PREDICTIVE INTELLIGENCE
There’s a machine that stops phishing attacks. It’s called the human brain
Phishing attacks remain a source of anguish for CISOs and security professionals. But those who choose to just throw technology at the problem are overlooking a vital component of their defence – the ‘human firewall’. Kamel Tamimi, Principal Security Consultant, Cofense Inc, tells us more...
Until human nature changes (don’t hold your breath), phishing attacks that target unwary people will be a headache. Two recent headlines show the Middle East and Africa are not being spared.
Last November, a leading regional bank issued a customer alert about a phishing email dangling a value-added tax refund. Naturally, the email purported to come from the bank. Whose pulse wouldn’t quicken at the thought of getting some money back?
The following month, Amnesty International warned of several credential phishing campaigns, likely from the same attackers, targeting Middle Eastern and North African organisations. In one campaign, the threat actors took aim at accounts on ‘secure’ email services like Tutanota and ProtonMail.
www.intelligentciso.com | Issue 10
It would be nice if automation could solve the problem completely. But while automated systems, Machine Learning and AI can help, malicious emails are still getting past the perimeter. Just ask the regional bank and Amnesty International.
Here’s what organisations tell us about the human factor
You could also ask organisations in the region and across the globe. At Cofense, we talk to them every day about effective phishing defence. Here are some of their insights on thwarting attacks on humans by empowering them with the right expertise and tools.
Let’s start with the head of information security at a Middle Eastern university. A few years ago, after large-scale attacks by nation-state actors on other regional targets, he made human-vetted phishing defence his number one priority, anchored by a rigorous phishing simulation program.
When he launched the program, users – students, faculty, administrators and anyone else using the network – fell for simulated phish 55% of the time. That number has now dropped to close to 10%, while the share of users reporting suspicious emails has risen to 50%.
(FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, more than 16 users report a simulated phish for every user who falls for it.)
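The three figures quoted above – the share of recipients who fall for a simulated phish, the share who report it, and the number of reporters per susceptible user – are the numbers a simulation program is usually judged on. The script below is an added worked example, not Cofense’s code or the university’s data: it derives those metrics from a per-recipient event log. The metric definitions (susceptibility rate = clickers/recipients, report rate = reporters/recipients, resilience ratio = reporters/clickers) and the sample events are assumptions constructed to mirror the article’s numbers. It also handles two cases a real data set will contain: a user who clicks and then reports (counted in both rates), and a campaign with no clickers at all, where the ratio is undefined rather than infinite.

```python
"""Phishing-simulation metrics from a per-recipient event log.

Added example, not Cofense's code. Assumed definitions:
  susceptibility rate = recipients who clicked / recipients delivered to
  report rate         = recipients who reported / recipients delivered to
  resilience ratio    = reporters per clicker (None when nobody clicked)
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ACTIONS = ("delivered", "clicked", "reported")


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    action: str  # one of ACTIONS


def build_sample_events() -> List[Event]:
    """Constructed sample data shaped like the article's figures; not real results."""
    users = [f"u{i:02d}" for i in range(1, 21)]
    events: List[Event] = []
    # Baseline run: 11 of 20 recipients click (55%), 4 report.
    events += [Event("baseline", u, "delivered") for u in users]
    events += [Event("baseline", u, "clicked") for u in users[:11]]
    events += [Event("baseline", u, "reported") for u in users[11:15]]
    # Current run: 2 of 20 click (10%), 10 report (50%); u02 clicks *and* reports.
    events += [Event("current", u, "delivered") for u in users]
    events += [Event("current", u, "clicked") for u in users[:2]]
    events += [Event("current", u, "reported") for u in users[1:11]]
    # Small run with no clickers: the resilience ratio is undefined, not infinite.
    events += [Event("clean", u, "delivered") for u in users[:5]]
    events += [Event("clean", u, "reported") for u in users[:3]]
    return events


def campaign_metrics(events: Iterable[Event]) -> Dict[str, Dict[str, Optional[float]]]:
    """Aggregate events per campaign into the three headline metrics."""
    buckets: Dict[str, Dict[str, set]] = defaultdict(lambda: {a: set() for a in ACTIONS})
    for e in events:
        if e.action not in ACTIONS:
            raise ValueError(f"unknown action {e.action!r}")
        buckets[e.campaign][e.action].add(e.user)

    metrics: Dict[str, Dict[str, Optional[float]]] = {}
    for name, b in buckets.items():
        delivered = b["delivered"]
        if not delivered:
            raise ValueError(f"campaign {name!r} has no delivered recipients")
        # Only recipients the simulation actually reached count in either rate;
        # a user appears in both sets if they clicked and later reported.
        clicked = b["clicked"] & delivered
        reported = b["reported"] & delivered
        metrics[name] = {
            "recipients": len(delivered),
            "susceptibility_rate": len(clicked) / len(delivered),
            "report_rate": len(reported) / len(delivered),
            "clicked_then_reported": len(clicked & reported),
            "resilience_ratio": (len(reported) / len(clicked)) if clicked else None,
        }
    return metrics


def format_report(metrics: Dict[str, Dict[str, Optional[float]]]) -> str:
    """Render the metrics as a plain-text table for a programme review."""
    lines = [f"{'campaign':<10}{'n':>5}{'susceptible':>13}{'reported':>10}{'ratio':>8}"]
    for name, m in sorted(metrics.items()):
        ratio = "n/a" if m["resilience_ratio"] is None else f"{m['resilience_ratio']:.1f}"
        lines.append(
            f"{name:<10}{m['recipients']:>5}"
            f"{m['susceptibility_rate']:>12.0%}{m['report_rate']:>10.0%}{ratio:>8}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(campaign_metrics(build_sample_events())))
```

Reading the ratio alongside the two rates matters: a campaign can show a falling click rate simply because fewer people opened the lure, while a rising reporters-per-clicker ratio shows that the people who did engage recognised it and told someone.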