The Phishing Epidemic

Hello Fellow Readers,

I would like to start by thanking CyberDB, the leading databank of cyber technologies and products, for inviting me as a guest blogger on their website. Thanks CyberDB!

You are constantly bombarded by them. Every single second, minute, and hour. Yes, I am referring to phishing emails! As you may know, phishing scams have become a very big problem for organizations of all sizes. In fact, the Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than in any other three-month span since it began tracking data in 2004.

We have to deal with it in our personal lives, and even more so in our professional lives. For starters, we have to realize that a breach can devastate an entire organization and cripple it in very little time. We are not only seeing an ever-increasing number of traditional phishing emails going out en masse, but also more spear-phishing emails going out too! Why should this be a concern for your small business? Or rather, why should this be a concern for the Fortune 500 company that employs you? For starters, a breach does not discriminate. It is the penetration of an organization through whatever weak element the attacker was able to exploit.

For those who own a small business, it can be somewhat overwhelming to think about employing additional security measures, and rightfully so. Implementing an intrusion detection system (IDS) can be costly, doing business with an outside vendor for security monitoring can be costly, and to top it all off, not PROPERLY training your employees from the get-go can be extremely costly! Folks, this is very important! Not properly training an employee can be detrimental to your entire organization.

How so, you ask? Well, let's hypothetically say that one of your employees received an email for a purchase order, and all they needed to do was sign off on it and send it to accounts payable. Let's also assume that the email drew on a lot of personal information about that particular employee and targeted that employee in particular. Uh oh! Your employee just got breached! More specifically, your employee was the target of spear-phishing. Is it time to hit the panic button yet? If the answer is yes, then great! Let's stop for a brief moment and examine what happened here. Your employee was studied, researched, and more than likely analyzed by the attacker. If the employee's job is to check incoming purchase orders and approve them to be sent off to accounts payable, they can be a very easy target. After all, the employee probably sees hundreds upon hundreds of purchase orders coming in daily, and signing off on one more would just be another transaction or task, if you want to call it that. This can be a very scary reality for many organizations. However, it is even more devastating for a small business. A small business usually does not have the resources that a large organization has access to and thus can be attacked constantly with more ease. Where do we even begin to address this issue? It is crucial for an organization to understand its vulnerabilities.
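To make the purchase-order scenario concrete, here is an added example, written for this edit and not code from the original post, that triages such an email for the signals a spear-phisher usually leaves behind: a sender domain one character off from a trusted vendor, a Reply-To that routes answers somewhere else, pressure language, and links to hosts the vendor workflow does not trust. The trusted vendor domain, the urgency word list, the two-edit lookalike budget and both sample messages are constructed assumptions; the checks themselves are the ones a practitioner would walk a user through when explaining what made the email a phish.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only vendor domain the purchase-order workflow should receive from.
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.example"}
# Assumption: phrases that push the reader to act before thinking.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "final notice")


def _domain(header_value):
    """Lowercase domain of the address in a From/Reply-To header ('' if absent)."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance; typosquats are usually within one or two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it matches or is unrelated."""
    for t in trusted:
        if domain != t and _edit_distance(domain, t) <= 2:
            return t
    return None


def phishing_indicators(raw_message):
    """Return human-readable reasons this raw RFC 5322 message looks like a phish."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    # Replies silently redirected to another domain are a classic invoice-fraud tell.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} is a lookalike of trusted vendor {imitated}")
    elif from_dom not in TRUSTED_VENDOR_DOMAINS:
        findings.append(f"sender domain {from_dom} is not an approved vendor")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_VENDOR_DOMAINS:
            findings.append(f"link points to untrusted host {host}")
    return findings


# Constructed sample: the spear-phish from the scenario above (the 'i' in supplies is a '1').
SAMPLE_PHISH_EML = b"""From: Acme Supplies Billing <billing@acme-suppl1es.example>
Reply-To: ap-desk@mail-relay.example
To: jane.doe@yourcompany.example
Subject: URGENT: Purchase order #4471 awaiting your sign-off
Content-Type: text/plain; charset="utf-8"

Hi Jane,

PO #4471 must be approved today. Please review and sign here:
https://acme-suppl1es.example/po/4471/sign

Thanks,
Acme Billing
"""

# Constructed sample: what the genuine vendor's email looks like.
LEGIT_EML = b"""From: Acme Supplies Billing <billing@acme-supplies.example>
To: jane.doe@yourcompany.example
Subject: Purchase order #4471 for review
Content-Type: text/plain; charset="utf-8"

Hi Jane,

PO #4471 is ready for your review at https://acme-supplies.example/po/4471

Thanks,
Acme Billing
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH_EML), ("legit", LEGIT_EML)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof on its own; the legitimate vendor mail produces no findings, while the spear-phish trips all four, and that combination, not any single header, is what a trained approver should be able to articulate before signing anything.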

Not all people are the same, and this holds true of employees. Some employees will be more susceptible than others to clicking a link in a phishing email and compromising your organization. Your ultimate success will lie in how you train them. Start with a risk assessment of your overall organization. After identifying the targets (your employees), build a program of simulated phishing emails to send to them. Once you have built some email templates and tailored them to your organization's needs, you can arrange the next steps in initiating your risk assessment campaign: adjust the campaign parameters to match the duration and any additional criteria you have specified. You are now ready to launch! It is exciting and can be a little nerve-wracking, to say the least, but this is what is best for YOUR organization. It is always important to keep that in mind.

After a successful campaign and a careful review of your campaign metrics, you can build a training program to teach your employees what to look out for. This should not be a scolding session but rather an opportunity for your employees to recognize their shortcomings and build on them moving forward. Will there be employees who are hesitant? Yes, of course there will be! That is why you should spear-phish them. I'm just kidding! Or am I? Hint, hint... When you are ready to put together your training and awareness program, a little organization is involved. For starters, make sure you have identified the employees who were susceptible to the phishing emails you generated, and then educate them on what made the email a phishing email to begin with. Training and awareness should go hand in hand and incorporate lessons learned from the campaigns you just wrapped up.

What I would personally recommend is to come up with a risk rating system that identifies the level of risk each employee poses to your organization. You can incorporate a risk rating into your campaign metrics to match the higher risks to your organization and then mitigate against them. Base the rating on behavior across several campaigns rather than a single click, so that a one-off mistake and a repeat pattern are treated differently. The level of scrutiny an employee faces will undoubtedly be based on their risk rating. However, as I stated earlier, the purpose of training and awareness is not to scold employees but to educate them so they do not repeat the same mistakes. A good approach is to have employees with a higher risk rating undergo additional training, for example by dedicating a certain amount of time per month to additional training and awareness and then completing a test that you have put together. Also, shortly after your campaign has been completed, it is a good idea to send out a survey to your employees. It is a good way to gauge employee feedback, and you can use it later to track the progress of the risk assessments you are conducting.
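As an added example of the campaign review and risk rating described above (written for this edit, not the author's own tooling), the following Python takes the per-employee events a phishing simulation platform records for each campaign (delivered, opened, clicked, submitted, reported), computes campaign-level click and report rates, and turns several campaigns' worth of behavior into a score, a tier and the training that tier maps to. The event weights, the report credit, the role multipliers, the tier thresholds and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed scoring scale: weight of the worst action an employee took in one simulated phish.
ACTION_WEIGHT = {"delivered": 0, "opened": 1, "clicked": 3, "submitted": 6}
REPORT_CREDIT = 2           # assumption: subtracted when the employee reports the email
REPEAT_FAILURE_BONUS = 3    # assumption: added when an employee fell for two or more campaigns
# Assumed multipliers: roles that approve payments carry more risk per mistake.
ROLE_MULTIPLIER = {"accounts_payable": 1.5, "finance": 1.5}
# Assumed mapping from tier to the extra training the post recommends.
TRAINING = {
    "high": "monthly targeted session plus a knowledge test",
    "medium": "quarterly refresher module",
    "low": "annual awareness training",
}


@dataclass(frozen=True)
class Event:
    campaign: str
    employee: str
    role: str
    action: str  # delivered | opened | clicked | submitted | reported


def campaign_metrics(events):
    """Per campaign: how many received the email, what share fell for it, what share reported it."""
    by_action = defaultdict(lambda: defaultdict(set))
    for e in events:
        by_action[e.campaign][e.action].add(e.employee)
    metrics = {}
    for campaign, acts in by_action.items():
        delivered = len(acts["delivered"]) or 1
        fell = acts["clicked"] | acts["submitted"]
        metrics[campaign] = {
            "delivered": len(acts["delivered"]),
            "click_rate": round(len(fell) / delivered, 2),
            "report_rate": round(len(acts["reported"]) / delivered, 2),
        }
    return metrics


def risk_ratings(events):
    """Per employee: numeric risk score, tier, number of campaigns failed and assigned training."""
    worst = defaultdict(dict)    # employee -> campaign -> weight of the worst action taken
    reported = defaultdict(set)  # employee -> campaigns that employee reported
    role = {}
    for e in events:
        role[e.employee] = e.role
        if e.action == "reported":
            reported[e.employee].add(e.campaign)
            worst[e.employee].setdefault(e.campaign, 0)
        else:
            current = worst[e.employee].get(e.campaign, 0)
            worst[e.employee][e.campaign] = max(current, ACTION_WEIGHT[e.action])
    ratings = {}
    for employee, campaigns in worst.items():
        score, failures = 0.0, 0
        for campaign, weight in campaigns.items():
            if weight >= ACTION_WEIGHT["clicked"]:
                failures += 1
            # Reporting earns credit even after a click: that is the behavior we want to see.
            score += weight - (REPORT_CREDIT if campaign in reported[employee] else 0)
        score *= ROLE_MULTIPLIER.get(role[employee], 1.0)
        if failures >= 2:
            score += REPEAT_FAILURE_BONUS
        tier = "high" if score >= 9 else "medium" if score >= 3 else "low"
        ratings[employee] = {
            "score": round(score, 1),
            "tier": tier,
            "failed_campaigns": failures,
            "training": TRAINING[tier],
        }
    return ratings


# Constructed sample: two campaigns (a fake purchase order, then a fake overdue invoice).
SAMPLE_EVENTS = [Event(*t) for t in [
    ("Q1-PO", "alice", "accounts_payable", "delivered"),
    ("Q1-PO", "alice", "accounts_payable", "opened"),
    ("Q1-PO", "alice", "accounts_payable", "clicked"),
    ("Q1-PO", "alice", "accounts_payable", "submitted"),
    ("Q1-PO", "bob", "engineering", "delivered"),
    ("Q1-PO", "bob", "engineering", "opened"),
    ("Q1-PO", "carol", "finance", "delivered"),
    ("Q1-PO", "dave", "engineering", "delivered"),
    ("Q1-PO", "dave", "engineering", "clicked"),
    ("Q2-INVOICE", "alice", "accounts_payable", "delivered"),
    ("Q2-INVOICE", "alice", "accounts_payable", "clicked"),
    ("Q2-INVOICE", "bob", "engineering", "delivered"),
    ("Q2-INVOICE", "bob", "engineering", "reported"),
    ("Q2-INVOICE", "carol", "finance", "delivered"),
    ("Q2-INVOICE", "carol", "finance", "clicked"),
    ("Q2-INVOICE", "dave", "engineering", "delivered"),
    ("Q2-INVOICE", "dave", "engineering", "reported"),
]]

if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(campaign, m)
    for employee, r in sorted(risk_ratings(SAMPLE_EVENTS).items()):
        print(employee, r)
```

On this data the approver who submitted credentials in one campaign and clicked again in the next lands in the high tier, the engineer who clicked once and reported the next one stays low, and the campaign report rate rising from 0 to 0.5 is the metric that shows the training is working. The tier is an input to how much training time an employee gets, not a disciplinary record.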

Alex A. Kayayian

By: Alex A. Kayayian Blog: www.cybertimestoday.com
LinkedIn: https://www.linkedin.com/in/alex-a-kayayian-27bba3a
