By Andrew R. Lee and Jim Kearns, Jones Walker LLP
Data and network system breaches come in all shapes and sizes, but they tend to have one common element: the human. Broad industry surveys have consistently focused on employees as ultimately responsible—most commonly as a result of negligence—for four in five of all harmful cyber breach incidents. This means that a person inside a breached organization is the vulnerability touch point in more than 80% of the cases.
We know the pattern all too well. Criminal actors count on the fact that a small percentage of employees will fall for deceptive phishing emails. Over many years, the Verizon Data Breach Investigations Report has found that a steady 3% of email recipients will click on deceptive, destructive emails that can have devastating effects. That success rate is sufficient for criminals to keep using phishing as their entry tool of first choice. Where the criminals manage to steal credentials, they are often able to launch crippling attacks.
Another employee-dependent attack is business email compromise (BEC), which criminals use primarily for immediate, short-term financial gain. While not necessarily a credential-stealing vector, BEC can be highly damaging to an organization’s confidence and cash flow. Characterized by the FBI as one of the most financially damaging online crimes, the BEC threat exploits the fact that most of us rely on email to conduct business.
A BEC attack is more targeted than a phishing email: the perpetrator typically sends a highly convincing email message to a specific company employee, spoofing an authorized sender and making an apparently legitimate request. For example, BEC perpetrators often pretend to be known vendors who request that recipients use different wiring instructions to pay invoices, directing funds to criminal-controlled bank accounts.
Even more targeted and pernicious are social engineering attacks, which typically involve direct interaction with victims over lengthy time periods. In such an attack, the perpetrator usually first investigates the intended victim to gather background information, then moves to gain the victim’s trust and provides incentives for the victim to violate security practices. Ultimately, the victim may reveal sensitive information or grant the hacker access to critical company resources. How well an organization trains its employees to detect and avoid phishing, BEC, and social engineering attacks is directly correlated to its overall cyber resilience.
Jones Walker’s 2018 maritime cybersecurity survey found that employee cyber training was wanting among maritime industry stakeholders. For instance, when asked how often their employees were required to participate in cybersecurity training, half of respondents from smaller companies reported that they never require their employees to participate. This must improve. Firewalls and other software and hardware solutions do little to protect against phishing, BEC, and social engineering attacks, so it is important that organizations implement strong security awareness programs as an essential component of their cybersecurity defense plans.
Awareness training is a necessary first step, because a cybersecurity threat cannot be avoided or reported if it is not recognized. Many helpful websites provide rudimentary training on how to detect the telltale signs of phishing emails and offer examples of them. Phishing emails are now so frequent that employees themselves can probably provide examples from the ones they have received. In addition to robust training exercises that test employees’ propensity to fall for dangerous phishing attempts, a regular training program can give rise to a routine practice in which employees forward such emails to the organization’s IT security personnel, who can use the data to warn other users and to further refine the training exercises.
BEC and social engineering attacks are more difficult to detect because they are curated for a specific victim who has been lured to “trust” the attacker. Nevertheless, even in these cases there is usually something “off” that should give the victim pause, such as a request that is out of the ordinary, a suggestion to cut corners, or an insistence on urgency. Training is essential so that employees know how to defend against such attacks. Real-world examples should be included in the training to emphasize how each employee’s participation in the company’s security matters. Employees should also know whom to call to report suspicious requests, and that their calls will be promptly answered.
While examples are an effective training tool, conducting actual simulations of employee-directed cybersecurity threats is an important part of any organization’s training regimen. It can be well worth the expense for an organization to hire an ethical hacker on a routine basis to conduct a campaign of simulated phishing, BEC, and even social engineering attacks. The chagrin of having taken the bait, or the pride of having spotted the ruse, will leave a lasting impression on all involved.
A word about frequency. A commonly accepted rule of thumb is that training in cybersecurity awareness and other good workplace practices should be refreshed at least yearly, and that the participation of all employees in such training should be made a priority and tracked. Such training should also be made part of each new employee’s onboarding process.
Adequate training requires investment. Maritime stakeholders must invest time in the cybersecurity training process to ensure that the resulting behavior change is effective and enduring. Training can improve many behaviors that directly affect security: teaching “what not to click,” emphasizing password hygiene, and training users to scrutinize seemingly innocuous emails. Hackers are resourceful and clever, and reducing or eliminating harmful email clicks is essential to avoiding cyber breaches that can result in data loss, network downtime, or the often-devastating ransomware attack.