Part 4 of a 5-part series.
I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple:
Users are NOT the problem.
There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better.
Let’s illustrate with a story from Malcolm Gladwell.
In his book ‘Blink’, Malcolm Gladwell tells of the J. Paul Getty Museum in Los Angeles buying an ancient Greek kouros statue: a tale of man triumphing over machine, as it turned out.
To cut a long story short, the museum was offered what was said to be one of the finest examples of a Greek kouros the world had seen. They were understandably excited, but cautious – the asking price was $10m – a lot of money now, and considerably more in 1983.
The statue was taken on loan, and tests were organised to verify its authenticity. The stone was analysed to establish its age and likely origin. Scientists concluded that the calcification on its surface could only have formed over hundreds of years in the ground. The accompanying paperwork checked out, and the museum agreed to the purchase.
But despite the museum’s checks, many art historians and specialists who viewed the statue had the same reaction: an ‘intuitive repulsion’ in the first few seconds that made them say “it’s a fake.” None of the doubters could put their finger on what specifically it was about the statue that triggered the reaction, other than that it just didn’t look right.
What does a story about a Greek statue have to do with phishing defense?
The museum relied on technology and science to confirm authenticity. The experts’ gut reaction prompted further investigation, which found that (1) the calcification on the stone could be replicated with potato mould, and (2) addresses on the supplied paperwork did not exist at the time the documents were claimed to have been written. Despite all the available technology and science, gut reaction yielded the better conclusion.
Harnessing this intuition can be transformational for phishing defense. Rather than cutting users out of the loop and relying on technology alone to keep us safe from phishing, we must exploit this natural intuition, or gut feel. We have to recruit our users into a network of human sensors that gives us visibility of the phishing attacks that reach the inbox. After all, if the user doesn’t tell us, nothing will.
Your users can and should help detect real attacks.
Phishing simulation is an essential element of an overall phishing defense strategy, but it should never be used to ‘test’ users – phish testing is the antithesis of phishing defense. Phishing simulation should keep the threat of phishing front and center in users’ minds and keep them conditioned to constantly evolving threat actor tactics and techniques, particularly the specific tactics and techniques we see used against our own organisations.
The primary outcome of phishing simulation should be that users understand the role they play in protecting the organisation: providing visibility of phishing attacks. Like most users, I occasionally receive emails that don’t look right. I could just delete them, but that protects only me as an individual, not the organisation as a whole. To do that, I must sound the alarm and give our security team visibility of the attack, so they can take action to disrupt it.
I can do this because I’ve been trained to recognize something as suspicious, and it’s been made easy for me to report it. A single click of a button within the email client means there is no process to forget, and if I really do catch one, I get timely feedback thanking me. I pat myself on the back, and I’m more motivated to report in the future because I know I’m making a difference.
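To make the ‘human sensor network’ concrete, here is a small added Python example (written for this page; it is not the report button or any vendor product the post describes) that triages what such a button forwards to the security team. It parses each reported message, fingerprints it on sender domain, normalised subject and link hosts so that per-recipient variants of one lure cluster together, counts distinct reporters per campaign, and produces the acknowledgement each reporter gets. The four reports, the placeholder .test domains and the reporter addresses are all constructed for the example.

```python
"""Added example: turn one-click user phish reports into a campaign view.
Reports sharing sender domain, normalised subject and link hosts are grouped,
so the SOC sees one lure hitting N people, and each reporter gets feedback."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def constructed_eml(sender, subject, body):
    """Minimal RFC 5322 text for the constructed samples below (not real mail)."""
    return (f"From: {sender}\nSubject: {subject}\n"
            f"Content-Type: text/plain; charset=utf-8\n\n{body}\n")


# Constructed sample reports: (reporter, raw message the report button forwarded).
# Three users got the same invoice lure; the fourth reported a harmless newsletter.
SAMPLE_REPORTS = [
    ("alice@example.com", constructed_eml(
        '"Accounts Payable" <billing@examp1e-invoices.test>',
        "Invoice #4471 overdue - action required",
        "Your invoice is overdue. Review it here: https://examp1e-invoices.test/view?id=4471")),
    ("bob@example.com", constructed_eml(
        '"AP Dept" <ap@examp1e-invoices.test>',
        "RE: Invoice #4472 overdue - action required",
        "Second notice. Review here: https://examp1e-invoices.test/view?id=4472.")),
    ("carol@example.com", constructed_eml(
        '"Accounts Payable" <billing@examp1e-invoices.test>',
        "FW: Invoice #4473 overdue - action required",
        "Your invoice is overdue. Review it here: https://examp1e-invoices.test/view?id=4473")),
    ("dave@example.com", constructed_eml(  # false positive: a genuine newsletter
        "news@example-news.test",
        "Weekly digest, issue 12",
        "This week's stories: https://example-news.test/issue/12")),
]


def normalise_subject(subject):
    """Lower-case, strip reply/forward prefixes, collapse digit runs to N."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.lower().strip())
    return re.sub(r"\d+", "N", s)


def parse_report(reporter, raw):
    """Extract the fields a triage analyst looks at first."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    return {
        "reporter": reporter,
        "sender_domain": sender.rsplit("@", 1)[-1] if "@" in sender else "",
        "subject": str(msg.get("Subject", "")),
        "urls": urls,
        "hosts": {(urlsplit(u).hostname or "").lower() for u in urls},
    }


def campaign_key(report):
    """Fingerprint stable across per-recipient variations of one lure."""
    material = "|".join([report["sender_domain"], normalise_subject(report["subject"]),
                         ",".join(sorted(report["hosts"]))])
    return hashlib.sha256(material.encode()).hexdigest()[:12]


def triage(pairs):
    """Parse and cluster (reporter, raw) pairs; most-reported campaign first."""
    campaigns = {}
    for who, raw in pairs:
        r = parse_report(who, raw)
        c = campaigns.setdefault(campaign_key(r), {
            "key": campaign_key(r), "sender_domain": r["sender_domain"],
            "reporters": set(), "subjects": set(), "hosts": set(), "urls": set()})
        c["reporters"].add(r["reporter"])  # a set: one user reporting twice counts once
        c["subjects"].add(r["subject"])
        c["hosts"].update(r["hosts"])
        c["urls"].update(r["urls"])
    return sorted(campaigns.values(), key=lambda c: -len(c["reporters"]))


def feedback(report, campaigns):
    """Timely acknowledgement for the reporter, citing how many others saw it."""
    match = next((c for c in campaigns if c["key"] == campaign_key(report)), None)
    n = len(match["reporters"]) if match else 1
    return (f"Thanks {report['reporter']}: you are one of {n} reporter(s) of this "
            f"message; the security team is reviewing it.")


if __name__ == "__main__":
    found = triage(SAMPLE_REPORTS)
    for c in found:
        print(c["key"], len(c["reporters"]), c["sender_domain"], sorted(c["hosts"]))
    print(feedback(parse_report(*SAMPLE_REPORTS[0]), found))
```

Run directly, it prints the campaign table: the invoice lure shows three distinct reporters and the stray newsletter report one, which is exactly the prioritisation signal a security team wants from its human sensors. In a real deployment the fingerprint would also take in attachment hashes and the Reply-To address, reports would arrive from a mailbox or API rather than a list literal, and the reporter count would feed the disruption steps (blocking the hosts, purging the message from other inboxes) rather than just a print.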
Next and last in this series, we’ll look at Uncomfortable Truth #5 – Most organizations are unable to effectively respond to phishing attacks. Until then, learn more about anti-phishing trends in our State of Phishing Defense 2019 report.