It is an executive’s nightmare: a successful spear phishing attack that opens up your network or system to hackers, due to one ill-advised click. The scenario is bad enough for your personal computer, but potentially much worse for your organization or business.
By now, most business owners probably hope their employees know enough not to fall for such tricks. But then again, you would hope most employees know what to do in a fire. That doesn’t stop companies from conducting fire drills.
A U.S. Army combat commander recently caused a small panic by conducting such a spear phishing drill on his own initiative. The dummy phishing attempt warned of a security breach in Army employees’ Thrift Savings Plan (a retirement plan widely used in the federal government) without any prior agreement with, or warning to, the thrift plan’s managers. The targeted workers were directed to a dummy site and told to log in and reset their passwords. This is spear phishing, an approach popular among hackers who want to steal website credentials.
In this instance, the small group of Army workers who received the bogus message forwarded it to others. Alarm about the fictional security breach quickly spread to multiple federal departments. It took weeks to clear up the resulting confusion.
Though the execution was flawed, the idea of simulating a spear phishing attempt has a lot of merit. The more often you test your employees with decent bait, the smaller the odds that they will fall for a truly malicious attack. If someone is going to make a mistake, such a test gives them a harmless place to make it. That’s good employee training. In effect, you are crying wolf to teach people to ignore wolves.
Phishing is not the only type of network attack employers need to worry about, but it is an enduring one; it has troubled companies and governments, as well as individuals, for the past decade in one form or another. Three years ago, security firm RSA (whose employees presumably should have known better, if any employees should) suffered a spear phishing attack when an employee removed a suspect message from the system’s junk folder and opened a compromised attachment. More recently, an attack focused on Forbes. A senior executive opened what she thought was a time-sensitive link on her iPad, allowing the Syrian Electronic Army access to the news organization’s website and backend data. The costly security breach at Target last year is reported to have begun with a phishing attack.
Phishing exploits the human element in an organization’s technology. Though all employees should know by now to be suspicious of unsolicited or unexplained links, requests for credit card data or login credentials, or attachments they were not expecting, sometimes people get careless. Caution should be so ingrained as to be instinctive. That’s where drills can come in.
Companies should of course make sure their anti-malware protections are up-to-date, but many of them are going further and tackling the problem at the source: the human beings who use software. Energy companies, including Shell, have used a variety of simulated email attacks to evaluate their workforces, often demonstrating the need for more robust education. And a variety of companies, such as PhishMe and Dell SecureWorks, offer services or software meant to make it possible to use such a simulation to educate employees. New York state has used simulated phishing to evaluate employees since as far back as 2005, The Wall Street Journal reported last year.
Though the Army commander’s internal test created a great deal of angst in federal government circles, I think the underlying theory is both sound and necessary. The problems in that case mainly arose from using the name of a real agency without its cooperation and acting without oversight from above, but some element of perceived authenticity is necessary for a proper test. After all, malicious phishing attempts will try to look like a trusted sender, whether a large bank, online retailer or personal acquaintance.
I like the idea of testing employees, not to trick or punish them, but to teach a lesson in a generally harmless way. This sort of exercise should be routine, though unpredictable enough to make it effective.
Of course, the next hazard will be fraudulent consulting companies offering phishing training that includes actual malicious phishing. Managers will then have to determine whether would-be vendors are legitimate or whether they actually plan to phish the information they gain. It is one more thing for security-minded business owners to guard against.
Welcome to the future.