By Andrew R. Lee and Jim Kearns, Jones Walker LLP
Data and network system breaches come in all shapes and sizes, but they tend to have one common element: people. Extensive industry investigations have consistently focused on employees as ultimately responsible, most often through negligence, for four out of five of all harmful cyber breach incidents. This means that someone inside a breached organization is the point of contact for the vulnerability in over 80% of cases.
We know the model all too well. Criminal actors rely on the fact that a small percentage of employees will fall for deceptive phishing emails. For many years, the Verizon Data Breach Investigations Report has found that about 3% of email recipients will click on deceptive, destructive emails, with potentially devastating effects. This level of success is enough to keep criminals using phishing as their entry tool of choice. In situations where criminals steal credentials, they are often able to launch crippling attacks.
Another employee-dependent attack is Business Email Compromise (BEC), which criminals primarily use for immediate, short-term financial gain. While not necessarily a vector for credential theft, BEC can be very detrimental to an organization’s trust and cash flow. Characterized by the FBI as one of the most financially damaging online crimes, the BEC threat exploits the fact that most of us rely on email to conduct business.
A BEC attack is more targeted than a phishing email: the perpetrator typically sends a very convincing email to a specific company employee, spoofing an authorized sender and making a seemingly legitimate request. For example, BEC perpetrators often pretend to be known vendors who instruct recipients to use different wiring instructions to pay bills, directing funds to bank accounts controlled by criminals.
Even more targeted and pernicious are social engineering attacks, which typically involve direct interaction with victims over long periods of time. In such an attack, the attacker typically first investigates the intended victim to gather background information, then works to gain the victim’s trust and induces the victim to violate security practices. Ultimately, the victim may reveal sensitive information or grant the attacker access to critical company resources. How well an organization trains its employees to detect and avoid phishing, BEC, and social engineering attacks directly correlates to its overall cyber resilience.
Jones Walker’s 2018 Maritime Cybersecurity Survey found that employee cyber training was lacking among maritime industry stakeholders. For example, when asked how often their employees are required to participate in cybersecurity training, half of small business respondents said they never require their employees to participate. This needs to improve. Firewalls and other software and hardware solutions do little to protect against phishing, BEC, and social engineering attacks, so it is important for organizations to implement strong security awareness programs as an essential part of their cybersecurity defense plans.
Awareness training is a necessary first step because a cybersecurity threat cannot be prevented or reported if it is not recognized. Many useful websites offer rudimentary training on how to spot the telltale signs of phishing emails, with examples. Phishing emails are now so common that employees themselves can probably provide examples from the ones they have received. In addition to robust training exercises that test employees’ propensity to fall for dangerous phishing attempts, a regular training program can establish a common practice of employees forwarding these emails to the organization’s IT security personnel, who may use the data to notify other users as well as to refine the training exercises.
BEC and social engineering attacks are more difficult to detect because they are staged for a specific victim who has been tricked into “trusting” the attacker. However, even in these cases, there is usually something “off” that should make the victim pause, such as an out-of-the-ordinary request, a suggestion to take a shortcut, or an insistence on urgency. Training is essential so employees know how to defend against such attacks. Concrete examples should be included in training to emphasize the importance of each employee’s participation in company security. Employees also need to know whom to call to report a suspicious request, and the organization must ensure their calls are answered promptly.
While such examples are an effective training tool, running real-life cybersecurity threat simulations against employees is an important part of any organization’s training program. It can be worthwhile for an organization to regularly hire an ethical hacker to run a campaign of simulated phishing, BEC, and even social engineering attacks. The grief of having taken the bait, on the one hand, or the pride of having spotted the trick, on the other, will leave a lasting impression on everyone involved.
A word on frequency. A generally accepted rule of thumb is that cybersecurity awareness training and other workplace best practices should be refreshed at least annually, and that all employees’ attendance at this training should be a priority and be monitored. This training should also be part of the onboarding process for every new employee.
Adequate training requires investment. Maritime actors should invest time in the cybersecurity training process to ensure behavior change is effective and sustainable. Training can improve many behaviors that directly impact security, such as teaching “what not to click” and emphasizing password hygiene, as well as training the user to scrutinize seemingly innocuous emails. Hackers are resourceful and smart, and reducing or eliminating harmful email clicks is key to avoiding cyber breaches that can lead to data loss, network disruption, or an often devastating ransomware attack.