The Weakest Link in Phishing is the Human One

Posted by Stephen Ferrell

The modern workplace is a melting pot. If you think of all the people in your ‘office’; whether it’s virtual or otherwise, it’s likely that in some cases the only common thread you have with your colleague over the cube wall is that you work at the same place.

The workplace of today is more diverse, more educated, and more equitable than it has ever been (though we have a way to go yet). Lots of unique personalities and perspectives are brought together daily with a shared goal – to further the commercial interests of the company, or to fulfill the mission of their non-profit.

To herd all of their respective cats in the same direction, organizations try to create a common set of guidelines through mission statements, quality policies and cultural norms. One-size-fits-all policies blanket the workplace. The conformity extends further to the common tool-set of the 2019 worker: along with your corporate PC, your corporate pen and your business cards, everyone gets their very own email account.

WORKPLACE EMAIL

Creating email communications policies is hard enough. I once received an email from a senior member of management chastising the entire workforce for a stolen slice of pizza! But securing an organization's email accounts is exponentially more difficult to manage. Email hacking does occur (think SONY) and is often brutal in its impact on reputation and the bottom line. But the reality is that the most significant dollar drain from email fraud is not a hacked system; it's the people in your email user community. Annually in the US alone, otherwise competent and thoughtful employees lose hundreds of millions of dollars to email phishing attacks.

The human element is the weakest link in the IT security portfolio. Email can't be switched off, manually redirected or censored; it is a fundamental 'inter' and 'intra' company communication tool, and without it commerce – as we know it – would stop.

It is incumbent then on the IT security professional to consider his/her options carefully when deploying email security and email fraud prevention safeguards. Phishing simulators and awareness training are important, but they are often run infrequently and are easily forgotten in the hustle and bustle of a stressful workday.

3 MAJOR SIMULATION SHORTFALLS

Phishing simulation has gained prominence in recent years as a methodology to stress-test an email community's aptitude for phishing detection. Some of the more feature-rich phishing simulators can be configured to target specific groups within an organization, and content and timing can be tailored for maximum effect. While a novel idea, the true value of these tools is hard to measure.

  1. Firstly, as we’ve discussed above, your organization's email community is a patchwork of personalities and skill sets, some highly technical, others less so. For every user that gets a couple of hundred emails a day, there is another who might get a dozen. The reality is not everyone at your organization is cut out to be an IT security expert. It is impractical to expect that every email user is a sentinel against email fraud. The will might be there, but the technical aptitude may not be.
  2. Secondly, when an email fraud simulation is conducted and the fake phish is set loose, dozens of environmental, situational and contextual parameters can come into play when the targeted email users react. A quieter day may elicit more skepticism, or more curiosity to click on a call to action. A heavy email user may ignore it entirely and not report it as it becomes buried in their inbox; a less experienced employee may take the bait and then feel foolish and demoralized as their actions are highlighted by management in an attack.
  3. Thirdly, email phishing simulation tests stop exactly no phish! Simulations don’t prevent email fraud beyond providing an additional layer of awareness training. While a reasonable level of discipline and security awareness is a fair request for any employee, relying on simulation is unlikely to turn them into email security experts.

At INKY we've even seen situations where an IT security team has become so good at creating fake email fraud attempts that their organization starts reporting phantom phish and every email begins finding its way to IT for a safety check.

THE INKY DIFFERENCE

At INKY, we have created a better way. INKY's Phish Fence doesn't simulate phishing or email fraud; it prevents it. INKY assesses every email received by your organization. With a typical setup time of less than 2 hours, INKY is fully compatible with existing spam and malware filters and provides email recipients with a banner – itself a direct, non-invasive analysis of each email's content – serving as both a deterrent and inline awareness training for the end user.

Our platform is in a constant state of evolution, deploying machine learning and artificial intelligence algorithms combined with advanced computer vision that can discern even the most cleverly rendered phishing iconography.

Your employees are best supported by an email fraud prevention platform that recognizes that each email is as unique as they are. Email accounts place a massive amount of risk in the hands of every employee; INKY eliminates that risk and turns even the most tech-challenged associate into a key player in your email security posture.

See if you have been Phished. Take the INKY Phishing Fitness Test.

INKY – Phight Phish
