
Human is the strongest link! Cyber security story #3

Publication date

30.07.2020

Find out why humans can be considered the strongest security link in our third chapter!

After putting in place some technical practices to reduce exposure to phishing attacks, only one of our two security experts went on to focus on a human-centric approach to security. Her company understood how essential people are to its security, and its investment in people will make the difference during this attack… Fortunately she had called Manu beforehand 😉

Discover below, in our third chapter, « how humans can be the strongest link to face phishing threats »!

A story written by Emmanuel Nicaise, our Human-centric Cyber Security Expert, our Storyteller and our famous Manu in the story.

1. Human-Centric Security

Alice knows that Ben’s technical choices are excellent. She has served as a captain in the army, however, and knows full well that wars are won by people, not just with technology. Alice often quotes Helmuth von Moltke: “No plan survives first contact with the enemy”. Cyber threats are evolving too fast nowadays. We cannot expect any technology to be ahead of the hackers. On the other hand, humans can adapt to any new situation if properly trained. This means that we need our staff to change their behaviour accordingly so as to keep them, and us, safe and secure.

Alice has read many books on human management and company transformation. There are so many theories about behavioural change that she did not know which one to trust. By chance, one of her consultancy firms had developed a framework for managing security while keeping humans centre stage. Their expert, Manu, comes from an academic background with years of experience in IT, risk and psychology. He and Alice got together and drew up a plan. Manu used the COM-B model, in a somewhat simplified form, to explain one of the bases of his framework.


2. Security Education

One of the most frequent reasons why people do not follow security rules is the lack of the necessary knowledge to do so. All too often, security professionals tend to take basic internet knowledge on the part of users for granted. That is a mistake. A large proportion of our population uses the Internet daily. Nevertheless, technical knowledge, such as the format of a URL and the exact notion of what a domain name is, is not always available. When we ask our users to check the domain name or the URL before clicking on the link, they may not understand what we are referring to.

Alice therefore started by providing training to ensure her users have a basic knowledge of the environment in which they operate. A common and straightforward vocabulary was used to ensure all users could understand the material. In such situations, we often have a tendency to say something like “send a continuous flow of compressed air into the nasal cavity to remove any organic blocking material” instead of saying “blow your nose”. She wanted to avoid such gobbledygook.
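To show what "check the domain name" means in plain vocabulary, here is a small illustration added to this chapter (it is not code from the story or from Approach). It splits a link into the parts a training session can name one by one, using reserved example names for the constructed sample links, and assumes the simple rule that the domain to judge is the last two labels of the host; a production check would consult the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed sample links, the kind a trainer might put on a slide.
SAMPLE_LINKS = [
    "https://www.example.com/press-release.pdf",
    "https://example.com.press-release.test/login",   # real domain is at the end
    "https://example.com@press-release.test/login",   # text before @ is not the host
    "http://192.0.2.10/press-release",                # bare IP address, no name at all
]

def looks_like_ipv4(host: str) -> bool:
    """True when the host is written as dotted digits rather than a name."""
    return host != "" and host.replace(".", "").isdigit()

def registrable_domain(url: str) -> str:
    """Return the part of the link a reader should actually judge.

    Assumption (illustration only): the registrable domain is the last two
    labels of the host name. Real-world checks use the Public Suffix List.
    """
    host = urlsplit(url).hostname or ""   # .hostname drops user@ and :port
    if looks_like_ipv4(host):
        return host                       # nothing to abbreviate
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def explain(url: str) -> dict:
    """Break a link into the pieces that training vocabulary names explicitly."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username or "",   # decoy text placed before '@'
        "host": host,
        "domain": registrable_domain(url),
        "path": parts.path,
        "looks_like_ip": looks_like_ipv4(host),
    }

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", explain(link))
```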

3. Measuring success


Alice decided to ask her Red team to perform a phishing simulation. They prepared an email that looked like a press release, with a catchy title “Press Release – Embargo until Monday”. They attached a PDF with a small script, similar to the one used by hackers to download malware, to gauge how many people open the file. They sent it to the entire company on a Friday afternoon. By Monday noon, around 60% of the company had opened the file. Alice was surprised by the results. Was the training useless?

4. Phishing exercises


  • Have you ever driven your car back home and had difficulty remembering how you got there? You were enjoying the music, listening to the news or talking with your passenger while driving at the same time. Having a discussion, understanding the content of an interview and driving are complex actions. However, as we become seasoned drivers, our brain develops automatisms. They enable us to perform this complex task with minimum effort, almost involuntarily. That is what we call a heuristic. We can develop heuristics for many activities: speaking, reading, playing the guitar, running, drawing or kicking a ball. An action, a behaviour that we perform regularly, can become a heuristic.

  • OK, but what’s the point?

After having used technology and training to react to a phishing attack, it is time to discover how our cyber security experts will act to facilitate detection in our fourth chapter, coming next week.
