Opinion: Fight phishing without blaming victims
Criminal hackers are skilled at crafting fake e-mails that dupe recipients. But instead of blaming the employees who click links that infect computers, organizations should work harder to fortify their networks.
Bogus e-mails designed to trick recipients into clicking malicious links are increasingly common. For criminal hackers, these so-called "phishing" messages are an effective tool for breaching an organization's online defenses, successfully penetrating large-scale organizations and striking single, high-value targets.
But the way to solve this problem isn't by blaming victims who click links within nefarious e-mails. Unfortunately, that's what the chief information security officer for the Department of Homeland Security, Paul Beckman, is proposing.
He wants to revoke security clearances for employees who routinely fail phishing tests, saying that continuing to flunk such tests shows a lack of responsibility when it comes to handling top-secret information.
Yes, antiphishing training is effective. But only to a certain point. Training can reduce the number of malicious links that get clicked on within an organization but it will never eliminate the threat. Criminal hackers are crafty, and there will always be that perfectly designed e-mail that'll fool even the savviest recipient. So, if your security policy is to rely 100 percent on antiphishing training, you’re about to have a very bad day.
Thankfully there are plenty of techniques organizations can use to defend against phishing that do not involve shaming victims. Companies and government agencies should ensure patch levels are up to date so that bad guys would be forced to use a previously unknown – or "zero day" – vulnerability to penetrate the network. That's often an effective deterrent.
Organizations can also limit employee network access to only those resources essential for their jobs. That way an attacker can't use an employee's credentials to infiltrate the entire network.
Updated antispam technology will also stop most mass e-mail attacks. If attackers do get through, a properly segmented network will stymie their ability to deeply penetrate the network. Continuous monitoring of the network will help, too. And, once and for all, enable two-factor authentication.
But all too often companies and cybersecurity firms focus on just stopping phishing. Entire companies exist to conduct phishing tests against employees to see how susceptible they are to this social engineering attack.
Don't get me wrong, phishing is a big problem. Recent studies have pegged the cost of phishing attacks against the average 10,000-person company at $3.7 million dollars per year.
Let's face it, employee will make mistakes when it comes to e-mail just like they'll make mistakes in other aspects of their jobs.
But focusing too much on this attack vector, the cybersecurity industry is ignoring all of the other basic safety measures we should be deploying.
While the National Counterintelligence and Security Center recently launched a phishing campaign called "Know Your Risk, Raise Your Shield," I just hope this campaign is not at the expense of other basic security fundamentals.
C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.