Intelligent CIO Africa Issue 25 | Page 76

FINAL WORD

Here’s what organisations tell us about the human factor.

You could also ask organisations in the region and across the globe. At Cofense, we talk to them every day about effective phishing defence. The following are some of their insights on thwarting attacks on humans by empowering them with the right expertise and tools.

Let’s start with the head of information security at a Middle Eastern university. A few years ago, after large-scale attacks by nation-state actors on other regional targets, he made human-vetted phishing defence his number one priority, anchored by a rigorous phishing simulation program.

When he launched the program, users – students, faculty, administrators and anyone else using the network – fell for simulated phish 55% of the time. That number has now dropped to close to 10%, with the number of users reporting bad emails up to 50%. (FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, over 16 users report a simulated phish to every user that falls susceptible.)

“My mandate was to do everything necessary to protect the university community,” the Head of Information Security reported. “We invested in technological solutions, but with 30 years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.”

He added: “Look at it this way. You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defence.”

“Hey, is this the right payment?”

The cyber-program director of a multinational utility echoed those remarks. “My CISO often states that if he had to cut all of his budget, down to the bare bones, all that he would choose to spend on would be awareness and response,” he said. “We had a scenario where, all the way up to the CEO, they were ready to make a treasury payment until somebody finally picked up the phone and said, ‘hey, is this the right payment to be made?’ And it was blocked.”

Referring to constant changes in attack techniques and the need for defensive adjustments, he added, “I’m reminded of a quote from Alice in Wonderland, when the White Queen was saying, ‘In order to keep up, you have to run as fast as you can.’”

Removing phishing emails ‘sometimes in five or 10 minutes’

An operational risk consultant with a global financial company shared with us an example of employees helping the SOC stop phishing threats in minutes. “For example, we had a Word document with macros slip through our filters, so we just need to teach the humans that own our email addresses to be extra-vigilant.”

She continued: “We see some departments reporting as high as 60% in phishing simulations, but they also report [real] malicious emails that go to our cyberdefence teams – and they get them out of the network sometimes in five or 10 minutes.”

“I don’t think security is going to be improved by the next best technology we put in place, whether it’s an appliance or a firewall or something that blocks at the proxy,” she said.

“That’s a return on investment.”

Noting the futility of investing in technology while users remain untrained, a cybersecurity awareness evangelist at one of California’s largest companies said: “In one corner you’ve got 10 million dollars in defence perimeter equipment and on the other side, of course, you’ve got ‘Dave.’”

“A machine cannot apply a non-linear approach to a problem. A machine is just conditioned to do one thing. But a human being with instinct can make decisions that are a lot more intricate.”

His company too relies on employees to report actual phishing threats. “Recently, we saw 33 reported threats come into our IR inbox,” he said. “When you consider that a breach could cost six million dollars, that’s a return on investment.”

“What did you do to prevent this?”

The last word comes from another global financial company: “To not focus on phishing would be pretty negligent on any company’s part,” said the company’s operational risk consultant. “At the end of the day, if we have a breach it’s probably going to have stemmed from some sort of phishing attack. When our regulators or clients are asking us, ‘What did you do to prevent this?’ it’s important to feel confident that we have an anti-phishing program in place.”

She noted that inbox behaviour is ‘easily measurable’. It’s not hard to sustain a phishing defence program because the metrics are simple to gather and use to demonstrate success. In fact, automation makes it even easier, allowing program managers to schedule a year’s worth of simulations in a matter of minutes. Other automated systems enable SOC teams to filter and analyse reported emails quickly, plus remove them from users’ inboxes when verified as threats. Those are smart uses of technology. After all, machines are great at saving time and handling repetitive tasks, saving human brains and intuition for critical decision-making. But if you’re placing all your bets on tech and neglecting the human factor, it’s going to be a long, and very phishy, year.

Kamel Tamimi, Principal Security Consultant, Cofense Inc
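The ‘easily measurable’ metrics the column relies on (the share of users who fall for a simulated phish, the share who report it, and the reporters-per-susceptible-user ratio behind the 16-to-1 energy-sector figure) can be computed from simulation results per department. The following is an added illustration, not Cofense’s code; the result records, department names and thresholds are constructed.

```python
"""Per-department phishing-simulation metrics (added illustration).

Each record is one user's outcome for one simulated phish:
(user, department, clicked, reported). Sample data is constructed.
"""
from collections import defaultdict

# Constructed sample results for a single simulation campaign.
SIMULATION_RESULTS = [
    ("alice", "finance", False, True),
    ("bob", "finance", True, False),
    ("carol", "finance", False, True),
    ("dan", "finance", False, True),
    ("erin", "engineering", False, True),
    ("frank", "engineering", False, True),
    ("grace", "engineering", False, False),
    ("heidi", "engineering", False, True),
    ("ivan", "engineering", False, True),
    ("judy", "sales", True, False),
    ("ken", "sales", True, False),
    ("lena", "sales", False, True),
    ("mike", "sales", False, False),
]


def department_metrics(results):
    """Return {dept: {users, click_rate, report_rate, report_to_click}}.

    report_to_click is reporters per susceptible user (the ratio the
    column quotes for the energy sector); None when nobody clicked.
    """
    tally = defaultdict(lambda: {"users": 0, "clicked": 0, "reported": 0})
    for _user, dept, clicked, reported in results:
        t = tally[dept]
        t["users"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {
        dept: {
            "users": t["users"],
            "click_rate": t["clicked"] / t["users"],
            "report_rate": t["reported"] / t["users"],
            "report_to_click": t["reported"] / t["clicked"] if t["clicked"] else None,
        }
        for dept, t in tally.items()
    }


def needs_attention(metrics, max_click_rate=0.10, min_report_rate=0.50):
    """Departments above the click ceiling or below the reporting floor.

    Thresholds are assumptions here; the university in the column reached
    roughly 10% clicking and 50% reporting, so those are used as defaults.
    """
    return sorted(
        dept for dept, m in metrics.items()
        if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate
    )
```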