I want to talk to you about Peter. He’s a new hire at your company, having joined a couple of days ago. He can just about remember the names of his teammates. The HR Manager has told him to look out for an email so that he can create an account on the company’s employee portal. As expected, he receives an email and clicks on the link provided to enter his credentials.
What Peter doesn’t realize is that the email is actually a phishing attack and cybercriminals are already harvesting his credentials in order to take over his account.
And once they’re in, they move fast!
Within minutes, the threat actors are spoofing thousands of your customers, many of whom call in with concerns, complaints and even expectations of terminating the relationship. As the Security leader, you are then buried in urgent questions from leadership while Risk and Compliance teams begin the investigation and clean-up operation.
With the organization locked in downtime, Peter is informed of his error. And if that’s not bad enough, the hack hits the headlines a couple of days later.
People get hacked
The sad truth is that people like Peter regularly get hacked by what are now highly sophisticated and targeted attacks, such as spoofs, time-based attacks, and supply chain compromise. And that’s despite the Secure Email Gateways (SEGs), continuous security awareness training, and phishing simulations that we put in place to mitigate the threat.
I was chatting with a CISO within Financial Services only last week who pointed out that the types of threats we’re now seeing are simply too sophisticated for the legacy technologies and solutions that we currently have in place. SEGs have performed admirably when dealing with spam and malware, but we now live in a world where crime-as-a-service is pushing the boundaries of attack sophistication, and threats are inevitably slipping through these legacy detection techniques.
However, it was his comment on security awareness that really stuck with me. He feared that most training programs (though well-meaning) fall short because they actually end up treating employees as the problem, essentially telling them that they are the company’s biggest risk and that they need to be loaded with additional information to stop being such a threat. And this had now been ingrained in most work cultures.
Transforming people into your first line of defense
My conversation with that CISO confirmed my thinking that we need to stop seeing our people as the problem. On the contrary, they are a huge part of the solution if we can augment existing training efforts and empower employees with the right technology.
In a with us, Rachel Wilson, Managing Director and Head of Cybersecurity at Morgan Stanley Wealth Management, noted that her employees are without doubt her first, second and third lines of defense against cybercrime: “But the onus is on us as Security leaders to implement controls that make it as difficult as possible for employees to make mistakes without impeding them in their jobs.”
Technology can really play a critical role here. The vision needs to focus on creating cybersecurity advocates within your business and using technology in a way that engages with employees to inform, assist and prevent a security breach. It’s not about doing everything at the network edge; it’s about interacting with people so that we can build a culture of cybersecurity awareness.
Active, in-the-moment learning
The challenge is that legacy detection solutions provide no explanation as to why there’s a threat. In effect, users are bubble-wrapped and actually become even more vulnerable to inbound attacks.
More and more companies within our community are now taking a different approach, applying technology to the human layer that offers simple, clear and unobtrusive guidance in real-time. The tech not only highlights a risk but also explains why, meaning people like our friend Peter can actively learn in the moment to identify security risks themselves.
That way, we’re building a culture of cyber resiliency and transforming our people into a security asset that helps in the fight against the cybercriminals, rather than being perceived as an organization’s biggest risk.
Real-time education and security in action
Egress Defend uses machine learning and natural language processing capabilities to analyze both the content and context of every email entering your organization. It works silently in the background, detecting even the most sophisticated phishing tactics. Users are alerted with heat-based banners, explaining why an email has been flagged.
So while users are prevented from clicking any malicious links or replying to scammers, they’re also given the opportunity to learn and understand which phishing tactics have been used against them. This creates a truly secure human layer, with increased cybersecurity knowledge for employees, and the protective safety net of a powerful anti-phishing solution.
Learn more about how Egress Defend can secure your human layer here. Or if you’d like to give it a try for yourself, we’ll happily set you up with a no-strings-attached demo. And if you want to learn more about the human stories behind breaches like Peter's, check out Only Human.