Egress has always considered phishing an insider threat – and it’s vitally important organisations also shift to this mindset, so they can invest in resources that truly defend their people against these attacks.
What makes an advanced phishing attack an insider threat?
When we talk about insider threats, most businesses think about data breaches and security incidents that fall into the following three categories. All these breaches start with a deliberate or accidental outbound action from an insider:
- Accidental data breaches, such as misdirected emails and incorrect attachments
- Non-malicious rule breaking, where employees break process to make their own lives easier e.g. sending work documents to personal email addresses
- Malicious exfiltration, where employees deliberately leak data for revenge or profit
Phishing attacks differ in that they always originate from outside your organisation and use inbound ‘bait’ to make people act. It’s true that cybercriminals are ultimately to blame for any negative consequences you suffer – if they didn’t send the phishing email, nothing bad would happen. However, it’s not quite the same as an external system hack, which pits an attacker solely against the technological defences a business has in place.
For phishing to succeed, there has to be an active mistake from an insider. Without human error from an insider, a phishing attack is just an email. This makes it an insider threat.
When it comes to phishing, your human layer really is the last line of defence. And left on its own… it’s not a very effective one.
Why scammers target insiders
Phishing is rigged in favour of the cybercriminals.
Businesses hope that if a phishing email lands in front of an insider, their cybersecurity training kicks in and they don’t fall for it. The problem is they need this to happen every time to avoid a breach. Cybercriminals just need one person to make a single mistake, and their potential payoff is huge.
People are easy targets and scammers know it. Sending phishing emails to humans is far easier than hacking technology; you don’t need advanced IT skills to send an email. For example, ransomware attacks can be devastating, but you don’t need software development or hacking skills to carry one out. Thanks to ‘crime-as-a-service,’ the software itself can be purchased on the dark web, and then in over 90% of cases, it’s delivered into an organisation through email phishing rather than system hacking.
There are also forms of phishing that contain no malicious links or attachments at all, which makes them extremely hard for traditional email security to detect: there is no URL to scan and no file to detonate. Highly targeted text-based attacks such as executive impersonation, account takeover and supply chain fraud rely on social engineering to press on our psychological triggers. These scams can trick people into paying fraudulent invoices or sharing sensitive data with nothing more than an urgent subject line and a convincing request in the body of the email.
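To make the point concrete, the following is an added example (not Egress code, and not a description of how Egress Defend works) showing the kind of content-and-context heuristics a text-only attack exposes even when there is nothing for a link or attachment scanner to inspect. It assumes a hypothetical internal domain `example.com`, a hypothetical directory of frequently impersonated executives, and three constructed sample emails using reserved `.invalid` domains. Each message is scored on display-name impersonation, a diverted Reply-To, urgency language and payment language, and mapped to a traffic-light verdict.

```python
"""Heuristic triage for text-only (BEC-style) phishing.

Added illustration, not Egress Defend's model. INTERNAL_DOMAIN, EXECUTIVES
and the three SAMPLE_* messages are assumptions constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                     # assumed: the organisation's own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: directory of likely impersonation targets

URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|before (?:end|close) of (?:day|business))\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank details|invoice|payment|gift cards?|transfer)\b", re.I)
URL = re.compile(r"https?://", re.I)

# Weights are illustrative; a production system would learn or tune these.
WEIGHTS = {
    "impersonated_executive": 3,   # display name of a known exec, but not their real address
    "reply_to_mismatch": 2,        # replies silently diverted to another domain
    "urgency": 1,
    "payment": 1,
    "external_sender": 0,          # reported for context, not scored on its own
    "no_links_or_attachments": 0,  # explains why link/attachment scanners see nothing here
}


def domain_of(addr):
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def extract_signals(raw_message):
    """Parse a raw RFC 822 message and return the set of signal names it triggers."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"

    signals = set()
    known_address = EXECUTIVES.get(display.strip().lower())
    if known_address and sender.lower() != known_address:
        signals.add("impersonated_executive")
    if domain_of(sender) != INTERNAL_DOMAIN:
        signals.add("external_sender")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        signals.add("reply_to_mismatch")
    if URGENCY.search(text):
        signals.add("urgency")
    if PAYMENT.search(text):
        signals.add("payment")
    if not URL.search(text) and not msg.is_multipart():
        signals.add("no_links_or_attachments")
    return signals


def triage(raw_message):
    """Return (colour, score, sorted signals): red >= 4, amber >= 2, otherwise green."""
    signals = extract_signals(raw_message)
    score = sum(WEIGHTS[s] for s in signals)
    colour = "red" if score >= 4 else "amber" if score >= 2 else "green"
    return colour, score, sorted(signals)


# Constructed samples (not real messages); .invalid is a reserved TLD.
SAMPLE_BEC = """From: Jane Doe <jane.doe@gmail-secure.invalid>
Reply-To: Jane Doe <jane.doe.ceo@outlook.invalid>
To: finance@example.com
Subject: Urgent: invoice payment

Hi, I need you to process the invoice payment before end of day.
I'm stuck in meetings, so just reply to this email with confirmation.
"""

SAMPLE_INTERNAL = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 planning

Let's schedule the planning session for next week.
"""

SAMPLE_VENDOR = """From: Accounts <accounts@vendor.invalid>
To: finance@example.com
Subject: Invoice 1234

Please pay invoice 1234 immediately; our bank details are unchanged.
"""

if __name__ == "__main__":
    for name, raw in [("bec", SAMPLE_BEC), ("internal", SAMPLE_INTERNAL), ("vendor", SAMPLE_VENDOR)]:
        print(name, triage(raw))
```

The red verdict on the first sample comes entirely from headers and wording: the message carries no link and no attachment, so a gateway that keys on those would pass it untouched, while a mismatch between a trusted display name and an unfamiliar sender, plus a Reply-To pointing elsewhere, is cheap to compute and hard for the attacker to avoid.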
There are clearly a lot of phishing strategies cybercriminals use to target insiders. But what’s the actual benefit of classifying phishing as an insider threat? How does it help anyone? The answer is that by acknowledging phishing as an insider threat, we can change (and improve) our approach to fighting it.
A human-focussed solution
Phishing is a human problem, which means it needs a human solution. Some phishing emails will always slip through defences, so at that point, your last line of protection is a human – a person who might be stressed, tired, or just not having their best day. Organisations need to shift their strategies away from hoping these people will either never encounter phishing attacks or always be able to spot them.
If your approach is “How do I make sure phishing never reaches my human layer?” then you need edge technology (secure email gateways) in place that will catch every single phishing email – even the most sophisticated, constantly evolving attacks. Unfortunately, that technology doesn’t exist. So when phishing attacks get through, you’re relying on cybersecurity training and a 100% detection rate from your employees. But remember… this game is rigged in favour of the cybercriminals. People make mistakes, and they rarely remember all their training.
Instead, you can start by accepting that some advanced phishing attacks will get through your edge solutions. The question then becomes “When phishing attacks do reach my human layer, how do I stop the single instance of human error that brings an attack to fruition?” The answer is to arm employees with the help they need to detect attacks in real time.
This is the human layer security approach.
Protecting insiders from phishing
Egress Defend applies the human layer security approach to every inbound email that reaches your organisation. It uses machine learning and natural language processing to analyse both the content and context of emails. Employees can work with confidence, knowing Defend is in the background, ready to provide traffic-light based prompts in real-time when threats are detected.
It’s like giving every employee their personal cyber expert – an unobtrusive one that works silently, only offering advice when it’s genuinely needed. Defend empowers your human layer to become a powerful first line of defence, rather than a source of insider risk.