A decade before he would investigate claims Russian hackers used phishing attacks to interfere with the 2016 presidential election, Robert Mueller was already warning Americans to think before they click. In a 2009 speech at a nonpartisan public affairs forum in San Francisco, the then-FBI director shared a cautionary tale with lasting relevance -- one that underscores the importance of security awareness training for all, in the enterprise and beyond.
"Not long ago, the head of one of our nation's domestic agencies received an email purporting to be from his bank," Mueller told the Commonwealth Club of California. "It looked perfectly legitimate and asked him to verify some information."
The official started to comply, Mueller said, before realizing he was just a few clicks from sending sensitive personal data directly to cybercriminals.
"This is someone who spends a good deal of his professional life warning others about the perils of cybercrime, yet he barely caught himself in time," Mueller continued, adding that the hapless target definitely should have known better. "I can say this with certainty, because it was me."
The FBI director described the encounter as a learning experience, joking that his wife suspended his online banking privileges after the close call. But not everyone escapes phishing attacks unscathed. Just one overly trusting end user can unwittingly cost an organization millions of dollars with just a few innocent clicks of a mouse.
Following a 2015 data breach that left 79 million patient records compromised, for example, U.S. health insurance company Anthem Inc. agreed to pay a $115 million class-action settlement and a $16 million HIPAA settlement. The attackers reportedly gained access to the Anthem network by tricking at least one worker into engaging with a phishing email.
In fact, according to Verizon Communications Inc.'s "2019 Data Breach Investigations Report," 94% of malware in 2018 was delivered via email, and one in three data breaches involved social engineering -- the manipulation of employees into providing information, access or both, usually via phishing attacks. The importance of security awareness training lies in its ability to build end users' internal alarm systems so that -- like Mueller -- they pause and reconsider before handing cybercriminals the keys to the castle.
"Basically, we want people to think," said Linda McGlasson, information security awareness lead at Relativity, an e-discovery software company. "We don't want them clicking willy-nilly."
She added that the value of continuous IT security awareness training far outstrips the typical one-and-done sessions that many enterprises offer during new-employee onboarding sessions.
"You've got to build that mental muscle," McGlasson said. "You don't go to the gym just once a year and expect to have a six-pack. It's hard work."
Testing the waters: Practice makes perfect
As part of Relativity's dedicated cybersecurity team -- known as Calder7 -- McGlasson has helped develop a multipronged IT security awareness strategy that prioritizes ongoing learning for all employees. First, new hires learn about company policies and best practices in a video-based online course -- created in-house and delivered via the Workday platform -- and review and sign the organization's acceptable-network-use policy.
The security team also shares relevant educational content, organizational updates and security news via both dedicated Slack channels and an internal monthly newsletter.
"To get that kind of information out in front of people and continuously set expectations really helps," McGlasson said.
Additionally, it has embedded a report phish feature within Relativity's email application, which allows employees to easily and efficiently flag possible scams. A worker can click the button to automatically forward a suspicious message to the security team for incident response. "When in doubt, send it out," McGlasson urged.
Relativity also recently rolled out an IT security awareness simulation program that puts employees' ability to spot suspicious messages to the test. Working with an unnamed vendor -- the same one that provides Relativity with its email filtering software -- McGlasson's team designs mock-phishing campaigns based on recently intercepted, real-world examples.
She said that by Relativity's third simulation, the companywide fail rate -- the percentage of recipients who click through the emails -- dropped dramatically.
"We also had several hundred people report the email via the little phish button, which is really great," McGlasson added.
Catch and release: Avoid 'gotcha' messaging
Nicholas Davis, CISO for the University of Wisconsin System, pioneered a similar program at The University of Wisconsin-Madison (UWM) in 2011, using Barracuda Networks' PhishLine program. The program started with a basic, soft-pitch campaign: emails appearing to come from a "Nigerian prince in distress" netted a click rate of just 0.2% -- a promising indication that the university's basic security awareness training was working.
Next, they moved on to more sophisticated messaging, with an email that featured a picture of Bucky Badger -- the UWM mascot -- inviting end users to test their system password's integrity using an online "Bucky Badger Password Strength Checker." In this campaign, the click-through rate jumped to 18%. Another phishing simulation -- featuring an email that appeared to come from United Parcel Service Inc. (UPS), along with a supposed tracking link -- convinced 21% of users to respond.
"It's basic human instinct to click on these things, and sometimes they are quite good -- especially if they are socially context-aware," Davis said. Users who accept UPS shipments as part of their jobs, for example, would likely be particularly vulnerable to a UPS-specific phishing campaign.
The simulation links took users to educational webpages with advice on how to avoid falling for similar scams in the future. Critically, they also offered unambiguous reassurance that employees had done no harm by clicking on the email -- and they would not be identified individually or punished in any way.
"When you engage with end users, you can't just use this as a 'gotcha' opportunity," Davis said. "That's just going to create hostility in the environment. You want them to learn from the experience, feel good about it and walk away knowing we're all in this together."
After the first few campaigns, Davis added, people seemed to actually start enjoying the challenge of recognizing and ignoring the simulated phishing emails. He said the program -- which has since expanded across the University of Wisconsin System -- has strengthened overall faculty and staff morale.
"Employees are more confident in themselves now," Davis said. "Overall, it helps create great peace of mind across the institution. And it's saved us a ton of time and money in terms of preventing malware incidents."
Continuous training, continuous learning
Educational phishing simulations have the added benefit of generating organization-specific data to inform future IT security awareness training initiatives. McGlasson found, for example, that a high percentage of Relativity employees who fell for simulated phishing emails opened them on their cellphones. In response, she is now assembling a new set of mobile-specific security awareness training materials.
The Verizon data breach report similarly suggested smartphones and tablets might make users more vulnerable to phishing attacks, accounting for 18% of clicks in simulated campaigns, across aggregated data from multiple IT security awareness training vendors. For the sake of user experience, mobile operating systems and apps often show simplified email displays, with prominent action-oriented GUI elements -- such as reply, send, etc. -- making it both harder to vet a suspicious message and easier to engage with it. The report added that small screen sizes and user distraction also contribute to relatively high fail rates.
Overall, however, Verizon found that clicks in phishing simulations declined in 2018 -- at 3%, down from roughly 25% in 2012. Still, Davis stressed the abiding importance of security awareness training, even as user savvy grows.
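The three paragraphs above describe the two numbers a simulation program produces -- the companywide fail rate (recipients who clicked) and the report rate (recipients who used the report-phish button) -- plus the kind of breakdown, by device, that McGlasson used to decide on mobile-specific training. The following Python is an added example written for this article, not code from Relativity, Calder7, Barracuda PhishLine or the Verizon report; the event records, field names and the three-campaign history are all constructed. Two design points a defender would want: recipients are pseudonymous IDs, never names or addresses, and any slice with fewer than a minimum number of distinct people is suppressed, so a departmental or device breakdown cannot be used to single out the individuals the program promised not to identify.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One recipient's outcome in one simulated campaign (constructed schema)."""
    campaign: int
    recipient: str    # pseudonymous id, never a name or mailbox
    device: str       # "desktop" or "mobile"
    department: str
    action: str       # "ignored", "reported" (used the phish button) or "clicked"


# Constructed sample data: 8 recipients across 3 campaigns, fail rate falling
# and report rate rising over time, with mobile users clicking most often.
SAMPLE_EVENTS = [Event(*row) for row in [
    (1, "u001", "desktop", "finance", "clicked"),
    (1, "u002", "mobile",  "finance", "clicked"),
    (1, "u003", "mobile",  "eng",     "clicked"),
    (1, "u004", "desktop", "eng",     "reported"),
    (1, "u005", "desktop", "eng",     "ignored"),
    (1, "u006", "mobile",  "admin",   "clicked"),
    (1, "u007", "desktop", "admin",   "ignored"),
    (1, "u008", "desktop", "admin",   "reported"),
    (2, "u001", "desktop", "finance", "reported"),
    (2, "u002", "mobile",  "finance", "clicked"),
    (2, "u003", "mobile",  "eng",     "reported"),
    (2, "u004", "desktop", "eng",     "reported"),
    (2, "u005", "desktop", "eng",     "ignored"),
    (2, "u006", "mobile",  "admin",   "clicked"),
    (2, "u007", "desktop", "admin",   "reported"),
    (2, "u008", "desktop", "admin",   "reported"),
    (3, "u001", "desktop", "finance", "reported"),
    (3, "u002", "mobile",  "finance", "reported"),
    (3, "u003", "mobile",  "eng",     "ignored"),
    (3, "u004", "desktop", "eng",     "reported"),
    (3, "u005", "desktop", "eng",     "reported"),
    (3, "u006", "mobile",  "admin",   "clicked"),
    (3, "u007", "desktop", "admin",   "reported"),
    (3, "u008", "desktop", "admin",   "reported"),
]]


def _rate(events, predicate):
    """Fraction of events satisfying predicate; 0.0 for an empty list."""
    return sum(1 for e in events if predicate(e)) / len(events) if events else 0.0


def campaign_summary(events):
    """Per-campaign recipient count, click ('fail') rate and report rate, in campaign order."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    return {
        c: {
            "recipients": len(rows),
            "click_rate": _rate(rows, lambda e: e.action == "clicked"),
            "report_rate": _rate(rows, lambda e: e.action == "reported"),
        }
        for c, rows in sorted(by_campaign.items())
    }


def click_rate_by(events, field, min_recipients=5):
    """Click rate broken down by one attribute (e.g. 'device' or 'department').

    A group with fewer than min_recipients distinct people is reported as None
    rather than as a rate, so the breakdown cannot be traced back to individuals.
    """
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, field)].append(e)
    result = {}
    for value, rows in groups.items():
        distinct_people = {e.recipient for e in rows}
        if len(distinct_people) < min_recipients:
            result[value] = None
        else:
            result[value] = _rate(rows, lambda e: e.action == "clicked")
    return result


def fail_rate_is_falling(events):
    """True when the click rate never rises from one campaign to the next."""
    rates = [s["click_rate"] for s in campaign_summary(events).values()]
    return all(later <= earlier for earlier, later in zip(rates, rates[1:]))


if __name__ == "__main__":
    for c, s in campaign_summary(SAMPLE_EVENTS).items():
        print(f"campaign {c}: {s['recipients']} recipients, "
              f"click {s['click_rate']:.1%}, report {s['report_rate']:.1%}")
    print("fail rate falling:", fail_rate_is_falling(SAMPLE_EVENTS))
    print("by device (k=1):", click_rate_by(SAMPLE_EVENTS, "device", min_recipients=1))
    print("by department (k=3):", click_rate_by(SAMPLE_EVENTS, "department", min_recipients=3))
```

Running the block on the constructed data shows the click rate dropping from 50% to 12.5% across the three campaigns while the report rate climbs to 75%, and a device breakdown in which mobile recipients click far more often than desktop ones; with the default suppression threshold the small mobile and departmental slices come back as None, which is the intended behaviour for a program that tells employees they will not be singled out.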
"This has to be continuous reinforcement," he said. "People tend to forget and go back to their old habits, so you need to do this on a continual basis -- once a month, once every six weeks, whatever it may be -- and make sure that you're always keeping it in the front of people's minds."
He added that some messages will appeal to certain cross-sections of users more than others -- accounting staff or administrative assistants, for example -- but taken as a whole, the simulations should put everyone to the test.
"When you look at our series of campaigns over the past eight years or so, no particular group stands out as being more vulnerable to phishing attacks than others," he said.
After all, McGlasson added -- if it can happen to the director of the FBI, it can happen to anyone.
"Everyone is a target," she said.