With phishing campaigns now the #1 cause of successful breaches, it’s no wonder more and more businesses are investing in phish simulations and cybersecurity awareness programs. These programs are designed to strengthen the biggest vulnerability every business has and that can’t be fixed through technological means: the human factor. One common misconception that many employers have, however, is that these programs should result in a systematic reduction of phish clicks over time. After all, what is the point of investing in phish simulations if your employees aren’t clicking on fewer phish? Well, a recent report from The National Institute of Standards and Technology (NIST) actually makes the opposite argument. Phish come in all shapes and sizes; some are easy to catch while others are far more cunning. So, if your awareness program only focuses on phish that are easy to spot or are contextually irrelevant to the business, then a low phish click rate could lead to a false sense of security, leaving employees unprepared for more crafty phishing campaigns. It’s therefore important that phish simulations present a range of difficulty, and that’s where the phish scale comes in.
Weighing Your Phish
If phish simulations vary the difficulty of their phish, then employers should expect their phish click rates to vary as well. The problem is that this makes it hard to measure the effectiveness of the training. NIST therefore introduced the phish scale as a way to rate the difficulty of any given phish and weigh that difficulty when reporting the results of phish simulations. The scale focuses on two main factors:
#1 Cues
The first factor included in the phish scale is the number of “cues” contained in a phish. A cue is anything within the email that one can look for to determine if it is real or not. Cues include anything from technical indicators, such as suspicious attachments or an email address that is different from the sender display name, to the type of content the email uses, such as an overly urgent tone or spelling and grammar mistakes. The idea is that the fewer cues a phish contains, the more difficult it will be to spot.
#2 Premise Alignment
The second factor in the phish scale is also the one that has a stronger influence on the difficulty of a phish. Essentially, premise alignment has to do with how closely the content of the email matches what an employee expects or is used to seeing in their inbox. If a phish containing a fake unpaid invoice is sent to an employee who does data entry, for example, that employee is more likely to spot it than someone in accounting. Similarly, a phish targeting the education sector is not going to be very successful if it is sent to a marketing firm. In general, the more a phish fits the context of a business and the employee’s role, the harder it will be to detect.
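To make the two factors concrete, here is an added example (not from the original post, and not NIST’s published rubric) that rates each simulated phish from its cue count and premise alignment, then reports click and report rates per difficulty band instead of one blended click rate. The cue-count thresholds, the difficulty matrix, and the simulation results are constructed assumptions for illustration; the point is the structure of the report, which also flags difficulty bands a program has never exercised, the gap behind the “false sense of security” described above.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical cue-count bands: <=8 "few", 9-14 "some", 15+ "many".
# These thresholds are an assumption for this example, not NIST's rubric.
CUE_BANDS = ((8, "few"), (14, "some"))

# Hypothetical difficulty matrix. Premise alignment is given the stronger
# pull, matching the text: a well-aligned phish with many cues is still
# only "moderately difficult", while a poorly aligned one is easy.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult",
}
BANDS = ("least difficult", "moderately difficult", "very difficult")


def cue_band(cue_count: int) -> str:
    """Map a raw cue count onto the few/some/many band."""
    for upper, band in CUE_BANDS:
        if cue_count <= upper:
            return band
    return "many"


def difficulty(cue_count: int, premise_alignment: str) -> str:
    """Combine the two phish-scale factors into a difficulty rating."""
    if premise_alignment not in ("low", "medium", "high"):
        raise ValueError(f"unknown premise alignment: {premise_alignment!r}")
    return DIFFICULTY[(cue_band(cue_count), premise_alignment)]


@dataclass(frozen=True)
class SimulationResult:
    campaign: str
    cue_count: int
    premise_alignment: str
    sent: int
    clicked: int
    reported: int


# Constructed simulation results for four hypothetical campaigns.
SAMPLE_RESULTS = [
    SimulationResult("generic lottery notice", 16, "low", 200, 4, 120),
    SimulationResult("fake HR policy update", 10, "medium", 200, 30, 60),
    SimulationResult("vendor invoice to accounts payable", 5, "high", 100, 35, 15),
    SimulationResult("password expiry notice", 7, "medium", 100, 25, 20),
]


def difficulty_report(results):
    """Aggregate sent/clicked/reported counts per difficulty band and
    derive click and report rates, so rates are compared like with like."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        bucket = totals[difficulty(r.cue_count, r.premise_alignment)]
        bucket["sent"] += r.sent
        bucket["clicked"] += r.clicked
        bucket["reported"] += r.reported
    for bucket in totals.values():
        bucket["click_rate"] = bucket["clicked"] / bucket["sent"]
        bucket["report_rate"] = bucket["reported"] / bucket["sent"]
    return dict(totals)


def unexercised_bands(results):
    """Difficulty bands no campaign has covered: a low overall click rate
    means little if the 'very difficult' band was never tested."""
    seen = {difficulty(r.cue_count, r.premise_alignment) for r in results}
    return [band for band in BANDS if band not in seen]


if __name__ == "__main__":
    report = difficulty_report(SAMPLE_RESULTS)
    for band in BANDS:
        if band in report:
            s = report[band]
            print(f"{band:22} sent={s['sent']:4} click={s['click_rate']:.1%} "
                  f"report={s['report_rate']:.1%}")
    gaps = unexercised_bands(SAMPLE_RESULTS)
    print("untested difficulty bands:", gaps or "none")
```

Reporting this way shows that the 2% click rate on the easy campaign and the 30% rate on the well-aligned ones are not contradictory results of one program; they describe different difficulty bands, and a program that only ever ran the first kind would have reported a gap rather than a success.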
Managing Risk and Preparing for the Future
The importance of the phish scale goes beyond helping businesses understand why phish click rates will vary. Understanding how the difficulty of a phish affects factors such as response times and report rates will deepen the reporting of phish simulations, and ultimately give organizations a more accurate view of their phish risk. In turn, this will also inform an organization’s broader security risk profile and strengthen its ability to respond to those risks.
The phish scale can also play an important role in the evolving landscape of social engineering attacks. As email filtering systems become more advanced, phishing attacks may lessen over time. But that will only lead to new forms of social engineering across different platforms. NIST therefore hopes that the work done with the phish scale can also help manage responses to these threats as they emerge.
The fear of experiencing a cyberattack is rightfully keeping business owners up at night. Not only would a cyber attack give your security team a headache, but it could have profound and irreversible financial implications for your business. In fact, according to a report by IBM and the Ponemon Institute, the average cost of a data breach in the U.S. is over $8 million. And with 30% of companies expected to experience a breach within 24 months, it’s no surprise that businesses are seeking coverage. The problem, however, is that businesses and insurance companies alike are still grappling over exactly what is and is not covered when a cyber event occurs.
Some businesses are learning this the hard way
Recently, a phishing campaign successfully stole the credentials of an employee at a rent-servicing company that allows tenants to pay their rent online. The phishers used the employee’s credentials to take $10 million in rent money that the company owed to landlords. The company had a crime insurance policy that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer,” but soon found out its claim was denied. Among the reasons the insurer gave for denying the claim was that, because the funds stolen were owed to landlords, the company did not technically suffer any first-party losses and therefore was not covered by the insurance policy.
In another case, the pharmaceutical company Merck found itself the victim of a ransomware attack that shut down more than 30,000 of its computers and 7,500 servers. The attack took weeks to resolve and Merck is now claiming $1.3 billion in losses that it believes should be covered by its property policy. The problem, however, is that the attack on Merck was actually a by-product of a malware campaign that the Russian government was waging against Ukraine and happened to spread to companies in other countries. The insurer therefore denied the claim, stating that its property coverage excludes any incidents considered an “act of war.”
Silence is Deadly
The Merck example above also illustrates the concept of “silent”, or “non-affirmative”, cyber. Basically, these are standard insurance lines, like property or crime, in which cyber acts have not been specifically included or excluded. Merck was filing the claims against the property policy because it sustained data loss, system loss and business interruption losses. Silent cyber is difficult for a carrier to respond to (which is why the carrier in this case is looking to the war and terrorism exclusion to deny coverage) and even more challenging to account for. That’s one reason both carriers and businesses are looking to standalone cyber insurance, which provides both the insured and the carrier with a lot more clarity as to what is covered. (Although carriers can still deny coverage in situations where the attestations about the quality of security made up front do not measure up at claim time.)
Predicting the Unpredictable
It’s commonly said that insurers will do anything to avoid paying out claims, but the issue with cyber insurance coverage goes much deeper. The problem centers around a number of uncertainties involved in categorizing and quantifying cyber risk that make comprehensive policy writing a near impossible task. For one, cyber insurance is a new market dealing with a relatively new problem. There are therefore not as many data points for insurers to accurately quantify risk as there are for long-standing forms of insurance.
The real problem, however, is that cyber incidents are extremely difficult to predict and reliably account for. Whereas health and natural disaster policies, for example, are based on scientific modeling that allows for a certain degree of stability in risk factors, it is much harder for insurance companies to predict when, where, and how a cyber attack might happen. Even Warren Buffett told investors that anyone who says they have a firm grasp on cyber risk “is kidding themselves.”
Reading the Fine Print
It’s important to understand that, despite the relatively unpredictable nature of cyber incidents, there are plenty of steps businesses can and should take to understand and mitigate their risk profile. Organizations with robust risk management practices can significantly reduce their vulnerability, and a strong security posture goes a long way towards minimizing their risks and providing a strong defense when a claim strikes.
Unfortunately, this puts a lot of the responsibility on individual businesses when evaluating their cyber exposures and the insurance coverages which might be available to respond. A good insurance broker who has expertise in cyber is essential. Much like the threat landscape, cyber insurance coverage is constantly evolving, and it is up to all parties, from businesses to carriers, to keep up.
We’re number one! (Oh, that’s not a good thing?)
Yes, sometimes it’s better not to be recognized. Especially if it’s in the Verizon 2020 Data Breach Investigations Report, which shows new and emerging trends in the cyber threat landscape. Anyone who is anyone in cyber wants to get their hands on it as soon as it’s published (and we are no exception). As has been the case for many years, one of the key reasons behind data breaches involves what we do (or don’t do). In fact, this year’s report shows that 3 out of the top 5 threat actions that lead to a breach involve humans either making mistakes or being tricked. Below is a closer look at those 3 threat actions, and the human factors they rely on.
In this year’s report, phishing attacks lead the cyber threat pack for successful breaches. It is also the most common form of social engineering used today, making up 80% of all cases. A phish attacker doesn’t need to rely on a lot of complicated technical know-how to steal information from their victims. Instead, phishing is a cyber threat that relies exclusively on manipulating people’s emotions and critical thinking skills to trick them into believing the email they are looking at is legitimate.
One surprising aspect of the report is the rise of misdelivery as a cause of data breaches. This is a different kind of human factored cyber threat: the pure and simple error. And there is nothing very complicated about it: someone within the organization will accidentally send sensitive documents or emails to the wrong person. While this may seem like a small mistake, the impact can be great, especially for industries handling highly sensitive information, such as healthcare and financial services.
Misconfigurations as a cause of data breaches are also on the rise, up nearly 5% from the previous year. Misconfigurations cover everything from security personnel not setting up cloud storage properly, to undefined access restrictions, or even something as simple as a disabled firewall. While this form of cyber threat involves technological tools, the issue is first and foremost with the errors made by those within an organization. Simply put, if a device, network, or database is not properly configured, the chances of a data breach skyrocket.
So What’s to Stop Us?
By and large we all understand the dangers cyber threats pose to our organizations, and the number of tools available to defend against these threats is ever-increasing. And yet, while there is now more technology to stop the intruders, at the end of the day it still comes down to the decisions we make and the behaviors we have (and which are often used against us).
We know a few things: compliance “check the box” training doesn’t work (but you knew that already); “gotcha” training once you accidentally click on a simulated phish doesn’t work because punitive reinforcement rarely creates sustained behavior change; the IT department being the only group talking about security doesn’t work because that’s what they always talk about (if not blockchain).
Ugh. So what might work? If you want to have sustained cybersecurity behavior change, three things + one need to occur: 1) you need to be clear regarding the behaviors you want to see; 2) you need to make it easy for people to do; 3) you need people to feel successful doing it. And the “+ one” is that leadership needs to be doing and talking the same thing. In other words, the behaviors need to become part of the organizational culture and value structure.
If we design the behaviors we want and put them into practice, we can stop being number one. At least as far as Verizon is concerned.
Remember the sales contest from the movie, Glengarry Glen Ross?
“First prize is a Cadillac Eldorado….Third prize is you’re fired.”
We seem to think that, in order to motivate people, we need both a carrot and a stick. Reward or punishment. And yet, if we want people to change behaviors on a sustained basis, there’s only one method that works: the carrot.
One core concept I learned while applying behavior-design practices to cyber security awareness programming was that, if you want sustained behavior change (such as reducing phish susceptibility), you need to design behaviors that make people feel positive about themselves.
The importance of positive reinforcement is one of the main components of the model developed by BJ Fogg, the founder and director of Stanford’s Behavior Design Lab. Fogg discovered that behavior happens when three elements – motivation, ability, and a prompt – come together at the same moment. If any element is missing, behavior won’t occur.
I worked in collaboration with one of Fogg’s behavior-design consulting groups to bring these principles to cyber security awareness. We found that, in order to change digital behaviors and enhance a healthy cyber security posture, you need to help people feel successful. And you need the behavior to be easy to do, because you cannot assume the employee’s motivation is high.
Our program is therefore based on positive reinforcement when a user correctly reports a phish and is combined with daily exposure to cyber security awareness concepts through interactive lessons that only take 4 minutes a day.
To learn more about our work, you can read Stanford’s Peace Innovation Lab article about the project.
The upshot is behavior-design concepts like these will not only help drive change for better cyber security awareness; they can drive change for all of your other risk management programs too.
There are many facets to the behavior design process, but if you focus on these two things (BJ Fogg’s Maxims) your risk management program stands to be in a better position to drive the type of change you’re looking for:
1) help people feel good about themselves and their work
2) promote behaviors that they’ll actually want to do
After all, I want you to feel successful, too.
In October, the FBI warned that ransomware attacks are becoming “more targeted, sophisticated, and costly.” Now, a new survey shows that small businesses are bearing the brunt of these attacks, with 46% reporting that they have been targeted.
Ransomware is a form of cyber attack in which the attacker steals or encrypts the victim’s data and demands payment in order to regain access to that data. The new survey highlights two issues that put small businesses in particular at a high risk of further attacks and even irreparable data loss.
1. No Data Protection in Place
Perhaps the most troubling trend the survey found is that 20% of small businesses do not have data protection systems in place. Solutions such as data backup or disaster recovery tools are essential for a variety of potential issues, but especially for ransomware. According to Russell P. Reeder, the CEO of the company behind the survey, “every modern company depends on data and operational uptime for its very survival…Data protection and operational uptime have never been more important than during the unprecedented times we are currently facing.”
With a strong backup system that is tested regularly, small businesses faced with a ransomware attack are in a better position to recover their data without succumbing to the demands of the attackers. Without proper data protection systems in place, however, businesses are left in the hands of the bad guys, with no other means to recover their data. And the truth is, the more small businesses that leave themselves unprotected, the more they will be targeted. Ransomware attackers are looking for easy money, and are therefore far more likely to target those who leave themselves the most vulnerable.
2. To Pay or Not to Pay
The survey also found that a whopping 73% of small businesses targeted by ransomware opted to pay the ransom in order to get their data back. One reason for this is that, if a business does not have proper data protection in place, restoring the data may end up being more costly than simply paying the bad guys. However, this solution is misguided on a number of fronts.
First of all, there is no guarantee that paying the ransom will result in regaining all or even any of the data stolen. The survey found that 17% of those who paid the ransom did not recover all of their data. Secondly, paying the ransom is a short-term solution to a long-term problem. Paying the ransom signals to attackers that they can squeeze money out of that business in the future. Reporting by ProPublica also found that ransomware payments were previously substantially lower than they are now, and that the number of businesses willing to cough up the dough has led to an increase in the price of the ransom.
Prevent and Defend
In order to defend against ransomware attacks, small businesses should first and foremost ensure they have strong data protection solutions in place. However, this is only one piece of the puzzle. Taking measures such as awareness training can help prevent these attacks in the first place. Ransomware attackers often gain access to systems through malware installed via phishing campaigns. If you and your staff are properly trained to spot deceptive practices, you already have a leg up on the bad guys. Attackers also hope that their victims will panic and make rash decisions. There is no question that falling victim to ransomware is scary stuff, but taking a few breaths, reviewing your options, and responding rationally might help keep your money and data in your hands and prevent further attacks from taking place in the future.