Creating a Vaccine for Phishing Attacks

Another day, another phishing story. According to reports, a scammer recently sent emails to a Texas school district posing as one of the district’s vendors and requested a series of payments. One month later, the district realized it had been conned out of $2.3 million.

Unfortunately, stories like these are increasingly common.

Not unlike propaganda, social engineering and phishing campaigns are forms of attack that rely primarily on deception and disinformation. Defending against these attacks therefore requires more than technical defenses; it is also necessary to look at the strategies used to combat disinformation in general.

A Vaccine for Social Influence

Inoculation theory is one such strategy and has been gaining steam recently. The main premise of the theory is that the best way to defend against manipulation and unwanted influence is through exposure to the influence in a smaller, weaker form. Exactly like a vaccination.  

In general, the application of inoculation theory involves three basic elements: 

Threat 

The first step is so obvious that it can be easy to overlook. If you want to defend against a threat, you first need to be aware that the threat exists. For instance, if your employees don’t know what a phish is, they are far more likely to get tricked by one. One study found that simple awareness that a threat exists increases the ability to combat it, even when people weren’t given the tools to fight it.

Refutational Preemption

Refutational preemption is a fancy phrase, but, in the vaccine metaphor, it simply stands for the weak strain of the virus or threat. The idea is to introduce someone to faulty messaging that stands in opposition to what they usually hold to be true. By being exposed to a weaker version of the messaging, the recipient learns how to argue against it and strengthens their own beliefs. Then, when they encounter a similar but stronger message in real life, they will have already developed the tools needed to combat it.

Within the context of phishing schemes, this would involve presenting someone with examples of phishing emails and asking them to identify the methods used to make the email seem real. Another method is to have participants create their own phishing emails so they learn what is involved in crafting a deceptive message.

Involvement

The final element of the theory simply states that the more someone cares about an issue, the easier it will be for them to defend against a threat to that issue. So, when it comes to phishing, if your employees understand and care about the stakes involved with a phishing attack, they will be in a better position to spot them. Essentially, the more vested interest someone has in defending against an attack, the easier it will be for them to do so successfully.  

Putting Inoculation Theory into Practice

With the rise of socially engineered threats, inoculation theory has seen a bit of a resurgence lately. For instance, researchers at Cambridge University created the simulation Get Bad News, a game that uses inoculation theory to combat false or misleading news articles.  

And it doesn’t take a big leap to see how inoculation theory can be useful for cyber security threats, such as phishing campaigns. By combining education with simulated phishing attacks, businesses can use inoculation theory to: 

  1. Use education tools to raise employees’ awareness of the threat phishing attacks pose.
  2. Expose employees to simulated phishing attacks and have them respond proactively by reporting potential phish. You can even have employees create their own phish. Like Get Bad News, this will further inform participants of common tactics used in social engineering schemes.
  3. Create a program that keeps employees engaged in the process. Focusing on positive reinforcement rather than punishing mistakes, for example, will help encourage participants to take the process seriously.

Inoculation Theory At Work

Our digital awareness program, The Phishmarket™, uses inoculation theory in various phases throughout the program. Our phish simulations use a reporting feature that empowers participants to be actively involved in combating phishing attacks and rewards progress instead of punishing mistakes.

The Phishmarket™ also includes an online training program that uses daily micro-lessons to teach participants about common and emerging methods used in social engineering schemes. Some of the micro-lessons even ask users to try creating their own phish.

Want to try it out for yourself? Simply follow this link to test out a preview of the training program and create your very own (fake) phishing campaign.  

Cyber Resiliency is the New Cyber Security

Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts are beginning to use the new term “cyber resiliency.”

The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack. 

The Basics of Cyber Resiliency 

In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework that provides detailed steps organizations can take to minimize the impact of attacks. The overall framework can be broken down into four basic goals:

1. Anticipate 

According to the NIST framework, the first goal of cyber resiliency includes the preventative measures often found in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also preparing for an attack. This includes having an incident response plan in place, as well as changing your systems often in order to preempt attacks.

2. Withstand  

Withstanding a cyber attack should involve steps to limit the overall damage an attack does, even if you haven’t detected the attack yet. In general, this involves deflecting the attack to areas that can take the most damage without disrupting day-to-day activities. You should also be prepared to entirely remove and replace systems that are badly damaged.

3. Recover 

Before an attack even happens, you should know exactly how you plan to recover if one ever does. This should primarily involve being prepared to revert your systems to the state they were in before the attack. Recovery strategies will therefore depend heavily on having good backups of your systems that you test regularly.

4. Adapt 

At bottom, adaptation means understanding that as the threat landscape continues to change, so must your security policies and systems. You should constantly be looking for new vulnerabilities within your systems as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.

Leaders are best equipped to drive cyber resiliency efforts 

It is important to understand that these four cyber resiliency goals were designed to encourage communication between leadership-level business risk management strategies and the rest of the organization. We’ve written before about the importance of proper governance and business leadership when it comes to cyber security, and the same goes for cyber resiliency.

Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or someone trained in security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.

That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three skills business leaders have that make them essential to any cyber resiliency policy:  

Scaling

The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in place.  


Training 


Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key to investing in and maintaining robust training programs.


Collaborating 


Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.  

The Take Away

At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village, but it depends first and foremost on a leadership team that takes the task seriously.

Reducing the Privacy Trust Deficit

A while back, when I ran an insurance brokerage, a good friend of mine who owned a mid-size company said, “You know Doug, when it comes to insurance the one thing I’ve learned is that the insurance carriers are only out to [bleep] us.” I can only imagine what CEO clients who weren’t my friends were saying.

When you are selling an intangible, like insurance, you immediately start with a trust deficit between you and your prospect. And it’s that deficit you need to overcome before you can hope to make a sale.

Privacy is an intangible as well. You can’t see it. You can’t touch it. It’s a concept, one closely tied to our sense of ourselves and the freedom to express and “own” our identity as we choose. And, as with other intangibles, companies face a trust deficit which they need to overcome if they want to establish strong customer relationships.

The need to bridge the trust deficit is a theme of a recent survey on consumer attitudes towards privacy that Deloitte has just released. As the article states, over two thirds of consumers believe their data is used primarily for targeted marketing and over half believe the data is shared with third parties. And, ironically, despite increasing privacy legislation, only 22% of companies are aligning their privacy requirements with business strategy.

This is an epic fail on two fronts: 1) misalignment of privacy compliance with strategy will inevitably result in sub-optimal compliance measures which open the organization to regulatory action; 2) misalignment of privacy with strategy keeps the organization from taking advantage of a huge opportunity to leverage privacy as an asset to develop stronger customer relationships and propel growth.

Companies that want to close the Privacy Trust Deficit, increase market share and improve operational and regulatory compliance can start with four steps: 1) Define the company’s desired relationship with its customers; 2) Outline privacy requirements as minimally defined by regulation and maximally defined by the company’s desired relationship with its customers; 3) Create a customer data and engagement map which defines how, why and what the company does with its client data; 4) Express each point of the data and engagement map in terms of a repeatable behavior with a quantifiable outcome that both leverages and enhances privacy and customer value; 5) Communicate and be transparent about the privacy-related behaviors the company is carrying out at the same time it is carrying them out.

Applying these steps will help align privacy with business strategy, minimize the privacy trust deficit and enable the organization to take market share from its competitors who view privacy as a compliance objective as opposed to a strategic opportunity.


Cyber Awareness 4 mins at a time

Last week we announced our new Behavior-Designed Cyber Awareness Program. One part of that program will be structured phish simulation campaigns; another part is a series of courses on a broad range of topics related to digital awareness, appropriate security practices, and the behavioral biases which affect susceptibility to phishing emails and other forms of social engineering. Each course contains a number of micro-lessons designed to take only a few minutes — typically around 4 minutes — to complete. The intent of each course, in addition to the phish simulations that will run concurrently, is to give participants the tools they need to recognize and modify their online behavior in order to maintain a safer and healthier digital presence.

Soon we will be rolling out the entire program, but for now we want to offer a sneak peek of what’s to come. Right now we are offering a free preview of a course on phishing attacks and how to spot them. If you want to try it out, click here and enroll now for free.

And, if you haven’t already, you can check out a review of our new program published as a part of the Stanford Peace Tech Lab. 

Behavior-Designed Cyber Awareness — A New Program

For the past year, Designed Privacy has been working to integrate behavior design into the cyber awareness process. Through a series of tests, we have created a Cyber Awareness Program which we are launching this fall. The Program not only shows strong results in reducing phish susceptibility; the behaviors it’s designed to create also show the potential to mitigate digital disinformation efforts and to get people to collaborate on reinforcing secure behaviors, whether in the office, at home or with clients and vendors.

In addition, we are extremely pleased to have the process and results published by the Peace Innovation Lab at Stanford.

After a year of testing three things are clear:
1) Cyber awareness without behavior change is a waste of time, money and energy;
2) Behavior change occurs through a combination of ease, prompting and positive reinforcement. People are more apt to change behaviors when they see a positive WIIFM (“what’s in it for me”);
3) Behavior-designed cyber awareness not only leads to reduced phish susceptibility, but it also has the potential to lead to better organizational decision making, especially as we rely more and more on digital information to make those decisions.

In a world of phishing, online scams, deepfake video and content, and the weaponization of social media, we all need to develop behaviors that help us determine what is real and what is not if we want to be secure, make sound decisions and feel that we still have a space where our choices are our own.

Please read the Stanford Peace Innovation Lab article here.

2.4 Billion

That’s the number of records that, according to Identity Force, have been accidentally exposed since the beginning of the year.

In other words, someone misconfigured their systems so that unencrypted data was accessible, or accidentally emailed the data to the wrong person.

And that does not include the hundreds of millions of records that were exposed on Facebook this year.

Pogo had it right.  I see the enemy and he is us.


Making it Real

I just finished working on a cybersecurity policy for a relatively small dental practice in a large midwestern city. The practice’s IT consultant, with whom I was working, was pleased with the results and said that this Practice was now “miles ahead of the other dental practices” in terms of its cybersecurity posture. He added that many of the Practice’s competitors had “one or two” pieces of paper to describe their cybersecurity posture, which he said was “one or two pages longer than it needed to be” to describe the security they actually had in place.

I guess we shouldn’t be surprised. Despite the headlines about data breaches, regulatory fines or lost revenue, cybersecurity for many firms remains an abstraction. And when you are focused every day on real issues with customers, patients and staff, abstractions come last.

The way to encourage businesses to focus on either risk or opportunity is to make the abstraction real and to provide a game plan which brings value to all who are involved.

Making It Real

In order to “make it real” for the business, you need three things: 1) a compelling (and simply told) story with characters similar to the audience; 2) a financial picture of the situation; 3) a happy ending. Cybersecurity tells a lot of stories, almost all of which are fear-based. That’s engaging to a point, but often the fear doesn’t seem relevant and it is out of context with the situation. It’s scary to think Equifax can be breached and 147 million records exposed, but what does that have to do with my dental practice? If you tell me a story about a ransomware attack on a dental practice which cost the business $500,000, and that I have a 10% chance of experiencing a $20,000 ransomware loss and a 90% chance of a $1,000,000 loss, I have something to understand. Then if you tell me that if I do A, B and C I can reduce my probabilities by better than half, I see a happy ending.

Bringing Value

Someone once told me that the way they view cybersecurity regulation is like a law which states that if a thief breaks into a house and steals stuff, the homeowner is arrested. Cybersecurity has been framed as protection against the financial impact a business incurs when bad guys do something to us. That creates friction in our minds and pushes us away from investing in protection against something we wouldn’t do ourselves.

Instead, cybersecurity should really be framed in terms of reputation and brand.  It’s part of the care and service that you bring to your customer, the respect that you have for them and the trust you want them to have in you.  Reputational value is a combination of a lot of factors, but in today’s digital age, data privacy is a true (and marketable) benefit.

Telling stories with financial relevance that show the true value of cybersecurity to all stakeholders is difficult. But if we want to make inroads in cyber protection, we will need to do so.


The Impact of the CCPA on Small Businesses

With the new year coming up fast, businesses are scrambling to implement the necessary changes before the California Consumer Privacy Act (CCPA) goes into effect. As one might expect, this poses some unique difficulties for small businesses that don’t have the same resources as larger companies.

This month, the International Association of Privacy Professionals (IAPP) released the findings of a number of surveys it conducted with small and medium sized businesses about their preparation for the CCPA. The findings highlight the unique impact CCPA compliance is having on smaller businesses.

Here are some of the key findings:

Confusion is Universal

One interesting aspect of the survey was that confusion surrounding CCPA compliance was universal to both small and large businesses. However, small businesses expressed a specific lack of clarity regarding what employee data is covered, how the sale of data relates to basic advertising, and potential conflicts with existing regulations.

Vendor Management

Another key concern for small businesses is how the CCPA will affect their use of vendors and third parties. Because they have a limited number of employees, small businesses are more likely to outsource some of their work to third parties. And, according to the IAPP’s findings, small businesses are less likely to have specific programs in place to ensure vendors’ privacy policies meet their own standards and comply with regulations. The report found that while small businesses do generally include privacy clauses in vendor contracts, “they use privacy questionnaires and audits significantly less often than larger companies.”

Lack of Automation

The survey also found that small businesses are less likely to have privacy-focused automation in place. Because the CCPA requires businesses to process consumers’ data access requests, processing these requests along with managing data inventories will likely become more of a burden for small businesses. Without the resources to automate these processes, small businesses fear that implementing and managing data access requests will require an overwhelming amount of time and energy.

What’s more, lack of automation could make it easier for fraudulent data access requests to slip by, resulting in data breaches that would leave them in violation of the CCPA. This has already been an issue with the GDPR, and small businesses worry that they don’t have the tools necessary to effectively verify the identity of individuals requesting access to their data.

While preparation for the CCPA is a top concern for businesses of all sizes, the IAPP’s findings show that small businesses face a number of unique challenges. When it comes to compliance, the CCPA holds all businesses to the same standard. And while this gives consumers greater assurance that their privacy is protected across the board, the impact on small businesses is greater than what larger companies are experiencing.

Changes to the California Consumer Privacy Act (CCPA) have been finalized – Goes into effect January 1

As of September 13th, the California Legislature has finished passing amendments to the California Consumer Privacy Act (CCPA), meaning no more changes to the law will be made before it goes into effect this January.

Originally passed in September 2018, the CCPA is widely considered to be the most comprehensive privacy law in the U.S. to date. Taking its cue from the E.U.’s GDPR, the CCPA gives California consumers the right to know what data companies collect on them and even to opt out of the collection and sale of their personal information. However, as we wrote about in July, a number of amendments were introduced that privacy experts fear could greatly reduce the impact of the new law.

In the months since then, some of those amendments successfully passed while others were reworked or scrapped altogether. The legislature passed a number of amendments; most of the highly contested changes were bundled into bill 1355 (Personal Information).

Here is an overview of some of the changes that made it through: 

Non-discrimination 

While the CCPA prohibits discrimination against consumers who opt out of the sale of personal information, the new amendment makes an exemption if “differential treatment is reasonably related to value provided to the business by the consumer’s data.”

This is potentially a big deal. While some of this language will likely be challenged and clarified after the Act goes into effect, it opens the door for businesses to offer different services and/or prices if a user exercises their right to opt out of the sale of their personal information.

Definition of Personal Information 

The amendment also makes a very small change to the definition of personal information, but one that could have large implications. In defining what counts as personal information, the bill simply adds the word “reasonably” to the phrase “capable of being associated with” a particular consumer or household. This small change creates some wiggle room for businesses when it comes to arguing what information is protected under the CCPA.

This also reinforces the clarification in the amendment that de-identified and aggregate consumer information does not fall within the scope of the CCPA. And with efforts already underway to weaken the definition of de-identified information, this could potentially further limit what personal information is protected.  

Employee Information is Exempt 

The other big change to the CCPA concerns employee information. The new amendments exclude employees from the right to know, opt out of, or delete any personal information their employer collects and sells. However, this exemption sunsets in 2021 and will therefore have to be re-introduced after that. This will likely be the site of a large battle between unions and privacy advocates on one side and industry groups on the other.


While these changes certainly reduce the scope and impact of the CCPA, the central tenets of the law remain largely intact. Overall, consumers will still be able to exercise their rights to know what personal information businesses are collecting, to opt out of the sale of this information to third parties, and even to request that a business delete their information. It’s therefore important that all impacted businesses continue to work toward compliance by the beginning of next year.

iPhone Hack Serves as a Wake-Up Call for Users

Last week, Google’s counterespionage group, Threat Analysis Group (TAG), published findings on a malware attack that targeted iPhones for “at least two years.” The hack was what is known as a watering-hole attack, where hackers plant malware on specific websites and visitors to those sites unknowingly download the malware to their device. Once it was installed, the hackers were able to monitor user activity and export sensitive information such as passwords, contacts, messages (including encrypted conversations through apps like WhatsApp), and location data.

Google’s TAG team discovered the attack this past January. They notified Apple of the issue on the 1st of February, and Apple released a security update seven days later that closed the vulnerability. However, while the update removed the malware from infected iPhones, any information taken by the attackers remains in their hands.

Despite the in-depth look at the attack that Google released, information on who was behind the attack, which websites were infected, and whose data was stolen has not been verified by either Google or Apple. However, since Google’s report, a number of news sources have started to fill in the pieces. Because of the highly sophisticated nature of the attack, many quickly speculated that it was nation-state backed. Then, over the weekend, TechCrunch released an article with sources claiming the attack infected websites designed to target China’s Uyghur minority. A day later Forbes confirmed TechCrunch’s report, also reporting that the attack targeted Android and Windows users too. Google and Apple, for their part, have not confirmed these reports.

Unanswered Questions 

News of the attack has raised a lot of questions. Among them: why are we only learning about all this now? While Apple did make note of the exploits in its February update announcement, the language used was such that the scope of the attack was completely unknown until now. While it is always important to apply updates to any device as quickly as possible, it’s possible that, without understanding the severity of the attack, many users left themselves exposed by putting off the update for another day.

Another reason this news is so important is that Apple is often considered to have some of the most advanced cybersecurity defenses out there. Because of the perception that Apple products — and iPhones in particular — are safe from attack, users may not properly understand the risks posed. As Ian Beer, author of the Google report, says, “real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”

While this news doesn’t mean iPhone users should throw their phones away, it does serve as a wake-up call. No matter the device, all users need to take steps to ensure their information remains protected, not least by updating devices quickly. Because, as Beer states, “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

Introducing PhishMarket

Click here for a new way to secure your most valuable asset— your employees.
