Humans don’t have to be cybersecurity’s weakest link


Humans get a hard time from cybersecurity professionals, because in this industry we know it only takes one mistake to cause disaster. There’s no getting away from the fact that all hackers need to do to launch a ransomware attack or steal valuable data is persuade a single employee to interact with one phishing email. Careless clicks sink ships, to paraphrase a famous British wartime phrase. Attackers know this too, which is why they focus their attention on building ever-more convincing phishing emails that are intimately designed with their victim in mind.


This so-called “human problem” is a familiar part of the security landscape and has become something of a dogma. Staff are unreliable and prone to making catastrophic mistakes, it’s often said. There will always be someone who thinks it is perfectly normal for their “boss” to send a badly spelt email asking them to transfer all the money from a corporate account, we fear. It doesn’t have to be like this. Employees no longer have to be the weakest link in security, because with the right training and corporate structures in place, they can become a crucial and trusted part of organizations' defenses. It is time to turn the human problem into a human solution.

Human behavior

Before addressing the problem, it must be admitted that people are involved in a large share of cybersecurity incidents. A total of 36% of breaches involved phishing, which is 11% more than last year, according to Verizon’s 2021 Data Breach Investigations Report.

Phishing is a scalable, versatile and low-cost method of launching cyberattacks. It works, which means criminals will continue to work hard to refine their tactics and make ever-more convincing phishing lures. Yet as the bad guys get better at phishing, defenders can learn from their tactics. A sure-fire way of defending against the human vulnerability exploited by phishers is training the people who are their targets. We know, for instance, that there are several phrases used in phishing emails which staff should be told about so that they can raise a red flag as soon as they encounter them.

These high-risk phrases include “Dropbox,” “amount of USD” and “message is from a trusted.” Our research shows that the most common suspicious phrase in an email is “click here,” followed by “login,” “payment,” “please click” and “password.” Other common phishing phrases include “please visit,” “click here to” or even “Bitcoin.” Staff should be briefed on these phrases and given an easy way to flag suspicious emails so they can be blocked across the company.

Unfortunately, the widescale reporting of suspicious emails could cause an overload for time-pressed security staff, who are already suffering from alert fatigue. When a trained professional investigates and responds, this can take anywhere from 15 minutes to an hour, depending on the professional's background and the complexity of the particular case.

Automation can help here, offering dramatic reductions in the time needed to deal with a phishing email. Up to 99% of all phishing emails can be dealt with by automated systems, leaving the most difficult tasks to security staff and freeing them from routine inspections. Automation solves another human problem, by alleviating the problems caused by excessive alerts and false positives so that security staff can tackle the difficult issues that machines are unable to deal with.
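To make the two previous points concrete, here is an added example (not F-Secure's tooling or anything from the article) of the first, automated stage of such a pipeline: employee-reported emails are scored against the high-risk phrases the article lists, and only those over a threshold are escalated to an analyst. The phrase list is the article's; the weights, the escalation threshold and the two sample messages are constructed assumptions.

```python
"""Pre-triage of employee-reported emails by the article's high-risk phrases.

Added example; weights, threshold and sample messages are assumptions.
"""
import re
from email import message_from_string
from email.message import Message

# Phrases the article says staff should be briefed on. Weights are an
# assumption, giving more to the ones the article calls most common.
HIGH_RISK_PHRASES = {
    "click here": 3, "login": 2, "payment": 2, "please click": 3, "password": 2,
    "please visit": 2, "click here to": 1, "bitcoin": 2,
    "dropbox": 1, "amount of usd": 2, "message is from a trusted": 3,
}
ESCALATE_AT = 5  # assumed: scores at or above this go to a human analyst


def text_of(msg: Message) -> str:
    """Concatenate the subject and every text/plain part, lower-cased."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return " ".join(parts).lower()


def score_email(raw: str) -> tuple[int, list[str]]:
    """Return (total weight, matched phrases) for one raw RFC 5322 message.

    Overlapping phrases ("click here" and "click here to") both count,
    mirroring the article's list rather than de-duplicating it.
    """
    text = re.sub(r"\s+", " ", text_of(message_from_string(raw)))
    hits = sorted(p for p in HIGH_RISK_PHRASES if p in text)
    return sum(HIGH_RISK_PHRASES[p] for p in hits), hits


def triage(raw: str) -> str:
    """'escalate' to an analyst, or 'auto-handle' in the automated pipeline."""
    score, _ = score_email(raw)
    return "escalate" if score >= ESCALATE_AT else "auto-handle"


# Constructed sample messages (not real reported emails).
SAMPLE_PHISH = ("From: billing@example.invalid\nSubject: Payment notice\n\n"
                "Please click here to login and confirm your password.\n")
SAMPLE_BENIGN = ("From: colleague@example.invalid\nSubject: Lunch on Friday\n\n"
                 "Shall we try the noodle place at 12:30?\n")
```

Running `triage(SAMPLE_PHISH)` yields "escalate" and `triage(SAMPLE_BENIGN)` yields "auto-handle"; in practice the phrase list would be one signal beside sender reputation and URL analysis rather than the whole decision.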

Testing one, two and three times

Another important step towards building an employee-powered phishing defense framework is carrying out a controlled attack. This test will reveal key metrics such as the number of users who click a malicious link within an email, enter corporate domain credentials into a phishing website or download a malicious executable. It will also expose the departments that are most susceptible to phishing and highlight security problems, such as the use of weak passwords.

A phishing test must be carried out with care and caution because overstepping the mark can have negative reputational consequences. One famous example of this is a test carried out by West Midlands Trains, which emailed thousands of employees to say they were being given a bonus for their hard work during the Covid-19 pandemic. But when they clicked a link, they were shown the message: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”

This phishing test was certainly memorable, but it hit the national newspapers after a union rep described it as “crass and reprehensible” because at least one worker had died and many others had fallen ill after contracting the virus. A phishing attack can be expensive, but so can the reputational damage caused by negative press, so all assessments must be carried out sensitively and considerately, with the ramifications carefully thought through to ensure there is no risk of upsetting staff and creating critical headlines.

It is also important to make sure that phishing assessments are not just ‘one and done’ exercises, because good habits need reinforcement to embed themselves across an organization, and metrics gathered during a single exercise are not sufficient to provide a holistic risk analysis. One-time assessments do not have a sustained preventive effect: employees are still likely to click on malicious links within emails just a few months after the training, so such one-off engagements have little lasting value.

With the right training and testing routines in place, employees can be empowered to defend their organization from phishing, turning them into the first line of defense. In the age of record-breaking ransom demands and high-profile data breaches, few people are unfamiliar with the devastating effects of cyberattacks. Yet they may not be aware of the role they can play in causing incidents – or preventing them. Solving the human problem is not a far-off dream, but a goal that all organizations can achieve.


Riaan Naude is Director of Consulting at F-Secure. He has over a decade of experience working in cyber security. His career flourished in the financial sector before he found his true passion: consultancy.