Don’t resort to the phishing ‘blame game’

Representational image of cyber security
(Image credit: Kingston)

Phishing is an innovative cyber practice in itself – constantly evolving to evade the suspicion of its targets. Cyber attackers are extremely agile, trying their luck to infiltrate organizations from every direction – through emails, social media messages, typosquatting and more. Employees are always on the back foot. They will trip up at some point and click on something they shouldn’t.

When they do, and that phishing attack leads to a damaging data breach, organizations can sometimes feel it necessary to publicly place blame on an employee instead of looking inwards at their own cybersecurity reinforcement practices. They do this at the risk of silencing their employees from owning up to risk of fear or repercussions. This approach delays the business’s ability to mitigate damage as soon as possible. In fact, according to a report by email security company, Tessian, 26% of employees lost their job in the last 12 months after making a mistake that compromised their company’s security.

It is no wonder then that fewer employees are reporting their mistakes to security teams. Every business will suffer a phishing attack in its lifetime; it is purely a question of when, not if. The onus is on the business to make a collective effort to keep identity security tight rather than playing the ‘blame game’. The latter only forces employees to shy away from their mistakes instead of learning about prevention for the future.

Non-security employees are the frontline phishing gatekeepers

In the physical world, we wouldn’t expect citizens to identify shoplifters or challenge those who run red lights. But in the digital environment, employees have become frontline phishing gatekeepers. Those who do not work in identity security can be flooded with contradictory guidance of “click this, not that.”

For an HR executive, for example, whose job involves reviewing CVs that arrive daily through email, web applications and social media, simply being told ‘not to click’ on links is not sufficient enough education. Employees of all stripes are inundated with emails each day which include instructions to click on links – whether that be to review company policies or download required software updates. Carefully scrutinizing each attachment and link to detect the malicious from the legitimate with 100% accuracy all of the time is a near-impossible ask.

David Higgins

David Higgins is Senior Director, Field Technology Office at CyberArk.

Phishing awareness is just the start

Maintaining identity security is a team game that everyone must play and phishing awareness is a critical first step. In fact, according to our research, security leaders identify security awareness training as one of the top three most effective components of a defense-in-depth strategy to combat ransomware.

In fact, many organisations put out phishing emails themselves to test their own employees and increase identity security awareness. While this does test an employee’s competency in identifying malicious emails, it can fracture relationships between senior leaders and staff – perpetuating the ‘blame game’. Phishing prevention strategies that rely on highlighting individual shortcomings are unlikely to succeed.

Phishing education is where businesses will see a real difference. Teaching users about the real-world ramifications of risky behavior, such as forwarding personal emails to work accounts, can also help dispel the myth that identity security teams are like all-powerful seatbelts – there to protect people from harm, no matter how fast they’re driving.

In addition, methods that focus on team collaboration to solve the phishing problem, rather than shaming individuals who fail, will go a long way in promoting the team game mentality towards better identity security.

Clicking without fear

Cyber intruders are constantly innovating and will always find ways to get inside environments. This is why Zero Trust has gained such momentum. It is built on the assumption that any identity or endpoint could be compromised. Security must start from an assumed breach mindset, which recognizes that all users – whether they work in HR, marketing, finance, development or even the IT department – may get phished.

Instead of trying to control every click, focus on enforcing strong authentication everywhere, practising good credential hygiene and consistently following the principle of least privilege (for both human and non-human identities) to help prevent credential theft. In addition, implementing allow-listing and application control can help mitigate malicious downloads.

This identity security approach is not about placing blame; it’s about emphasizing awareness and putting the right layered defenses in place to find and stop attackers quickly.

Most importantly, don’t place blame

Humans are biologically wired to blame. When bad things happen to us, we instinctively look for reasons beyond ourselves – and this is not different amongst business leaders, especially for those experiencing a cyberattack. Even as onlookers, we crave that “who done it?” closure. It’s why major breach reports spark waves of speculation and why human error is a common corporate explanation.

While the phishing ‘blame game’ may help businesses feel better in the short term, it misses the more significant point. That is, fault refers to responsibility; responsibility is rooted in trust; and inherent trust – in anyone or anything – must be stripped entirely from the modern identity security equation.

Fostering a positive cybersecurity culture is essential to creating a workforce which does not feel ashamed about coming forward if they are to make a mistake – meaning the business can act quickly and efficiently to mitigate any damage. It is important that employees see cybersecurity as an agent of protection instead of condemnation. Empowering employees to talk openly about their cybersecurity mistakes, instead of playing the ‘blame’, can provide great learning opportunities across the business.

We've featured the best business VPN.

David Higgins

EMEA Technical Director, CyberArk.