Happy New Year everyone! We’ve just come through what’s probably the biggest gift-giving month of the year – most of you, I’m sure, unwrapped more than one present. So let me ask a couple of questions.
If there was a pretty package, with no tag identifying the giver – would you open it?
If the tag said it was from a friend, using their Facebook name – would you open it?
If the tag said it was from a co-worker, but not one you’re very close to – would you open it?
Let’s change the scene just a bit, and imagine that it was an email you received, with an attachment that the email asked you to open – under what circumstances would you actually open the attachment?
Many of you will say that you’d analyze the message and make a judgment based on the words, the spelling, the grammar (malware merchants are all notoriously bad at spelling and grammar. No, really!) and how you (the recipient) and the sender were identified. But in a survey conducted earlier this year, Courion Corp. found that 1 in 5 respondents would “have opened an email at work they suspected to be fake or a phishing scam – without notifying the IT department”.
1 in 5. Over 19%, and that’s just the ones who thought the email might be problematic. I can only imagine that the number would be much higher for those who didn’t suspect the email was a phishing expedition.
So, what can you do about it? How can you protect the company from its own innocent, but curious, employees?
Malware – Trojans, viruses and the like – is usually handled by anti-virus packages either centrally (on the mail server, for example) or on each desktop – or both. These tools, if kept up to date, are quite effective. But phishing is a different problem.
There are three general vectors for a phishing email: it might contain a link to a URL (including URLs that resemble those you normally visit, such as your bank) that will collect protected information (usernames, passwords and PII – Personally Identifiable Information); it might contain an attachment that the user should fill out and email or fax back; or the note may simply ask for information to be sent in a reply. Alternatively, the URL or attachment could install active malware that would gather authentication or PII data (such as with a keylogger).
You could intercept all emails that contain attachments or URLs and quarantine them, notify the intended recipient and have a security expert review the email before allowing the intended recipient to see it. How long would this delay delivery, do you think? How long would the CEO put up with this?
You could intercept only those which came from outside the organization’s domain. That should cut down on the volume of email that needs to be reviewed, but might actually be less secure than allowing everything to go through. Emails purporting to come from others in the organization (those, for example, whose credentials had been compromised) would most likely be willingly opened by all and sundry. At the same time, missives of a private nature coming from outside would be subject to intense scrutiny by a security clerk, perhaps one who couldn’t resist gossiping. Not a recipe for success!
No, there really is no substitute for education – teaching your people how to recognize potentially hazardous communications and how to handle them. Especially the part about letting security/IT staff examine questionable emails.
It’s going to take more than a memo and some “be aware” posters, though. What I’m talking about is a real education campaign with actual teaching, perhaps some mentoring and periodic testing. The occasional “pop quiz” via a phishing-style email should be part of your proactive anti-malware campaign. Those who fail the quiz should be required to take refresher courses.
Technology can help, but only well-trained, fully informed and security-aware employees can keep your organization safe.