Phishing and operational resilience? Old words, new environment

‘Operational resilience’ has left the world of management buzzwords and is now firmly embedded in operational reality. Dependence upon digital architecture has always increased the risk to operational resilience from a cyber-attack, but 2020 has introduced a whole new level of vulnerability.

For essential services, the tolerance for disruption, during the uncertain times of 2020, is dropping rapidly—whether that’s from the perspective of the public, users, government, or regulators. Sometimes it’s because those essential services have become so critical—such as the NHS and its supply chain—they simply cannot be disrupted under any circumstances. For other public services, anything that increases the abnormality of living in the C-19 era further stretches public confidence to breaking point. And where there are regulators in play, they are no longer forgiving when it comes to operational resilience.

Other businesses fall into two categories. Those that are fighting for their commercial lives, desperately trying to survive, innovate, and adapt; where every second of every day counts and any disruption may be the difference between survival or failure. This gives ‘operational resilience’ a whole new meaning.

Other businesses are overrun. Take, for example, the businesses to whom the public (and government) have turned towards to try and keep society and the economy moving; Amazon, DHL, supermarket online shopping and delivery have attained almost ‘essential’ public service status in the eyes of their clients. Disruption to those is commercially and reputationally damaging.

How does this impact employees?

And into this world of genuine operational resilience we must place the workers of all types for whomever they work: essential service providers, struggling businesses, stretched businesses. They are invariably working with systems onto which they have been quickly migrated. They are often working at home or away from an office where their online behaviour is heavily influenced by both their environment and the deployed technology. And they are often in professional and/or personal isolation, hungry for information and often anxious, stressed and under huge pressure.

Threat actors are looking to benefit

With this in mind, we must also consider those ‘threat actors’ who use online opportunities to service their own nefarious outcomes: criminals (mainly), state (more than people realise), aggrieved employees (increasingly a lot of these), bored script kiddies (ditto), and hacktivists. They look, salivating, into this new land of opportunity. And they look at their tried and tested tools, starting with their ‘phishing rod’.

Why we’re still talking about the phishing threat

Phishing is not new, but 2020 has seen the type of environmental changes that have given it a new lease of life. While the actors who conduct these attacks and their motivations vary, the common link between them is that almost all the attacks start from a successful phishing email. In fact, recent research by Proofpoint identified that more than 99% of threats observed required some kind of human interaction to run—either by clicking on a link or opening an attachment. Other figures vary, but you’ll rarely find one below 90%.

Of course, many digital risks can be mitigated using technology and automation; these solutions are essential but they are not a catch-all. In the world of phishing as a route into an organisation, many malicious phishing emails and texts can normally be filtered out by corporate firewalls and technical controls, but the techniques to bypass them move just as quickly as the measures put in place to stop them. Furthermore, in many cases, remote workers are still relying on personal devices which do not have the same level of security measures in place, further increasing the human risk factor and conflating the office:home mindset yet further.

Let’s look at COVID-19 themed phishing campaigns, which have substantially increased risk from a human perspective. You will have seen in the media that cyber criminals have been using the pandemic to exploit people’s thirst for information and vulnerable status. This aggressive targeting shows no signs of abating and we have observed false email campaigns requesting charity donations, corporate messages about employees working from home, messages about redundancies, and fake websites posing as official government and health agencies exploiting the confusion about testing, rules, compliance and vaccines. Add to this the spear phishing campaigns purporting to be from ‘colleagues’, ‘suppliers’ requesting urgent payment/threatening legal action, and ‘clients’ offering more work. Even in a normal world the risk is high, never mind at a time when every message purports to contain critical information.

Cyber aware workforces key to building operational resilience

With cyber security risk having now shifted significantly more towards remote workers, the awareness and responsible online behaviour of employees is even more important. It’s important to recognise the vulnerable position they are in and that they need help and support not to fall foul of the tsunami of phishing. As mentioned, it’s true that technology and technical controls can identify and remove a proportion of malicious phishing emails and prevent their spread—and this should of course remain part of a risk mitigation strategy—but the last line of defence is an aware workforce.

With more than 9 in 10 of all cyber attacks starting with a phishing attack, naturally one particularly effective risk management tool is to measure how exposed an organisation is. If any organisation can’t answer the question of ‘how many of our staff would fall foul of a phishing attack and/or how many would report it’, then it becomes impossible to measure that particular vulnerability gap.

And as well as keeping your operation running and avoiding disruption and financial loss, we all owe it to our employees to help them understand the risks they are managing for us during this time. There is nothing more avoidably sad than an employee, at home alone with dawning horror, realising that one wrong click made under colossal pressure and worry in an unfamiliar work environment, had cost their company thousands, or sometimes millions, or, even worse, pushed their company over the financial edge.

And one way to measure the current awareness and operational resilience of your employees, and help them understand the nature of the risk during these times, is with a Phishing Vulnerability Assessment (PVA).

How does a Phishing Vulnerability Assessment work?

A PVA is designed to boost awareness of the cyber security risk and demonstrate how all employees can help to protect their company while online. An assessment typically includes a controlled phishing campaign over an agreed duration and will measure any number of areas. For example, in a recent assessment, we recorded the percentage of recipients who opened the phishing email and then how many of them clicked on the link in the message. We also collected location data, to see if there were any departmental or specific office-based trends.

Depending on the nature of a particular attack, these actions alone would normally be enough for criminals to gain a foothold in your organisation and they could then begin the activity of laying down, for example, ransomware or pivoting through the network for the information and data they are looking for. The length of time it takes to detect an attacker on a victim’s network has a significant bearing on the overall impact of an incident, so as part of a PVA we also record how many of the participating users report the suspicious email to the security/IT team (whether opened or not) as it is very important to encourage users to report any suspicions they have.

And finally, those who did click on the offending link were immediately directed to bite-sized educational material to help them identify a phishing email in future.

At the end of the campaign, a client will receive a comprehensive report, including a data and narrative analysis of employee activity in relation to the assessment and training, which clearly illustrates and measures the level of risk

Why conduct a Phishing Vulnerability Assessment?

By understanding your organisation’s security posture and operational resilience, you can make informed decisions on effective investment in education and technology, as well as improving your organisation’s level of security and awareness.

One way to test your overall operational resilience is to measure the resilience of your people—a PVA can help measure this. The importance of a PVA is illustrated by our findings that 80% of participants said that security awareness training had led to significant measurable improvements in reducing phishing susceptibility.

Measure the resilience of your people

Do you know how your people would deal with a phishing email? Get reassurance that they will take the right actions and you are helping them to help you and themselves at work and at home. 

Talk to us about Phishing Vulnerability Assessments and how we can tailor and time them to fit your specific requirements.