Protecting yourself from cyber-attack used to be about technology. But I have heard it repeated time and time again this week at the industry’s annual go-to security event, RSA Conference in San Francisco, that this is not enough.
Sure, you need the right technology, but attacks can’t be completely repelled with technology alone. You need to turn your employees into a new line of defense – something we have often called your Human Firewall.
Why? Well, today it makes much more ‘economic’ sense if you are an attacker to go after people.
For years now, most organizations have invested heavily in perimeter defenses, and as time passes, the historic security loopholes or open doors in the products we rely on have been closed and the defenses toughened – making it a harder job for attackers to go after your network. Not impossible, but harder. It requires more skill, effort, resources and persistence.
Meanwhile, we have put more and more technology into the hands of our employees and connected them to the outside world in multiple ways: email, social media, cloud services, mobile. We actively encourage our people to connect with customers, colleagues, contacts and prospects. It’s a part of being a modern organization.
So, an attacker has a choice to make about what strategy to apply, and they are going to look for the path of least resistance – the ‘return on investment’ business case for attacks on people is just too compelling. Because people are, after all, “only human.” For all our great qualities, from a security perspective, we are fallible. Prone to being tricked, scammed or bamboozled. As Admiral Rogers of the NSA said this week at RSA about employees and their role in cyber security: “… every individual we have given access to a keyboard is a potential opportunity or a threat.”
And, right at the center of all this sits email. Behind every email address is a person. Guaranteed. Sending an email costs next to nothing. Sending thousands of emails costs next to nothing. And if you invest a little time in social engineering to improve the targeting of your attack (just a few minutes on LinkedIn should do it), research suggests you are almost guaranteed to get a hit.
So, if you are an attacker what do you do? Buy hacking toolkits, invest in people resources, get heavy duty computing power, persistently attack a target over days, weeks or even months or find the CFO or CEO’s assistant’s name, fake an email address to look like their boss and then start an email dialogue?
Spear-phishing in its various guises, and specifically now CEO Fraud or whaling attacks, is the new frontline we need to defend. And defense requires new technology, employee security training and culture change.
That’s why our Targeted Threat Protection service combines comprehensive technology protection with user awareness capabilities. You need to do both to effectively protect against attacks using malicious URLs, weaponized attachments and now non-malware emails used for whaling. With Mimecast, when an employee clicks on a malicious link we don’t just scan it, we tell them what we are doing, so they see the risk they are potentially putting the organization under and learn for next time. Receive an email that looks like it comes from the CEO but in fact is from a spoofed domain name (even if it looks like your own) – we make that clear to the employee with an alert. And receive an attachment – we convert it to a safe format before delivering it to you, so any potential malicious payload is disabled, and we explain why.
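The whaling alert described above rests on two checks: does the sender domain merely resemble the organization’s own, and does the display name claim to be an executive whose real address is different? The following is an added illustration of those checks, not Mimecast’s code; the organization domain, the executive directory and the sample message are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the protected organization's own domain
# Constructed sample directory: lower-cased display name -> the executive's real address
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that is not ours but is within two edits of it or embeds our name."""
    if domain == ORG_DOMAIN:
        return False
    base = ORG_DOMAIN.split(".")[0]
    return edit_distance(domain, ORG_DOMAIN) <= 2 or base in domain


def assess_from_header(raw):
    """Return a list of human-readable findings about the From: header of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if is_lookalike(domain):
        findings.append(f"sender domain {domain!r} resembles {ORG_DOMAIN!r}")
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name {name!r} matches an executive but address is {addr!r}")
    return findings


# Constructed sample: a whaling-style message using a digit-for-letter lookalike domain
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
To: assistant@example.com
Subject: Urgent wire transfer

Please process today.
"""

if __name__ == "__main__":
    for finding in assess_from_header(SAMPLE):
        print("ALERT:", finding)
```

A From: address that exactly matches your own domain is not checked here; for inbound mail that case must be settled by SPF/DKIM/DMARC results rather than by string comparison.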