When employees are made to feel embarrassed about falling for social engineering attacks, they become counter-productive to their organisations' attempts to fend off cybercriminals, according to one security expert. Here's why.
Businesses are a lucrative target for cybercriminals. As such, these criminals have have upped the ante on their attacks. The number of social engineering attacks that try to convince employees to click on malicious links have dramatically increased in recent years.
Many organisations simulate social engineering attacks such as sending out phishing emails as part of cybersecurity awareness programs for employees. Chester Wisniewski, principal research scientist for security vendor Sophos, believes many of these programs are unproductive because they focus on shaming employees for falling for these scams.
Speaking with Lifehacker Australia, he went through the level of sophistication of attacks that are targeting businesses, especially when it comes to phishing emails. There have been well-documented methods to spot these kinds of fake emails such as looking out for spelling mistakes or being vigilant of links included in the body. While there are still plenty of crude phishing campaigns that are easy to spot, there are plenty of criminals going that extra step in creating malicious emails.
"I was travelling to Finland to present at a conference and I always grab a local phish to put in my slides. When I presented it to the audience, they couldn't believe it was a phishing email because the criminals got the Finnish right," Wisniewski said. "Finnish is an insanely difficult language to get right and you certainly can't piece it together from Google Translate.
"English speakers are even more vulnerable; our language is the most common and are often spoken in wealthier countries, which makes us targets. Translators are also easy to find and they're cheap."
The fact that many people use mobile devices to check their emails complicates things as well because it's harder to spot dodgy URLs, according to Wisniewski. Criminals are even investing in web development so landing pages for these fake URLs look real and professional; these webpages are even mobile responsive.
"A lot of them aren't making mistakes anymore," he said.
While criminals get better at crafting social engineering attacks, companies have to change tact when training up employees in the area of online security.
"Employees are told that they need to spot spelling mistakes and look out for suspicious links - most of those things are impossible, even for well-trained workers. It's wholly impractical to expect employees to get it right all the time." Wisniewski said.
He believes the organisations that run phishing training programs are too focused on punishing employees who fall for fake emails, which breeds a culture of victim blaming in organisations.
"Employees are made to think 'I should have known better' and feel ashamed for clicking on links in phishing emails. This makes them more likely to sweep these emails under the rug by deleting those emails," Wisniewski said. "It's not helpful for them to do that. End-users should be the early alarm system and they're going to make a few mistakes.
"What companies should be doing is encourage employees to report any suspicious emails to the IT security team. Employees shouldn't be afraid to report these things in. They need to know that if they make a mistake, they're not in trouble."
Arni Mar Hardarson is the Victorian CTO for penetration testing firm Pure Hacking. His company helps organisations run phishing attack simulations as part of security awareness training programs. He agrees there are some attacks out there that are harder to spot but phishing training still helps employees stay alert for fake emails in general.
"I do agree that the training should not be used to embarrass the employee and should be used more to praise the employee through various forms such as issuing trophies for detecting a certain level of phishing," he told Lifehacker Australia.
Wisniewski highlighted that the metric to determine the success of phishing attack training programs needs to change. Instead of only focusing on reducing the number of employees opening malicious emails, they should also measure how many people report those scams to IT security teams. He agrees that organisations should incentivise employees to report dodgy emails.
"We need to stop victim blaming; it's how we got into this mess. People are afraid of getting in trouble and the last thing you want is for employees to hide it when they make a mistake," he said.