FINAL WORD
There’s a machine that stops phishing attacks. It’s called the human brain
Phishing attacks remain a source of anguish for security professionals. But those who choose to just throw technology at the problem are overlooking a vital component of their defence – the ‘human firewall’. Kamel Tamimi, Principal Security Consultant, Cofense Inc, tells us more...
Until human nature changes (don’t hold your breath) phishing attacks that target unwary people will be a headache. Two recent headlines show the Middle East and Africa are not being spared.

Last November, a leading regional bank issued a customer alert about a phishing email dangling a value-added tax refund. Naturally, the email purported to come from the bank. Whose pulse wouldn’t quicken at the thought of getting some money back?

The following month, Amnesty International warned of several credential phishing campaigns, likely from the same attackers, targeting Middle Eastern and North African organisations. In one campaign, the threat actors took aim at accounts on ‘secure’ email services like Tutanota and ProtonMail.

It would be nice if automation could solve the problem completely. But while automated systems, Machine Learning and AI can help, malicious emails are still getting past the perimeter. Just ask the regional bank and Amnesty International.
Here’s what organisations tell us about the human factor
You could also ask organisations in the region and across the globe. At Cofense, we talk to them every day about effective phishing defence. Following are some of their insights on thwarting attacks on humans by empowering them with the right expertise and tools.
Let’s start with the head of information security at a Middle Eastern university. A few years ago, after large-scale attacks by nation-state actors on other regional targets, he made human-vetted phishing defence his number one priority, anchored by a rigorous phishing simulation program.

When he launched the program, users – students, faculty, administrators and anyone else using the network – fell for simulated phish 55% of the time. That number has now dropped to close to 10%, with the number of users reporting bad emails up to 50%.

(FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, over 16 users report a simulated phish to every user that falls susceptible.)
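The three figures quoted above (the share of users who fell for a simulated phish, the share who reported it, and the number of reporters per susceptible user) are what a simulation program is measured on. The following Python is an added example, not code from the article, Cofense or the university it describes: it computes those figures from per-user campaign events. The event records, user names and campaign names are constructed for illustration; rates are computed over users the phish was actually delivered to, a user who both clicks and reports counts in both figures, and a campaign with no clicks at all gets an infinite ratio rather than a division error.

```python
"""Metrics for a phishing-simulation program.

Added example (not code from the article, Cofense or the university it
quotes). It computes the figures the article reports for a simulation
campaign: the share of recipients who fell for the simulated phish, the
share who reported it, and the reporters-per-susceptible ratio. All event
data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# One record per event: (campaign, user, action).
# Actions: "delivered" (simulated phish sent), "clicked" (user fell for it),
# "reported" (user reported it to security).
Event = Tuple[str, str, str]


def make_events(campaign: str, users: int, clicked: Iterable[int],
                reported: Iterable[int]) -> List[Event]:
    """Construct a campaign's events: every user is delivered to, and the
    given user indexes click and/or report (a user may do both)."""
    events = [(campaign, f"user{i:02d}", "delivered") for i in range(users)]
    events += [(campaign, f"user{i:02d}", "clicked") for i in clicked]
    events += [(campaign, f"user{i:02d}", "reported") for i in reported]
    return events


# Constructed sample: a launch campaign at 55% susceptibility / 20% reporting,
# a later one at 10% / 50%, and one campaign where nobody clicked.
SAMPLE_EVENTS: List[Event] = (
    make_events("launch", users=20, clicked=range(0, 11), reported=[0, 12, 13, 14])
    + make_events("now", users=20, clicked=[3, 7], reported=[3] + list(range(10, 19)))
    + make_events("clean", users=5, clicked=[], reported=[1, 2])
    # A report from someone the phish was never delivered to (a forwarded
    # copy, for instance): it must not distort the rates.
    + [("now", "user99", "reported")]
)


@dataclass(frozen=True)
class CampaignMetrics:
    campaign: str
    delivered: int
    susceptible: int                  # delivered users who clicked
    reporters: int                    # delivered users who reported
    susceptibility_rate: float        # susceptible / delivered
    reporting_rate: float             # reporters / delivered
    reporters_per_susceptible: float  # inf when nobody clicked


def campaign_metrics(events: Iterable[Event], campaign: str) -> CampaignMetrics:
    """Compute the metrics for one campaign over delivered users only."""
    actions = defaultdict(set)
    for camp, user, action in events:
        if camp == campaign:
            actions[user].add(action)
    delivered = {u for u, acts in actions.items() if "delivered" in acts}
    if not delivered:
        raise ValueError(f"no deliveries recorded for campaign {campaign!r}")
    susceptible = {u for u in delivered if "clicked" in actions[u]}
    reporters = {u for u in delivered if "reported" in actions[u]}
    ratio = len(reporters) / len(susceptible) if susceptible else float("inf")
    return CampaignMetrics(
        campaign=campaign,
        delivered=len(delivered),
        susceptible=len(susceptible),
        reporters=len(reporters),
        susceptibility_rate=len(susceptible) / len(delivered),
        reporting_rate=len(reporters) / len(delivered),
        reporters_per_susceptible=ratio,
    )


def program_trend(events: Iterable[Event],
                  campaigns: Iterable[str]) -> List[Tuple[str, float, float]]:
    """Susceptibility and reporting rate per campaign, in the order given,
    so a program can be tracked from its launch onwards."""
    events = list(events)  # the iterable is walked once per campaign
    result = []
    for name in campaigns:
        m = campaign_metrics(events, name)
        result.append((name, m.susceptibility_rate, m.reporting_rate))
    return result


if __name__ == "__main__":
    for name, fell, reported in program_trend(SAMPLE_EVENTS, ["launch", "now"]):
        print(f"{name}: {fell:.0%} fell for it, {reported:.0%} reported it")
```

Both rates are taken over delivered users, not over all events, so a campaign that also logs opens or multiple clicks per user is not inflated; and the ratio is reported separately from the two rates because, as the energy-industry figure in the article shows, it is the number that captures whether reporters outnumber the people who fall for the phish.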
“My mandate was to do everything necessary to protect the university community,” the head of information security reported.

“We invested in technological solutions, but with 30 years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.”
www.intelligentcio.com