FINAL WORD

“If you’re placing all your bets on tech and neglecting the human factor, it’s going to be a long, and very phishy, year.”
Kamel Tamimi, Principal Security Consultant, Cofense Inc
He added: “Look at it this way. You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defence.”

The cyber-program director of a multinational utility echoed these remarks. “My CISO often states that if he had to cut all of his budget, down to the bare bones, all that he would choose to spend on would be awareness and response,” he said.

Referring to constant changes in attack techniques and the need for defensive adjustments, he added, “I’m reminded of a quote from Alice in Wonderland, when the White Queen was saying, ‘In order to keep up, you have to run as fast as you can.’”

Removing phishing emails ‘sometimes in five or 10 minutes’

An operational risk consultant with a global financial company shared with us an example of employees helping the SOC stop phishing threats in minutes.

“I don’t think security is going to be improved by the next best technology we put in place, whether it’s an appliance or a firewall or something that blocks at the proxy,” she said.

“For example, we had a Word document with macros slip through our filters, so we just need to teach the humans that own our email addresses to be extra-vigilant.”

She continued: “We see some departments reporting as high as 60% in phishing simulations, but they also report [real] malicious emails that go to our cyberdefence teams – and they get them out of the network sometimes in five or 10 minutes.”

“Hey, is this the right payment?”

“We had a scenario where, all the way up to the CEO, they were ready to make a treasury payment until somebody finally picked up the phone and said, ‘hey, is this the right payment to be made?’ And it was blocked.”

“That’s a return on investment.”

Noting the futility of investing in technology while users remain untrained, a cybersecurity awareness evangelist at one of California’s largest companies said: “In one corner you’ve got 10 million dollars in defence perimeter equipment and on the other side, of course, you’ve got ‘Dave.’

“A machine cannot apply a non-linear approach to a problem. A machine is just conditioned to do one thing. But a human being with instinct can make decisions that are a lot more intricate.”

His company too relies on employees to report actual phishing threats.

“Last month, we saw 33 reported threats come into our IR inbox,” he said. “When you consider that a breach could cost US$6 million, that’s a return on investment.”

“What did you do to prevent this?”
The last word comes from another global financial company: “To not focus on phishing would be pretty negligent on any company’s part,” said the company’s operational risk consultant.

“At the end of the day, if we have a breach it’s probably going to have stemmed from some sort of phishing attack.

“When our regulators or clients are asking us, ‘What did you do to prevent this?’ it’s important to feel confident that we have an anti-phishing program in place.”

She noted that inbox behaviour is ‘easily measurable’. It’s not hard to sustain a phishing defence program because the metrics are simple to gather and use to demonstrate success.

In fact, automation makes it even easier, allowing program managers to schedule a year’s worth of simulations in a matter of minutes. Other automated systems enable SOC teams to filter and analyse reported emails quickly, plus remove them from users’ inboxes when verified as threats.
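The filter-analyse-remove loop described above, as an added example of what that SOC automation does with a reported message (this is not code from the article or from Cofense, and it uses only the Python standard library). Each reported email arrives as raw RFC 822 bytes; the code checks the indicators an analyst looks at first, including the case the consultant mentioned, a Word document carrying macros, which it detects by opening the OOXML container and looking for a vbaProject.bin part rather than trusting the file extension. The indicator weights, the domains, the three sample reports and the purge_list function are all constructed assumptions for illustration, not a product ruleset.

```python
"""Triage of employee-reported phishing messages. Added example, not code from the
article or Cofense; indicator weights, domains and sample reports are constructed."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.headerregistry import Address
from email.message import EmailMessage
from urllib.parse import urlparse

# OOXML (docx/xlsx/pptx) keeps VBA code in a vbaProject.bin part whatever the
# extension says, so the container is inspected rather than the file name.
MACRO_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URGENCY_WORDS = ("urgent", "immediately", "wire", "payment", "overdue")
WEIGHTS = {"macro_attachment": 5, "reply_to_mismatch": 3, "display_name_spoof": 3,
           "ip_literal_url": 2, "urgency_wording": 1}  # illustrative, an assumption


def ooxml_has_macros(data: bytes) -> bool:
    """True if an Office Open XML container carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(MACRO_PART.search(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> dict:
    """Parse one reported message; return its flags, score and verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    from_domain = sender.domain.lower() if sender else ""
    # Display name that is itself an address at another domain (name spoofing).
    match = EMBEDDED_ADDR_RE.search(sender.display_name) if sender else None
    if match and match.group(1).lower() != from_domain:
        flags.append("display_name_spoof")
    # Reply-To steering answers to a domain other than the sender's.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != from_domain:
        flags.append("reply_to_mismatch")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if any(IPV4_RE.fullmatch(urlparse(u).hostname or "") for u in URL_RE.findall(body)):
        flags.append("ip_literal_url")
    if any(w in f"{msg['Subject'] or ''}\n{body}".lower() for w in URGENCY_WORDS):
        flags.append("urgency_wording")
    for part in msg.iter_attachments():  # macro check by extension and by content
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS) or ooxml_has_macros(part.get_payload(decode=True) or b""):
            flags.append("macro_attachment")
            break
    score = sum(WEIGHTS[f] for f in flags)
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return {"message_id": str(msg["Message-ID"] or ""), "flags": flags, "score": score, "verdict": verdict}


def purge_list(reports) -> list:
    """Message-IDs the SOC should pull from every inbox after triage."""
    return [r["message_id"] for r in map(triage_message, reports) if r["verdict"] == "malicious"]


def build_docx(with_macros: bool) -> bytes:
    """Minimal OOXML-style container; constructed test data, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


def build_message(sender, subject, body, message_id, reply_to=None, attachment=None) -> bytes:
    """Assemble one constructed report as raw RFC 822 bytes."""
    msg = EmailMessage()
    msg["From"], msg["Subject"], msg["Message-ID"] = sender, subject, message_id
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment[1], maintype="application", subtype="octet-stream",
                           filename=attachment[0])
    return msg.as_bytes()


SAMPLE_REPORTS = [  # constructed: macro-laden "invoice", CEO-fraud wire request, benign newsletter
    build_message(Address("Accounts Payable", "ap", "supplier-invoices.example"),
                  "Invoice 4471 overdue", "Please open the attached invoice.",
                  "<inv-4471@supplier-invoices.example>",
                  attachment=("Invoice_4471.docx", build_docx(with_macros=True))),
    build_message(Address("pat.morgan@corp.example", "noreply", "mail-relay.example"),
                  "Treasury transfer today", "Dave, I need an urgent wire payment approved.\n"
                  "Confirm here: http://203.0.113.7/treasury/confirm",
                  "<bec-1@mail-relay.example>",
                  reply_to=Address("Pat Morgan", "pat.morgan", "corp-example.co")),
    build_message(Address("IT Helpdesk", "helpdesk", "corp.example"), "Monthly security newsletter",
                  "This month's tips: https://intranet.corp.example/tips", "<news-9@corp.example>"),
]
```

Calling purge_list(SAMPLE_REPORTS) returns the Message-IDs of the macro invoice and the wire-transfer request and leaves the newsletter alone; in a real deployment those IDs would feed the mail platform's search-and-purge API, and the weights would be tuned against the organisation's own history of reported phish rather than the guesses used here. The point worth keeping is the macro check: it reads the zip container, so the verdict does not depend on the filename the attacker chose.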
Those are smart uses of technology. After all, machines are great at saving time and handling repetitive tasks, saving human brains and intuition for critical decision-making.

But if you’re placing all your bets on tech and neglecting the human factor, it’s going to be a long, and very phishy, year.
www.intelligentcio.com