The newest security threat is here — and it's in our calendars. Spammers have been sending Google Calendar invites containing links, bypassing inboxes entirely and taking advantage of default calendar settings that display invitations automatically, whether or not they've been accepted. We chatted with our risk and compliance manager, Wes Andrues, about how best to educate your company about emerging social engineering security threats (like phishing or calendar spam), and how widespread knowledge can help maintain your internal technological security.
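As an added illustration (not code from the original post or from Guru), here is a small defender-side check over iCalendar invite data: it unfolds the feed, parses each VEVENT, and flags invites that are still unaccepted, come from an organizer outside a set of trusted domains, and carry a link. The sample invites, the domains and the function names are all constructed for this example.

```python
import re

# Constructed sample invites (not real traffic): one internal event that has
# been accepted, and one pending invite from an outside organizer with a link.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\nUID:sync-1\r\nORGANIZER:mailto:rick@example-corp.com\r\n"
    "SUMMARY:Weekly sync\r\nDESCRIPTION:See https://docs.example-corp.com/agenda\r\n"
    "ATTENDEE;PARTSTAT=ACCEPTED:mailto:me@example-corp.com\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:spam-2\r\nORGANIZER:mailto:prize@promo.example\r\n"
    "SUMMARY:You won\r\nDESCRIPTION:Claim at http://promo.example/cl\r\n"
    " aim-now\r\n"  # folded continuation line, as the iCalendar format allows
    "ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:me@example-corp.com\r\nEND:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def unfold(ics):
    """Join folded lines: a line break followed by a space or tab is a continuation."""
    return re.sub(r"\r?\n[ \t]", "", ics)


def parse_events(ics):
    """Return one dict per VEVENT; ATTENDEE parameters are collected in a list."""
    events, current = [], None
    for line in unfold(ics).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            head, value = line.split(":", 1)        # property[;params]:value
            name, _, params = head.partition(";")
            name = name.upper()
            if name == "ATTENDEE":
                current.setdefault("ATTENDEES", []).append(params.upper())
            else:
                current[name] = value
    return events


def organizer_domain(event):
    """Domain of the ORGANIZER mailto address, lower-cased."""
    addr = event.get("ORGANIZER", "").lower().replace("mailto:", "")
    return addr.rpartition("@")[2]


def flag_suspicious(ics, trusted_domains):
    """UIDs of unaccepted invites from outside organizers whose text carries a URL."""
    flagged = []
    for ev in parse_events(ics):
        pending = any("PARTSTAT=NEEDS-ACTION" in p for p in ev.get("ATTENDEES", []))
        external = organizer_domain(ev) not in trusted_domains
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        if pending and external and URL_RE.search(text):
            flagged.append(ev.get("UID"))
    return flagged
```

Invites a reviewer flags this way can be hidden or reported rather than surfaced on everyone's calendar by default.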
First, a bit about Wes before we dive into his tips: his background includes serving in the Department of Defense and Army Cyber Commands at the Pentagon, followed by leading the risk and compliance department at Dell SecureWorks. Needless to say, he knows what he's talking about.
Phishing is NOT hacking — it's worse
While Hollywood would love for us to believe that "hacking" involves one guy furiously typing commands into the terminal, that kind of vulnerability has been largely (though not entirely) disincentivized thanks to "bug bounty" programs. Wes explains it this way: "Bug bounty programs allow companies to say, 'We'll pay you if you find something wrong with our app. Don't try and hack us; just tell us and we'll pay you.'"
"Social engineering bypasses that traditional hacking attempt and goes directly through humans with access to data — and that has proven to be much more effective."
Some are poor quality emails, but many are quite convincing, preying on our existing fears of exposure in order to… expose us! You only need one person to panic for social engineering to impact an entire company.
The classic case of a smart person being fooled by social engineering? John Podesta. Two years ago. The DNC. "He clicked on the change password link heard 'round the world," says Wes. "He's a Georgetown-educated lawyer who fell for it, so you can see why social engineering offers a lot of opportunity over hacking."
How to effectively combat security threats
If social engineering attacks are designed to convince us we're already exposed, how can you, as a company, educate your employees to fight the natural urge to panic? Here, Wes is unequivocal:
"You have to change the culture."
"At Guru, we generally share the funnier phishing email attempts we see — and they're usually 'coming' from Rick [Guru's CEO], who seems to be in constant need of our cell phone numbers. It's funny, but it also isn't. What if one of our CSMs fell for it and gave out a cell phone number or an email address that was then used to get to our customers? That would be a big deal. Luckily, because we surface these threats regularly, we're able to talk about them and educate each other on new tactics, making us much more likely to be able to spot them."
Companies can even try phishing exercises that allow their own risk and compliance team to send out fake phishing emails to see who in the company is likely to fall for a real attack, but that risks eroding trust in the team. Instead, here at Guru, Wes made sure everyone at the company went through the Google Jigsaw Phishing Quiz for training purposes.
How not to combat security threats
"For some reason, in a lot of cases, the gold standard in the industry is to 'train' the workforce annually on security in a passive way. Everyone watches a video or gets an email blast on the risks of responding to phishing, and then the security team can say, 'Look, everyone watched or read this, so everyone moved on.'"
That kind of passive training doesn't necessarily teach anyone how to respond to an attack or how to actively identify those threats, especially as tactics shift throughout the year. Your risk and compliance team should keep that line of dialog open with the larger employee base and make sure it's an ongoing conversation.
The strongest defense against phishing
"In the end, the strongest defense against phishing is a healthy distrust," Wes explains. In an ideal world, these kinds of threats wouldn't exist, but since they do, maintaining a decent amount of skepticism in the tools on which we depend is the only way to truly stay vigilant.