Theory, Practice And Application: Tackling Phishing In Three Steps
Expert Insights speaks to Theo Zafirakos of Terranova Security to discover how organizations can empower their employees to combat phishing attacks with training and threat simulation.
Phishing is one of the most prevalent and dangerous types of cybercrime we see today. During a phishing attack, a bad actor contacts their target—usually via email—while impersonating a trusted sender, such as a colleague. In this communication, they try to manipulate their target into handing over sensitive information, like login credentials or financial information.
Attackers prey directly on users’ reliance on digital communications and inherently trusting human nature. And because of this, employees are often considered an “easy in” to an organization’s data, or a “weak link” in a company’s security architecture. However, this way of thinking is quickly becoming dated, as organizations increasingly realize that employees can’t defend themselves against an attack they aren’t aware of; it’s up to the security team to give users the tools they need to identify and respond to threats.
Security awareness training is one means of delivering these tools, providing employees with the theory and practice they need to form a solid line of defense against real-life phishing attacks.
To find out more about how organizations can empower their employees to combat phishing, we spoke to Theo Zafirakos, CISO at Terranova Security. With over 20 years’ experience in the IT and cybersecurity industry, Zafirakos has worked with numerous IT and business leaders, seizing the opportunity to learn about the security threats and challenges they face. Now, Zafirakos uses this knowledge as CISO and leader of the Professional Services team at Terranova Security, taking responsibility for the company’s own internal security program, but also assisting hundreds of clients in designing and implementing their own awareness training programs.
Founded in 2001, Terranova Security is a leading security awareness training company that works with their clients across all sectors to design and deliver programs that reduce the human risk factor and counter cyberthreats by changing user behaviors. Terranova Security’s Awareness Solution offers risk-based awareness training on numerous cybersecurity topics, including phishing, data privacy and compliance, to give employees the skills they need to identify and respond to cyberthreats consistently and confidently.
Phishing Is A Layered Threat, And It Needs A Layered Solution
Despite the publicity that successful attacks receive, people are still falling for phishing. In fact, almost 20% of all employees are likely to click on phishing email links, according to the results of Terranova Security’s 2020 Gone Phishing Tournament. Of those, an alarming 67.5% go on to enter their credentials on a phishing website. There are several reasons for this, says Zafirakos.
“A lot of the time, it’s a moment of inattention, or working surrounded by distractions, especially when working from outside the office. We receive the message and act a little too quickly.
“Other times, it’s simple curiosity and lack of understanding around the potential risk and impact of a cyberattack. What’s the harm in opening the link, or submitting your password on a site that isn’t official?
“Third is the inability to detect the threat indicators. We’re told not to respond or to click on links in a suspicious message or phishing website, but we need to be more specific on what makes the emails suspicious.”
This third cause has become a particular challenge in the last year. In the wake of COVID-19 and the global shift to remote working, organizations have become increasingly reliant upon third-party cloud applications. This means that it’s now the “norm” for users to enter credentials into third-party sites and, as Zafirakos tells me, users may not know which services are official and which aren’t.
In addition to this, phishing itself is a layered threat, Zafirakos says. “The Gone Phishing Tournament is a perfect example of how a phishing attack has multiple layers. First, there’s the email, so being able to recognize a phishing email is the first priority. Second is the phishing website, where a user may enter their credentials.”
Terranova Security’s Awareness Solution offers a combination of high-quality, interactive training content and real-world phishing simulations to help users break the above habits and recognize the multiple layers of a phishing attempt.
“The combination of these in a cohesive program gives the users the knowledge they need, but also the opportunity to practice their skills,” Zafirakos tells me. “Users aren’t going to be exposed to phishing all the time but, when that time comes, they have to be alert, to expect it, and know how to act.”
Simulations Are A Practice, Not A Test
Phishing simulations, in which security teams send their users fake “phishing” emails to monitor their response to the training and administer further training where needed, are a contentious topic within the cybersecurity industry. Some security experts argue that simulations are too much like a form of punishment to be effective, as they train users at the point of failure. According to those who argue against simulations, this can de-motivate users and cause a sense of distrust towards the security team.
To combat this, Terranova Security approaches simulation from a different angle, says Zafirakos.
“We consider phishing simulation as a practice tool; it gives the participant the opportunity to exercise their phish detection skills in a safe environment. It’s better to click within a simulation than to experience it in the real world.
“But it’s important to communicate the purpose and how we’re going to use simulations from the very start of the program, to make clear what the expectations and potential consequences are. We may ask you to follow some additional training, but the goal is education, not punishment!”
In almost every field of training, Zafirakos adds, hands-on exercises are much more effective than presenting the users with theory alone.
This is because of the ways in which our brains work: listening to and analyzing information engages the left side of the brain, while visual and spatial learning engages the right side. Combining theory with practice engages both sides of the brain, allowing it to form stronger connections between pieces of information so it’s easier for the learner to retain.
Phishing simulations not only allow users to engage both sides of the brain, but also practice what they’ve learned in a safe environment, where the consequences of clicking are likely to be a further training module rather than a catastrophic data breach. Because of this, it’s important that simulations are based on real-world threats that users are likely to encounter.
“You need a combination of both,” Zafirakos says. “Here’s the theory, and here’s a way to practice and apply it effectively.”
Fostering A Positive Culture Of Security
Traditionally, organizations have labelled their employees as “weak links” in their cybersecurity chain, but this viewpoint is unfair, says Zafirakos.
“As organizations come online and connect to the internet, or digitize their business processes, they focus mostly on the technology controls. Employees may be seen as the weakest part, but it’s because they are given the least attention in cybersecurity programs. Is it fair to grant employees access to technology and digital information without informing them of the risks and threats associated with them?”
To reverse this way of thinking, organizations must realize that they need to educate and support their users, bringing them into discussions on cybersecurity and allowing them to feel like a part of the solution, rather than the cause of the problem.
“Educating and informing users of the risks associated with new technologies is the organization’s responsibility, as is the communication of their expectations,” says Zafirakos. “This will help users become a part of the defence, so they’re no longer the ‘weakest link’.”
As the CISO at Terranova Security, Zafirakos is responsible for their own internal security program. I asked him how he works to cultivate a positive culture of security and encourage security-first practices among his own teams.
“The importance of information security is communicated from the first day on the job,” he tells me. “We have ongoing formal training for all our users and various roles. Also, throughout the year, we have various activities and competitions to engage our users. This gamification outside of online training helps users to engage with and talk about the topic.
“We also touch the topic monthly during our staff meetings by delivering key messages.
“Since awareness materials are one of our products, all employees are expected to be familiar with them, not just from an awareness perspective, but also so they better understand our business and the needs of our clients.”
And as for whether Terranova Security use their own materials to train their employees…
“But of course!”
Adaptable Training For An Adaptable Work Environment
In the last year, the global migration to remote work has caused a shift in the types of cyberthreats we’ve seen, with cybercriminals choosing increasingly targeted attack methods that prey on their targets’ uncertainty—just as phishing does.
In addition to this, the shift to users working from home has made it necessary for organizations to consider provisioning new tools and applications remotely—sometimes across multiple countries—as well as allowing users a more flexible work schedule, as they’ve juggled work with housework, childcare, and Zoom meetings.
As a result, security awareness training solutions have had to adapt not only to include new information on the most current threats, but also to help users learn in a volatile work environment.
“We’ve adapted our training solutions to meet the growing needs of remote workers and organizations working with distributed teams across many different countries and time zones,” says Zafirakos.
“Using the Terranova Security Awareness Solution, administrators can ensure their program material is targeting the right user behaviors with multilingual content available in a variety of learning formats, including microlearning, nanolearning, and Serious Game modules.
“The content is also available in accessible and mobile responsive formats to help build a diverse, inclusive security awareness training program where all users, regardless of their physical location or preferred language or device, can enjoy an engaging, fun learning experience.”
And because of these changes, Terranova Security’s Awareness Solution has experienced increased participation and completion rates.
“It’s now far easier for organizations to transform their users into cyber heroes.”
As organizations begin welcoming their employees back into the office, often in a hybrid-remote form, accessibility will be a priority for organizations choosing security awareness training, Zafirakos tells me.
“You need programs in place that are accessible by anyone, from anywhere, on any device and at any time,” he explains. With these requirements fulfilled, training a hybrid workforce should be a breeze.
Communication And Consistency Are Key…
…in the fight against phishing, Zafirakos says. Organizations struggling to combat phishing threats need first to consider their communication.
“Explain the risk to both management and employees and obtain their support for your program,” he explains. This buy-in will make the adoption of the program flow much more smoothly and efficiently.
Next, Zafirakos says, you need to choose a program that offers both awareness training materials and phishing simulations. But implementing the program alone isn’t enough to cultivate a culture of security: you also need to consistently give your users practical advice, reminding them of the existing threats and informing them of new attacks and tactics they should be aware of.
Finally, Zafirakos tells me, you need to support your users—including those who are still clicking on links in suspicious messages.
“We have to continue not to punish, but to support those happy clickers. But we also have to take the time to recognize those who actually report the suspicious messages.”
Thank you to Theo Zafirakos for taking part in this interview. You can find out more about Terranova Security and their security awareness training platform at their website and via their LinkedIn profile.