The Human Hack: How to Fight an Internet Risk Technology Can't Fix
A year ago, James Robinson played a trick on about 600 salespeople at a company where you wouldn't expect the employees to be easily fooled.
Staffers at Websense Inc. got a generic-looking e-mail that encouraged them to click on a link to learn which product they could sell to earn a bigger bonus. The link led to an unfamiliar website that asked for their user names and passwords.
"What came back to us was crazy, it was in the 60 to 70 percentile -- people were clicking on the link," said Robinson, security architecture and strategy officer at the San Diego-based company. Of those who clicked, 80 percent proceeded to obediently type in their log-in credentials, which is the kind of information that could allow a hacker to break into a corporate network and steal critical data.
Even more alarming? These folks sell cyber-security products for a living.
As businesses spend billions every year to shore up their cyber defenses against sophisticated hackers, many companies are realizing that relatively unsophisticated attacks can still be the biggest risk when they're targeting what's often the weakest link: the employees.
Read more from the New World of Risk Special Report:
Fortunately for Websense, the e-mail was part of a training program from PhishMe. The workers got off easy, ending up only having to read a Web page and watch a short video on how to spot the harmful e-mails. But the employees' responses to the message show that the most robust hardware and software defenses can be undermined by exploiting the credulity of humans.
"We wanted to show people that we are vulnerable," Robinson said. Following a year of ongoing training, now only about 30 percent of salespeople open questionable e-mails, he said.
Who’s a Target?
Phishing e-mails are phony messages disguised to look like real ones from acquaintances, companies or banks. They have been around for more than a decade and have affected everyone from rank-and-file workers to executives. Coca-Cola, the Commodity Futures Trading Commission and even the White House have been hit by these attacks.
The threat is growing -- the total number of phishing attacks rose 59 percent last year, past 445,000, resulting in losses reaching $1.5 billion, according to a report by EMC Corp. For companies large and small, the risk is having their technology blueprints, business plans, pricing documents, partnership agreements, contact lists and other internal data falling into the hands of rivals. The attacks could be instigated by competitors or originate from hackers who sell stolen data on the black market.
They could also be state-sponsored. In 2011, Google said it discovered an attempt to steal passwords from Gmail users that may have originated in China.
For years now, companies have bought a variety of security software, hardware and services, expected to be a $67.2 billion market this year, according to Gartner. But while these tools block many phishing attempts, some harmful e-mails still slip through, largely because just as new defenses go up, hackers invent new ways to get around them.
No. 1 Threat
"It's an arms race," said Rod Rasmussen, a leading phishing expert and co-founder of IID, a security company. "We are just seeing more kinds of attacks coming from different angles."
As a result, phishing is seen by many as the biggest threat to company security today.
"In my estimation, it's the single greatest thing out there that fraudsters try to do," said Kim Jenny, risk and performance management officer at Pinnacle Financial Partners. "The truth of the matter is we believe it's the No. 1 job out there."
The Mobile, Social Factor
The new emphasis on training workers to avoid phishing traps is a nod toward changing times, as employees use their own, less-secure mobile devices for work applications such as e-mail. Meanwhile, those who use sites such as Facebook, LinkedIn and Twitter may be publicizing personal information that hackers can use to concoct convincing phishing e-mails.
"The classic technology-based controls have become less effective," said Andrew Walls, a research vice president at Gartner. "We need to focus on the behavior of employees."
Enter companies such as PhishMe, Wombat Security Technologies, Apozy and ThreatSim. They offer a variety of employee training programs, including re-enactments of real phishing threats, cartoonish games and Jeopardy-style quizzes.
"There are millions of products from companies, but there's a gap in human security," said Rick Deacon, CEO of Apozy.
Only about 15 to 20 percent of large companies currently offer anti-phishing simulations, estimated Rohyt Belani, CEO of PhishMe. But he said the market is picking up speed, which is reflected in his company’s forecast of a 100 percent increase in sales this year.
"Adoption rates are accelerating, but it's still the early days," he said.
The anti-phishing training typically lets the company pick the type of simulation to send out, such as e-mails asking recipients to pick up a UPS package (which requires them to provide identifying information), reset a password or open an Excel spreadsheet with a list of company employees up for promotion. The services then provide training to those workers who failed the test by clicking on the e-mails and the enclosed links.
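As an added illustration of the mechanics behind such a simulation, and of the funnel Robinson measured at Websense (who clicked, and who went on to type credentials), the following is example code written for this edit, not PhishMe's, Wombat's, Apozy's or ThreatSim's software. It assumes a hypothetical landing page at bonus-lookup.example whose access log records a GET of /lure as a click and a POST to /lure/login as a credential submission; the campaign id, secret, recipient names and log lines are all constructed for the example. Each recipient gets a unique HMAC-derived token in the lure link so events can be attributed to a person without the token being guessable, and the tracker records only that a submission happened, never what was typed into the password field.

```python
"""Minimal phishing-simulation tracker (illustration written for this edit;
not the code of any vendor named in the article). Recipients get a lure
link carrying a per-person token, the landing page logs clicks and form
submissions, and the report lists who gets the follow-up training."""
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Per-campaign secret (constructed). Tokens are HMACs so one recipient cannot
# guess a colleague's token, and a forged token maps to nobody.
CAMPAIGN_ID = "bonus-2013-q1"
CAMPAIGN_SECRET = b"constructed-secret-do-not-reuse"


def make_token(recipient: str) -> str:
    """Opaque per-recipient tracking token embedded in the lure URL."""
    msg = f"{CAMPAIGN_ID}:{recipient}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def lure_url(recipient: str, base: str = "https://bonus-lookup.example/lure") -> str:
    """The link placed in the simulated e-mail (hypothetical host)."""
    return f"{base}?t={make_token(recipient)}"


def parse_events(log_lines, recipients):
    """Map landing-page access-log lines back to recipients.

    Returns {recipient: set(events)}: "click" when the lure page was loaded,
    "submit" when credentials were POSTed to the fake login form. Only the
    fact of a submission is kept; the simulator must never store passwords.
    """
    by_token = {make_token(r): r for r in recipients}
    events = {r: set() for r in recipients}
    for line in log_lines:
        # Constructed log format: "<ip> <METHOD> <path-with-query> <status>"
        parts = line.split()
        if len(parts) != 4:
            continue
        _ip, method, target, _status = parts
        url = urlparse(target)
        token = parse_qs(url.query).get("t", [None])[0]
        recipient = by_token.get(token)
        if recipient is None:
            continue  # no or forged token, e.g. a scanner probing the page
        if method == "GET" and url.path == "/lure":
            events[recipient].add("click")
        elif method == "POST" and url.path == "/lure/login":
            # A submission implies the page was loaded; count both.
            events[recipient].update({"click", "submit"})
    return events


def campaign_report(events):
    """Click rate over all recipients, submission rate among clickers, and
    the sorted list of people to enroll in the follow-up training."""
    total = len(events)
    clicked = [r for r, e in events.items() if "click" in e]
    submitted = [r for r, e in events.items() if "submit" in e]
    return {
        "click_rate": len(clicked) / total if total else 0.0,
        "submit_rate_of_clickers": len(submitted) / len(clicked) if clicked else 0.0,
        "needs_training": sorted(clicked),
    }


# Constructed sample: five recipients and the landing page's access log.
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_LOG = [
    f"10.0.0.5 GET /lure?t={make_token('alice')} 200",
    f"10.0.0.5 POST /lure/login?t={make_token('alice')} 302",
    f"10.0.0.9 GET /lure?t={make_token('bob')} 200",
    f"10.0.0.9 GET /lure?t={make_token('bob')} 200",   # reload, counted once
    f"10.0.0.12 GET /lure?t={make_token('carol')} 200",
    f"10.0.0.12 POST /lure/login?t={make_token('carol')} 302",
    "203.0.113.7 GET /lure?t=0000000000000000 200",      # forged token, ignored
    "203.0.113.7 GET /robots.txt 404",                   # no token, ignored
]

if __name__ == "__main__":
    report = campaign_report(parse_events(SAMPLE_LOG, RECIPIENTS))
    print(report)  # click rate 0.6, two of the three clickers submitted
```

One caveat for anyone running this for real: mail-security gateways and link-preview features fetch URLs before a human ever sees the message, so a production tracker also has to discount those automated fetches (by user agent, source address or timing), which this sample deliberately leaves out.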
Big Boss, Big Target
The phishing simulation e-mails are often sent throughout the year to keep employees on their toes, and can include executives, who make attractive targets because of their access to company data.
Last year, Bloomberg News reported how an executive at Coca-Cola fell for a phishing e-mail purporting to come from the CEO and containing broken English in the subject line: “Save power is save money! (from CEO).” By clicking on a harmful link in the message, the executive allowed hackers to burrow into Coca-Cola’s network and seek information about a big upcoming acquisition of a Chinese firm, a deal that later fell apart.
Wombat, which serves millions of users each year, charges between a few dollars and $75 per employee, depending on the product and the company's size. PhishMe's licenses for small businesses with 200 or fewer employees start at about $10,000, according to the company. ThreatSim charges between $1 and $18 per user, depending on the number of workers.
Wombat CEO Joe Ferrara said many clients see a more than 80 percent reduction in susceptibility of their employees to phishing attacks after the training. The company was founded in 2008 by three faculty members at Carnegie Mellon University who lead the nation's largest research project on combatting phishing attacks with training and other methods.
The ongoing threat simulation approach stands in contrast with the annual anti-phishing seminars of the past.
"Historically, security-awareness training is done once a year, it's very boring," said Jeff LoSapio, CEO of ThreatSim, which counts General Dynamics as a customer. "It had little to no impact on employee behavior. The type of training here is for people who've done something bad. It's a teaching moment."