You’ve trained, warned and threatened staff not to click on suspicious email attachments, and they still do it. Employees seem dense. Even the C-suite fail tests. You think there’s no hope for them, or of stopping staff from falling for phishing.
Congratulations, you’re in good company: senior security officials at two of the country’s biggest banks think so too.
“What I’ve learned is you can’t fix stupid,” Manish Khera, director of data protection, security consulting and application security at RBC Capital Markets, said Thursday at the SC Congress security conference in Toronto.

Some employees delete phishing email, he said, but others click, and when nothing happens (because the malware is quietly downloading behind the screen) they reply to the sender, who sends another link, or the staffer forwards the message to their home.
“We have to get to a place where we are OK with stopping business processes, with breaking things for the safety of our assets and the company,” he said. “Until we get to that point I don’t think we can win this battle.”
Jeff Stark, director of cyber security at CIBC, agreed. “It’s not the end of the world (to briefly delay messages), an email can be re-sent. That would go a long way to help us as security practitioners to put in solutions that actually solve the problem properly instead of weakening our security controls.”

But he said at previous posts, when he told management there could be a five-minute delay for some messages that are being scanned, “the business loses their minds.”
User awareness training doesn’t work, he added. In fact he thinks it should be abandoned, although later he said organizations should keep it up, but that he’s lost faith in its effectiveness. Stark noted that when he asks employees how they can improve training, the majority say, “‘We don’t care. My job is in marketing or finance. We click. You’re the security guy: Protect me.’”
Even Khera admitted that’s his wife’s attitude.
RBC does monthly phishing tests and awareness training, Khera said, and tracks click response with some success. But he suggested some people are hopeless: he gives up on those who click on bad test email six times or more.
It’s long been known, Stark said, that email “is the best threat vector to get into an organization, and I thought this was or should have been solved many years ago, and it turns out that it’s not. And I’m still baffled about why we’re still having these discussions.”
He also believes many IT departments aren’t performing basic message hygiene, such as deleting executable attachments, or following proper procedures. That’s why the increasingly common spoofed CEO email telling a staffer to transfer money isn’t getting caught. “You should never have an inbound message from your own company coming from the Internet,” Stark said.
“To me the problem has been solved, we’re just not executing properly as security practitioners.”
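The two hygiene rules Stark describes, quarantining Internet-inbound mail that claims to come from the organization’s own domain and stripping executable attachments, as an added illustration that is not code from either bank; the domain, the extension list and the sample “CEO” message are constructed placeholders.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholder for the organization's own mail domain (constructed, not a real bank).
ORG_DOMAIN = "example-bank.invalid"
# Attachment extensions a gateway would drop outright (illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs",
                         ".ps1", ".msi", ".com", ".pif", ".hta"}

def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def spoofs_own_domain(msg, org_domain, inbound_from_internet):
    """Stark's rule: our own domain on a message that arrived from the Internet."""
    return inbound_from_internet and sender_domain(msg) == org_domain.lower()

def executable_attachments(msg):
    """File names of attachments whose extension is in the executable list."""
    names = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if os.path.splitext(fname)[1].lower() in EXECUTABLE_EXTENSIONS:
            names.append(fname)
    return names

def hygiene_verdict(raw, org_domain=ORG_DOMAIN, inbound_from_internet=True):
    """Return ('quarantine' | 'deliver', [reasons]) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if spoofs_own_domain(msg, org_domain, inbound_from_internet):
        reasons.append("internal sender domain on an Internet-inbound message")
    execs = executable_attachments(msg)
    if execs:
        reasons.append("executable attachment(s): " + ", ".join(execs))
    return ("quarantine" if reasons else "deliver", reasons)

def build_sample(attach_exe=True):
    """Constructed sample: a spoofed 'CEO' transfer request, optionally with an .exe."""
    m = EmailMessage()
    m["From"] = "CEO <ceo@example-bank.invalid>"
    m["To"] = "treasury@example-bank.invalid"
    m["Subject"] = "Urgent wire transfer"
    m.set_content("Please process the attached transfer instructions today.")
    if attach_exe:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename="instructions.pdf.exe")
    return m.as_string()
```

The `inbound_from_internet` flag stands in for what a real gateway knows from the receiving connection (external MTA versus the internal relay); the same message arriving internally with no executable attached is delivered.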
He went further, saying infosec pros haven’t implemented basic security across their entire stacks. Then they add more tools, which aren’t configured right, and they wonder why malware still gets through.
When one conference attendee suggested giving employees more time to let awareness training sink in, Khera agreed, but admitted it will still take years. But Stark noted security awareness training has been going on for the past 20 years.
All this prompted one attendee to argue that if Stark and Khera, with their large security budgets, see things as hopeless, what hope is there for smaller companies?
They may be better off, Stark suggested. His last job was at virtual bank ING [now owned by Scotiabank], which, with 200 employees, was nimbler than CIBC’s 48,000 workforce spread around the world.
Audience members tossed out a number of possible solutions, including shaming repeat offenders. But, countered Stark, you want end users to trust and work with the security team and call in to report suspicious activity.
But he did say one training tactic he’s tried has had some impact: deception. Stark has placed a “Protect your Kids Online” slide show on CIBC’s Lunch And Learn program. It’s voluntary, not mandatory, and while parents pick up tips aimed at their children, the message also sinks in for them.
He also urged infosec pros to frame email scanning strategies in terms of financial savings: re-imaging an infected PC, for example, might cost $500. Multiply that by the number of devices that have to be remediated each month and it adds up. Cutting into that saves the enterprise money.
“I tell our team we’re not just security people, we’re marketing people and we market what we need to do to executives to get the money we need. You have to be able to sell your solutions to management.”
Stark insisted that thorough scanning of email is the solution, although there may be a small price. But, he said, “if we can set the expectation that not every message is going to be delayed five minutes … then you can move forward with the solution.”
However, Khera said technology isn’t the answer. “We have to make a risk-aware culture such that we’re all responsible” for security. “We haven’t done a good job in that.”