Working as a cybersecurity warrior has its perks. We’re on the front lines of an increasingly critical and dynamic battlefield, pitting increasingly sophisticated threats against increasingly sophisticated defenses. We’re doing important work, and it can be very rewarding.
Except when it’s not. Every once in a while you just want to bang your head against a wall.
Anti-phishing is a great example. Many organizations are in the process of migrating to Office 365, and security teams are being forced to rethink how to protect users from this type of threat as email moves from behind the firewall in a controlled data center to the cloud. On the surface, there’s nothing technically savvy about most phishing attacks. They’re just an email mocked up to look and feel like a legitimate communication from a known individual or brand. A trusting user clicks on a seemingly authentic link, and presto, user credentials are compromised or malware downloads itself onto their device, eventually worming its way onto the network to infect your business systems.
The magic sauce, as it were, is in the way phishing attacks are branded. Attackers are doing their homework by researching targets on social media, message boards, media reports, and other online sources to find hyperspecific ways to manipulate human nature and emotions. They use people’s fears, their sense of urgency or curiosity, or their need for reward, validation, or an entertaining distraction.
If you dig into cybersecurity stats, you’ll find both encouraging and discouraging trends. The bad news is that 12 percent of users will open a phishing email. That’s high. The good news is that only 4 percent will click on a malicious link in a phishing email—meaning that users are getting harder to fool when they have a fake email staring at them in their inbox.
The problem is that those 4 percent of users will continue to get fooled over and over again—no matter how much anti-phishing training you provide. They’re either too trusting or too naive, or they simply don’t care. And that can be frustrating, because it takes only one click or one fake web form to infiltrate your systems. Head, meet wall.
The scary thing is that phishing attacks are getting more sophisticated and more democratized. It doesn’t take much skill or budget to craft a legitimate-looking email from Bank of America, Google, or the Humane Society of Marin County. Paste a logo here, copy some compelling text there, and add a bogus link. Virtually anyone can do that.
So, what can organizations do to protect users from themselves?
The answer is isolation. Rather than rely on users to police themselves, or trust that your threat intelligence sources will detect every phishing attempt before users have a chance to click, organizations should take a zero-trust approach to cybersecurity. All web traffic—whether it is deemed risky or not—should be fetched and executed in a safe, cloud-based environment far from users’ devices. Any damage from malware contained in a phishing link is therefore confined to the remote isolation platform, which is seamlessly integrated into a single cloud isolation gateway that delivers both web security and advanced email threat protection.
This zero-trust approach takes anti-phishing responsibility out of the hands of users. They can open any email they want and click on any link—essentially gaining unfettered access to the Internet. They can do their job without having to constantly wonder if they are one click away from being a victim.
And where does that leave you, the cybersecurity warrior fighting the good fight? You’re right where you want to be: working hard on your organization’s behalf against increasingly sophisticated opponents who are willing to do anything to fool your users into unintentionally inviting them onto your network. But now, with isolation in your arsenal, their tricks don’t matter anymore. Even if they are successful, access is shut off, and they are prevented from ever getting close to users’ endpoints.
The door has been slammed shut.
This is a Security Bloggers Network syndicated blog from Menlo Security Blog authored by Mehul Patel. Read the original post at: https://www.menlosecurity.com/blog/only-4-percent-of-users-click-on-phishing-emails.-yet-those-4-percent-never-learn