Fight the Spear Phishing Plague With a Strong Security Culture

Listen to this podcast on iTunes, Soundcloud or wherever you find your favorite content.

Last year, cybersecurity experts Paul Ferrillo and Chris Veltsos joined me to record a nine-part podcast series complementing the release of their book, “Take Back Control of Your Cybersecurity Now.” Now, Paul and Chris are back for a new series, “Deciphering Today’s Cyber Headlines,” where we talk about the latest security headlines dominating our news feeds.

IAM and Spear Phishing: Connect the Dots

To kick things off this episode, Paul and Chris remind us that identity and access management (IAM) and spear phishing are connected. When done well, IAM ensures the right people are using the right resources for the right reasons at the right time — boosting productivity and limiting cyber threats such as spear phishing. But companies continue to struggle with effective IAM and, despite education and awareness efforts, 10 percent of all spear phishing attacks still succeed.

Unfortunately, that’s not all the bad news: Spear phishing costs billions of lost hours and can lead to business email compromise (BEC). But the good news, Paul is quick to point out, is that robust email filtering systems can reduce the chance of compromise.

So, Does Security Training Help?

According to Chris, security works best when it “gets out of the way.” While users can act as effective “sensors,” companies shouldn’t dump the entire job of defense on users.

That said, both Paul and Chris advocate for thorough and frequent security training across organizations. More specifically, Paul recommends automated training tools that can deliver regular testing across multiple departments. He also speaks to the need for measurement and context. If an employee fails his or her security awareness training three times, the company should consider if that is evidence of a legitimate struggle to learn the material or an indicator that they might have a malicious insider in their midst.

Chris adds that it’s valuable to approach information security like a science experiment: Try different things, train non-tech staff and measure everything to see what works and what doesn’t.

IAM Solutions With UBA

Both Paul and Chris also recommend the use of IAM solutions that include user behavior analytics (UBA). This added security layer helps companies ensure users are who they say they are and are behaving in normal, predictable ways.

If they’re to have any chance of conquering the ongoing plague of spear phishing, companies must recognize the risk of bad actors online and own this problem in order to solve it. Veltsos puts it directly: There’s no security culture if protecting corporate data and assets is only the responsibility of a few people — everyone needs to be on board.

Ready to Learn More?

After you’ve listened to podcast on your favorite streaming service, check out the blog, “Identity Is the New Perimeter” and find out how IBM QRadar User Behavior Analytics gives users visibility into behavioral anomalies that may signal an active insider threat.

Never miss an episode! Subscribe to the SecurityIntelligence Podcast on iTunes

 

Mitch Mayne

Public Information Officer, IBM X-Force Threat Intelligence

Mitch is the Public Information Officer (PIO) for IBM Security X-Force Threat Intelligence, and is responsible for how...