You don’t know what you don’t know... so who is responsible for teaching us?
I was browsing through Twitter on the weekend and a tweet by Gmail caught my attention, not because of the content of the tweet but because of the comments on it. Many people replied to Google complaining that their account had been hacked and they no longer had access to their emails.
An email compromise is a serious problem, not only for individuals but for businesses as well. The recent Australian Cyber Security Centre (ACSC) threat report stated that more than 4,600 email accounts had been compromised, costing our economy over AU$81 million.
In September 2020, an Australian hedge fund was subject to a business email compromise and forced to declare bankruptcy as a result. The email compromise involved false invoices with the company transferring AU$8.7 million to bank accounts controlled by the offenders. While the business recovered most of its funds, it suffered significant reputational damage and its main clients withdrew. This forced the hedge fund to go into receivership and resulted in its bankruptcy. This is likely Australia’s first bankruptcy case as a direct result of a cyber crime incident.
The example above made me wonder what we can do to protect Australians and their businesses from such a serious threat. I decided to put on my Six Sigma hat and apply the ‘five whys’ interrogative technique to explore the cause-and-effect relationships underlying this problem and identify ways to solve its root cause.
First – Why was the email account compromised?
Email compromise often involves cyber criminals taking over a business or personal email account using emails that get past security and technical controls, such as anti-virus programs and spam filters. These emails use different lures, such as notifying the user that their password has expired and directing them to click a link to keep their password. The link leads the user to a spoofed login page designed to harvest their credentials. These emails are called credential phishing emails.
The email account was compromised because the user received a phishing email asking them to click a malicious link, clicked it, and willingly entered the email account credentials on the spoofed page.
Second – Why did the user click on the link in the credential phishing email?
Credential phishing emails are typically crafted to trick the user into clicking on the malicious link. They can look incredibly authentic and convincing, replicating legitimate messages from trusted senders.
These emails typically include official-looking logos and disclaimers to project authority. They urge the user to click the link, often imposing a short deadline or evoking emotions such as panic, fear, hope or curiosity. In some cases, they offer something in short supply.
In all cases, these emails include a ‘call to action’ and are written to steer the user’s attention away from any sense of threat, so that the user acts on the message and falls for the credential phishing email.
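The cues described above (a link whose visible text hides a different target host, a link leading off a trusted domain, deadline language and a request involving credentials) can be turned into a simple scoring heuristic for defenders and trainers. The Python below is an added example, not code from the original post; the sample messages, the `.test` host and the trusted-domain list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Cues the post describes: a deadline or urgency, and a request involving credentials.
URGENCY = re.compile(r"\b(expire[sd]?|within \d+ hours?|immediately|suspended|"
                     r"act now|verify now|keep your password)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login|sign in|credentials)\b", re.I)

class _LinkCollector(HTMLParser):   # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    s = s.strip() if "://" in s else "https://" + s.strip()   # urlparse needs a scheme
    return (urlparse(s).hostname or "").lower()

def score_email(html_body, trusted_domains):
    """Return (score, reasons): one point per credential-phishing cue found."""
    collector = _LinkCollector()
    collector.feed(html_body)
    reasons = []
    for href, visible in collector.links:
        target = _host(href)
        if target and not any(target == d or target.endswith("." + d) for d in trusted_domains):
            reasons.append(f"link leads to untrusted host {target}")
        shown = re.search(r"[\w-]+(\.[\w-]+)+", visible)   # visible text that looks like a URL
        if shown and _host(shown.group(0)) != target:      # ...but hides a different target
            reasons.append(f"link text shows {shown.group(0)} but targets {target}")
    plain = re.sub(r"<[^>]+>", " ", html_body)
    if URGENCY.search(plain):
        reasons.append("deadline or urgency language")
    if CREDENTIALS.search(plain) and collector.links:
        reasons.append("mentions credentials and supplies a link to act on")
    return len(reasons), reasons

# Constructed sample messages, not real mail; ".test" is a reserved placeholder TLD.
PHISH = ('<p>Your Example Mail password expires within 24 hours. Click <a href="http://mail-example-login.test/verify">'
         'https://mail.example.com/account</a> to keep your password.</p>')
BENIGN = '<p>Notes: <a href="https://mail.example.com/notes">https://mail.example.com/notes</a></p>'
```

The returned reasons are the same clues a user is taught to look for, which makes the scorer useful for explaining a verdict in training material; it is a teaching heuristic, not a substitute for a mail gateway’s filtering.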
Third – Why did the user fall for the credential phishing email?
Users remain the weakest link in IT security and are considered low-hanging fruit for cyber criminals. Users fall for credential phishing emails because they don’t understand the associated risks. So, when they receive such emails, they click before thinking.
Fourth – Why aren’t the users aware of the risks associated with credential phishing emails?
Users aren’t educated about cyber security risks and are not trained to recognise such emails. We can’t expect users to work out on their own what threats exist or what to do about them. They need to be taught what the risks are, what clues indicate a threat and how to respond when they see them. This is called security education.
Security education is needed to equip users with information to protect themselves and their organisation’s assets from loss or harm. Security education is the only way to arm users with the knowledge to combat cyber security threats.
Fifth – Why were the users not trained?
People who work in big corporations attend cyber security awareness training. Thus, they are equipped with the knowledge to protect themselves and their organisations.
Think about the employees in small and medium businesses that haven’t been made aware of cyber security threats. Many companies of this size don’t conduct any cyber security awareness training for their employees.
Aside from professional life, cyber security education is not given to users as part of their education at school or university. Hence, we end up with users who easily fall for credential phishing emails and other cyber security threats that can harm individuals as well as businesses.
Root Cause Analysis
So, from the above analysis, it is clear that the root cause for the email account compromise is the lack of security education to equip users with the knowledge to understand and respond to cyber security threats.
The solution might seem obvious, and that is to give everyone cyber security education training. However, this education is not a one-time activity. Cyber security threats are continuously emerging and so continuous education is required. That’s why large corporations conduct frequent training campaigns.
However, not all people work in large corporations, nor can we force all businesses to conduct cyber security training for their employees. Cyber security education is something that needs to happen as part of everyone’s education journey. This will produce a generation able to protect Australians and their businesses from cyber threats.
Education alone is not enough. Phishing security testing is also an important step. This testing involves sending simulated phishing emails to mimic actual phishing attacks and teach users how to stay alert. These tests need to be regularly performed and included in the education system.
Security education and phishing security testing work! The results of the 2021 KnowBe4 Phishing Industry Benchmarking Report clearly show where organisations’ Phish-prone percentages started and where they ended up after at least 12 months of regular testing and security education.
The overall industry initial Phish-prone percentage was a troubling 31.4%. Fortunately, the data showed that this 31.4% could be almost halved to 16.4% within 90 days of deploying new-school security education. The one-year results show that the final Phish-prone percentage can be reduced to 4.8% on average by following these best practices.
So, if it works for companies, it can work for our nation! I would argue that cyber education needs to start as early as the first year of high school. This is important, especially with the increased use of the internet in the education process and our daily lives.
Enrolling our students in this process early will produce a generation that understands and appreciates cyber threats. So, whether they run a business in the future or work for another, they’ll be advocates for cyber education, and they’ll raise awareness of its importance.
Written by: Mouaz Alnouri