Warnings about spear-phishing attacks are ubiquitous in enterprise cybersecurity awareness programs. Posters line government agency hallways warning users not to click strange links. Security teams include stories in agency newsletters warning of the risks associated with email messages from unknown senders. But unfortunately, experience consistently shows that these warnings simply aren’t effective enough, and that users will still click on links in spear-phishing attack messages out of curiosity, ignorance or simple naivete.
In August 2016, German researchers used the infamous BlackHat security conference as a platform to announce the findings of a study on spear-phishing attacks. Researchers used both email and Facebook to reach out to targets using fake names that were likely to sound familiar. The message promised that if the recipient clicked a link, they would see pictures from a party the previous weekend. The results? Despite the fact that 78 percent of recipients stated in a survey that they were aware of the risks of clicking unknown links, 56 percent of email recipients and 40 percent of Facebook recipients clicked the link anyway.
Spear-Phishing Attacks Pose Danger to Entire Company
Enterprise security teams have much to learn from this study. First, the security risk posed by spear-phishing attacks is significant. One individual clicking a malicious link can single-handedly jeopardize the security of the entire organization. The results of this study show that the likelihood of a well-crafted spear-phishing message successfully generating clicks is very high. Users must understand the dangers posed by spear-phishing and view every message they receive with caution. They must also understand that visiting malicious sites endangers the entire organization and may violate corporate security policy.
Strong Security Policies and Technologies Are Crucial
The second lesson from this study is that security awareness programs can’t stand alone. A large proportion of the targeted individuals acknowledged that they knew they shouldn’t click suspicious links, but that didn’t stop them from doing so anyway. Users who clicked the link stated that they were curious about the pictures, thought they knew the sender or had indeed been to a party the previous week. Even the most effective cybersecurity awareness program can’t combat these reactions to natural coincidences. In a spear-phishing attack, adversaries attempt to play the numbers and often do so successfully.
Agencies must complement their awareness efforts with a strong corporate security policy and technologies that filter out unwanted messages and protect devices from compromise even if a user does click a suspicious link. These technologies must extend to mobile devices as well, as a June 2016 Experian study found that 58 percent of all email opens occurred on mobile phones or tablets. Agencies must understand this when building their security controls. It’s more likely that a user making the split-second decision about clicking a link is sitting on their couch watching television than using a computer in the office.
Samsung Knox provides government agencies with a multilayered approach to mobile device security. Built into Samsung’s Galaxy smartphones and tablets, Knox ensures that the integrity of the device cannot be undermined, with a secure vault for security certificates and encryption keys, and hardware-based security for remote access and wireless connections. Together, these components deliver a trusted computing environment for enterprise data. The built-in Knox platform is complemented by a number of optional security products, including Knox Workspace, a containerization solution that allows IT to separate and secure enterprise data and applications on employees’ devices.
Even if a user clicks a malicious link, the attacker won’t be able to penetrate the secure zone and gain access to sensitive information. This multilayered approach helps to mitigate the risk of spear-phishing attacks, in spite of employees’ almost uncontrollable urge to click that link.
Overall, spear-phishing attacks increased by 55 percent in 2015, with spear-phishing now the method of choice for many attackers.