By Russ Cohen
As a former “white hat hacker” helping businesses improve cybersecurity by illuminating areas of vulnerability, one of the more creative aspects of my job was crafting a convincing phishing attack. The objective was to construct an email that looked like it came from a reputable business partner, important customer, or senior executive, but with the malicious intent of enticing the unsuspecting recipient to unlock the door leading into the company’s internal network. Once we opened this door, the organization had a line of sight into how to improve its anti-phishing practices.
The stakes are high, given the nefarious intent of bad actors to disrupt ongoing business operations for financial gain, steal proprietary data such as engineering designs and blueprints, and bring down several organizations at once—creating global chaos. In many cyber-attacks, phishing served as an effective door opener, accounting for 32% of all confirmed data breaches in 2018, according to the Verizon 2019 Data Breach Investigations Report.
As a major cyber risk insurer that helps our insureds find and retain various third-party cybersecurity service providers, we are in an opportune position to add our voice to this chorus in affirming the validity of these findings. The Chubb Cyber Index℠, which tallies cyber-related insurance claims filed by our policyholders, indicates (as of this moment) that the records of 593,225,691 of our insureds have been exposed during the past 20 years. It’s not surprising that during the past three years, social threats, which include phishing, have been a top action causing cyber incidents. In just 2019 alone, for example, social threats accounted for 31% of actions that caused a cyber incident, versus 20% for human error and 18% for hacking, according to Chubb data.
Human Behaviors and Other Frailties
Phishing is often used as a primary attack method because it is relatively easy to create legitimate-looking emails and texts and to send those messages to trusting, unsuspecting recipients. To paraphrase bank robber Willie Sutton, who robbed banks because “that’s where the money was,” hackers deploy phishing scams because that’s where the “phish” is—“phish” referring to individuals who take the bait and believe that a fraudulent email or text is legitimate.
With regard to texts, a growing number of studies indicate that phishing also occurs, and is growing rapidly, on mobile devices. Many people place more trust in the validity of texts than in emails. The problem is that mobile devices, such as smartphones, are generally connected outside company firewalls and lack endpoint security.
It’s easy to blame everyday people for phishing’s alarming success rate, but the truth is more nuanced. Companies, and in particular their information security organizations, bear the burden of responsibly training employees, not just to identify a possible phishing attack, but also to report any potential evidence immediately. Simply deleting a suspicious email will not thwart the next phishing attack or do much to curtail this preferred hacking practice.
Incident reporting is a crucial component of cyber risk management. Our analysis of recent cyber-related claims indicates that nearly 40% of policyholders who called our hotline to report evidence of a cyber event, like phishing, ultimately were able to avoid additional losses when they filed a claim. This is because these insureds activated the available third-party incident response services to counter the situation and mitigate the outcome.
To help our customers reduce their exposure to losses stemming from a cyber-related incident, we maintain relationships with more than a dozen service partners. These cybersecurity experts assist our clients with cyber risk management, emergency data breach response services, and post-breach risk mitigation. The more cyber support an organization can access to recognize suspicious activity, such as phishing, and get assistance as soon as possible, the less likely it is to endure a significant interruption in business causing potentially dire reputational damage or financial losses.
Undoubtedly, the first line of defense against phishing and other social engineering attacks is to educate employees via workshops, seminars, and one-on-one training. Employees have an individual responsibility to recognize and report suspicious activities. Phishing simulations—authorized “pretend” phishing attacks performed on a company’s behalf, but unknown to employees—are an effective way for companies to understand and measure the effectiveness of their cyber risk education programs.
Other proactive defense measures include thinking as if you are a hacker. So-called “white hat hackers” know that in a spear phishing attack that targets an individual, the hacker will do everything possible to paint a profile of the target to build the most convincing phishing campaign. In this scenario, a hacker will delve into an individual’s social media comments and photographs to learn where they shop, what they buy, and the names of work colleagues, especially superiors. By subsequently performing an authorized spear phishing simulation against an unsuspecting employee who thinks that their role would not make them a target, everyone has a better appreciation for the fact that anybody can be a target.
With regard to the first line of offense, it is essential for companies to provide employees with a single point of contact, such as a phone number or email address, to report cyber incidents requiring urgent attention. Something so simple has enormous value to a company’s IT security operations and incident response teams—whose days are usually spent searching networks and systems for suspicious activities. Having a single point of contact for employees helps narrow this search, freeing security professionals to focus on incident response actions.
It’s also important for all businesses to stress that a hotline is not just a tool for reporting evidence of possible phishing attempts—it is critical that employees use it to report when they are duped by phishing scams. This way, the individual is not penalized for the error and security teams have advance notice in order to respond to the cyber incident and contain any potential damage.
Everybody makes mistakes when it comes to phishing, even executives. Ensuring all employees realize they can be scammed and that they should report their mistakes is crucial in mobilizing an effective response.
About the Author
Russ Cohen serves as Chubb’s Vice President of Cyber Services, managing all policyholder services associated with the company’s pre- and post-incident cyber services, as well as supporting innovations in underwriting, data analytics, and predictive modeling associated with enterprise cybersecurity risks.