• | 8:00 am

A hacker’s remorse for her (unintended) victims

Blaming users for cyberattacks can have tremendous negative consequences. Not only on the specific individual who fell prey, but also on creating a culture of fear and mistrust.

A hacker’s remorse for her (unintended) victims
[Source photo: akinbostanci/Getty Images]

I’ve got the job I’ve always wanted, but I constantly feel guilty because of the unintended consequences. I’m a professional people hacker and get to play the role of a bad guy without the legal repercussions. Odds are, your company hired me to break in and test their systems and its employee’s readiness.

My go-to tool is phishing and other types of social engineering attacks to help businesses find weaknesses before an attacker has a chance to. The goal is to give companies a head start in defending against real-life attacks. One of my biggest fears, and an unfortunate outcome of my work, is that an employee may be fired after failing a simulated attack. It’s a long-standing approach to handling data breaches that businesses need to give up on, and it happens more often than you think.

Recent studies, such as the one conducted by Tessian, have shown that one in four employees have lost their jobs due to security breaches. Punishing employees for falling victim to phishing scams is not the solution. This type of blame game only serves to perpetuate the issue, rather than finding a more effective way to address the root causes of the problem. The reality is, phishing has been a successful form of attack for over three decades, and simply blaming employees for not being knowledgeable enough is not going to solve the problem.

Threats are growing more pervasive, and sophisticated by the day, even cybersecurity professionals fall victim. With Phishing 3.0 around the corner, it’s pivotal that businesses move beyond what feels comfortable and start embracing a new approach.

SAME PHISH, DIFFERENT HOOK

Cybercriminals have been launching phishing attacks since the early days of the internet, long before many IT and cybersecurity professionals even started their career. Over its 30-year history, phishing has undergone a significant transformation and has recently become a much more intricate and challenging threat.

In 2022, an IBM report uncovered a striking 100% increase in a specific form of phishing known as “thread hijacking.” This tactic involves hackers infiltrating an individual’s email account and impersonating them by replying to recent emails with their contacts. Sound familiar? This tactic is like the impersonation scams that have become widespread on social media, where scammers create fake profiles to deceive the profile owner’s connections. By leveraging the trust already established with that connection, the attacker strikes when defenses are down.

And ChatGPT is poised to make phishing attacks even harder to detect. In the few months since its launch, hackers have already started utilizing ChatGPT to produce more realistic-sounding emails. You can no longer simply rely on the rule that a phishing email will contain bad grammar.

It’s clear that we’re nearing a new era of “Phishing 3.0,” and unfortunately, most individuals and organizations are not prepared to defend against these increasingly sophisticated attacks. Here are three ways businesses can start to adopt a more productive strategy to combat the latest social engineering attacks.

LAUNCH 2.0, A SECURITY TRAINING PROGRAM

The fact is the workforce is not aware of the latest tactics and techniques cybercriminals are employing to infiltrate businesses. In fact, attackers are constantly innovating and finding new ways to evade detection, which is why now more than ever, employers must upskill their workforce to match the accelerated growth and sophistication of social engineering attacks.

Businesses can take a page from the cybercriminal “playbook,” when training up and preparing their workforce for the threats of today, and what’s rounding the corner. This includes helping workers understand how cybercriminals launch attacks, why they are so successful, and some of the latest tactics and techniques they are employing. By understanding why and how attackers are so successful, people can be better prepared to spot the next simulated or real phishing attack. Cybercriminals have been using psychology against us over the last 30 years, it is time to flip the script.

DEPLOY AND EVALUATE TECHNOLOGY

Education is essential, but ensuring the right technology is available and deployed to help mitigate attacks is just as important today. In 2021, our IBM study found that 67% of businesses were breached more than once. No business today is impenetrable. That’s why having the right technology in place to detect, respond and prevent an attack is so important.

But it’s not a one-time exercise. Technology should be evaluated constantly to match the pace of threats we’re facing today. Run simulations against them, and constantly test and tune based on the latest threats.

FOCUS ON THE ROOT CAUSE

To prevent incidents from happening in the future, it’s important to understand the root cause. This may involve a combination of technical, procedural, and human factors, so a comprehensive approach is necessary to identify all potential causes. To stop history from repeating itself we need to study our mistakes. Analyze all the points of failure involved in the cyberattack, not just the initial “click” or point of compromise.

Blaming users for cyberattacks can have tremendous negative consequences. Not only on the specific individual who fell prey, but also on creating a culture of fear and mistrust. Ultimately, by adopting this approach you may discourage people from reporting incidents or sharing information about potential threats, making it even more difficult for organizations to effectively prevent, detect, and respond to incidents.

That’s why it’s important that we finally put an end to the blame game and start focusing on having the right technology, training, and analysis in place to help protect employees from falling victim in the first place.

  Be in the Know. Subscribe to our Newsletters.

ABOUT THE AUTHOR

Stephanie Carruthers is the chief people hacker at IBM Security. More

More Top Stories:

FROM OUR PARTNERS

Brands That Matter
Brands That Matter