Blog

How Humans Play a Role in Email Phishing

Written by J Stephen Kowski | Jan 14, 2022

Separating Fact from Fiction

“Yeah, I get it, but I just don't trust users; they always screw everything up,” lamented the Director of IT, while on a recent sales call featuring our dynamic contextual awareness banners. His is not a unique viewpoint. Distrust in the capabilities of non-technical employees is a common perspective among technologists and one that I admit to once sharing. However, after spending most of my life in information technology and cybersecurity, I now realize employees are a critical, necessary element of every company’s security response, especially when it comes to email phishing.

 

In this article we will explore two timely, related topics: 1) the impact of this common perception within the cybersecurity purchasing group, and 2) how employees, when enabled properly, can be assets to their companies and meaningfully participate in the fight against email phishing.

 

Where does this mistrust of the user’s viewpoint come from and what challenges does it create when purchasing a cybersecurity tool?

 

My background tells me this view emerges from the everyday technologist experience. If you aren’t familiar, most of what a technologist sees are challenges. And literally every day, someone comes to you (virtually or otherwise) and drops their latest challenge on your desk. Now, it’s your challenge to understand and resolve.

 

A portion of these challenges are legitimate technological problems from a system (or set of systems) failing. Unfortunately, a reasonably large amount of time the root problem is operator error; i.e., the end-user doesn’t know how to use the immediate system, is unfamiliar with an underlying technology, or has made a mistake leading them to conclude (incorrectly) that the technology is broken. Seeing this dynamic daily for years results in a mistrust of non-technical employees in the minds of these same technologists.

 

This has a direct impact on the purchasing process. Organizations send their top technical minds to find a technology solution in the form of a tool. We can tell you from experience, these engineers are good at what they do, they put tools through their paces, they challenge our teams daily, and ask every question from every angle imaginable, except the most critical question: “What broader strategy underlies your approach to solve the problem of email phishing?” We’ve sent tool-oriented experts off to select the best tool, not the best strategy—and therein lies the problem.

 

Any given cybersecurity tool is only part of a broader overall security strategy, so companies often end up with an incomplete solution and can’t understand why the tool isn’t solving their problem. For email phishing, the reasoning is straightforward: phishing is a human and machine problem that inherently requires a combined human and machine solution. Anything else is incomplete.

 

When adequately enabled, what impact can users have?

First, let’s define “properly enabling employees” in an email phishing context, which consists of a few things:

  1. Training employees regularly on how attackers exploit individuals and companies
  2. Providing real-time awareness information only when a suspicious situation arises
  3. Allowing employees to protect their entire organization by initiating the Security Orchestration Automation and Response (SOAR) process quickly and easily.

For the sake of this article, we will assume training has already taken place and explore the dynamic of what happens when you provide real-time awareness to employees. Our data analysis team looked at the incidents in our Community, which is where we allow companies to share anonymized threat intelligence and central to the incorporation of user influence into our platform. Over the course of 2021, ~56% of all incidents were derived from our Community, and within that data, approximately 36 to 42% of those Community incidents came from direct user influence depending on the time of year.

What’s up with this 36 to 42% range? To understand, you’ll need a few additional facts:

  1. The email phishing threat is growing over time
  2. The threat is dynamic, changing week to week or even day to day
  3. Machine-learning capabilities improve over time.

In the first quarter of the year, user reporting made up ~42% of user-derived Community incidents and in the last three months, the number was ~36%. Does this mean users are reporting less? No. What looks like a decrease is showing instead that user reporting stayed relatively flat while our machine-learning detection methods increased because the volume of email threats grows throughout the year.

Despite the increasing volume and the efficacy of our machine learning, the end-users in aggregate have an enormous impact on our community incidents and on incidents as a whole.

How accurate are these user-sourced reports? Over the last year, in reports from users, at worst, only 7.69% turned out to be safe messages. The remainder were either unwanted spam or malicious phishing messages. This input means we expect user reports to be invaluable even when our machine learning efficacy increases. Put differently, when our machine learning techniques reach 99% accuracy, the one percent of user reports will still be a significant, necessary input to fully solve the problem of email phishing.

Let’s zoom in on the impact of one employee reporting suspicious mail. In short, a single user can have an exponential impact when utilizing our platform’s strategy and tools. When a user reports a suspicious email, this triggers the SOAR process, enlisting a company’s SOC analyst or Themis, our AI-based SOC analyst, to confirm the reported mail is indeed malicious.

While the confirmation process is ongoing our system smart clusters the same or similar malicious emails across every other mailbox into one singular incident. If confirmed, we instantly quarantine every message across the entire organization, notify every user, and add this intelligence to our broader Community to start looking for the same threat. All this came from one properly trained user with a single click.

 

Many hands make light(er) work

The key takeaway is to ensure we collectively focus on finding an effective, all-encompassing strategy, not just the latest tool with the neatest features. We must also pivot our perspective away from the idea that email phishing is a technology problem for IT to resolve in isolation. We need technology but we must also remain open-minded to the idea that this is a business risk problem, one where every single member of an organization has an ownership stake.

When we view employees as an asset instead of a liability and seek solutions that allow employees to engage meaningfully in the effort to solve the problem of email phishing, we will find sustained success.

 

To learn more about IRONSCALES’ fully integrated anti-phishing and security and awareness training solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.