Companies must use both employee training and advanced technology to prevent successful email phishing attacks.
Warren Buffett, one of the richest and most respected businessmen in the world, said recently that cyberattacks are a bigger threat to humanity than nuclear weapons. From a small dam in New York to France’s presidential campaign, organizations of all sizes are increasingly being targeted by cyberattacks, and the threats will no doubt continue to proliferate in complexity, scale and frequency. In fact, the most recent major attack involved a new ransomware strain, dubbed WannaCry, which has infected tens of thousands of systems across 74 countries and counting.
One of the most common attack vectors used today is phishing, in which cybercriminals use email or other communication channels, such as SMS and social media, to trick their victims into downloading a malicious attachment or clicking on a fraudulent website as a means to obtain compromising information. Because it’s much easier to induce an employee to click on a link than it is to exploit more secure vectors, phishing now accounts for 95 percent of all successful cyberattacks worldwide.
With cybercrime replacing the drug trade as the most lucrative criminal enterprise, the cybersecurity market is booming. In fact, according to Cybersecurity Ventures, global cybersecurity spending will exceed $1 trillion cumulatively over the next five years. With the massive number of cyber defenses, strategies and services available today, the question is where organizations should really be focusing their cybersecurity budget to most effectively detect, prevent and mitigate cyberattacks.
Some organizations are choosing to invest heavily in employee awareness and training, believing the human layer is the first line of defense. Others are implementing next-gen cybersecurity technology to replace what they consider the weakest link, the human layer, making technology the first line of defense. But what most of the cybersecurity industry and many organizations don’t yet fully understand is that to truly minimize the risk of email phishing attacks, machines and humans must continuously work together.
The Problem with an Either/Or Approach
Because humans have surpassed machines as the top target for cybercriminals, organizations spend significant time and resources on education and awareness training to protect employees, customers, third-party vendors, and the corporate network from phishing attacks. This method typically expects employees to identify any suspicious emails and report them to the security team. Though the reports can be triaged based on severity, the security team still must manually analyze and respond to them in the order they are received.
When factoring in human error, the shortage of cybersecurity professionals, and the length of the manual response process, the time from identification to remediation can be up to several weeks or longer – leaving the hacker with free rein to roam the networks and steal corporate proprietary and customer information without consequence.
In addition, no matter how many training sessions an employee goes to, he or she is all but bound to open a bad email eventually. In fact, according to the most recent IBM Security Officer Assessment, “95 percent of information security incidents involve human error.” Because of the reliance on employees to report attacks, and the burden put on security teams to remediate them, organizations that rely on human intelligence as a lead defense are likely to remain a primary target for phishing attacks.
However, some forward-thinking cybersecurity companies are beginning to replace the manual remediation process with automation. By using machine learning (ML), for example, security teams can continuously accumulate information about new attacks and automate responses to learned attacks. Yet advanced technologies like ML can create a false sense of security, where organizations mistakenly believe them to be an all-encompassing solution and fail to take any additional defense measures.
In addition, ML models need constant training input, so employees will still need to intervene to identify, report and remediate new attacks that are unknown to the technology. As such, organizations must understand that they can’t just implement a new cybersecurity solution and expect it to prevent all phishing attacks on its own.
Simply put, the either/or approach to phishing mitigation will leave organizations vulnerable to modern-day phishing attacks. Employees are human, and it’s likely that one will click on one of the hundreds of phishing emails sent each day; technology, while continuously advancing in intelligence, still requires a human touch. Therefore, companies must use both employee training and advanced technology to cover their bases and more effectively prevent successful phishing attacks.
ML + Human Intelligence: The Best of Both Worlds
Through efficient and ongoing awareness and training, educated and cyber-savvy employees have the unique ability to serve as both front-line and back-line defenses. However, phishing attacks are getting harder to spot, more time-consuming to analyze and costlier to remediate.
To fill the gap, ML can supplement human intelligence by learning every employee’s mailbox individually and immediately triggering a response to irregular communications. So whether a human reports an email attack or is tricked by one, machines can start working to minimize any damage and destruction before it’s too late. By incorporating both employee training and ML into a defense-in-depth strategy, organizations can shorten the time from attack to remediation and reduce the risk of falling victim altogether.
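The machine-human loop described above can be made concrete with a small model. What follows is an added example written for this page, not code from the article or from any product it alludes to: a toy per-mailbox baseline of sender domains stands in for the "learning every employee's mailbox" the author describes, irregular mail is quarantined or flagged at delivery time, and a human report sweeps every inbox for the same sender and un-learns that domain from the baselines. All mailboxes, domains and messages are constructed; a real system would use far richer features than sender domain, Reply-To mismatch and attachment presence.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Message:
    mailbox: str              # recipient whose per-mailbox baseline applies
    from_header: str          # raw From: header value
    reply_to: str = ""        # raw Reply-To: header value, if any
    has_attachment: bool = False


@dataclass
class MailboxModel:
    """What 'normal' looks like for one mailbox: who usually writes to it."""
    sender_counts: Counter = field(default_factory=Counter)   # domain -> count
    total: int = 0


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From:/Reply-To: header."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class PhishingDefense:
    def __init__(self) -> None:
        self.models: defaultdict[str, MailboxModel] = defaultdict(MailboxModel)
        self.reported_domains: set[str] = set()   # fed by human reports
        self.delivered: list[Message] = []        # mail that reached an inbox
        self.quarantined: list[tuple[Message, list[str]]] = []

    def learn(self, msg: Message) -> None:
        """Fold a trusted message into the recipient's baseline."""
        model = self.models[msg.mailbox]
        model.sender_counts[sender_domain(msg.from_header)] += 1
        model.total += 1

    def reasons(self, msg: Message) -> list[str]:
        """Irregularities relative to this mailbox's own baseline."""
        model = self.models[msg.mailbox]
        dom = sender_domain(msg.from_header)
        unknown = model.total > 0 and model.sender_counts[dom] == 0
        found = []
        if dom in self.reported_domains:
            found.append("domain reported by a human")
        if unknown:
            found.append("sender domain never seen in this mailbox")
        reply_dom = sender_domain(msg.reply_to) if msg.reply_to else ""
        if reply_dom and reply_dom != dom:
            found.append("reply-to domain differs from sender domain")
        if unknown and msg.has_attachment:
            found.append("attachment from an unknown sender")
        return found

    def handle(self, msg: Message) -> str:
        """Machine-side decision at delivery time."""
        found = self.reasons(msg)
        if "domain reported by a human" in found or len(found) >= 2:
            self.quarantined.append((msg, found))
            return "quarantine"
        self.delivered.append(msg)
        if found:
            return "flag"            # delivered, but with a warning banner
        self.learn(msg)              # only clean mail shapes the baseline
        return "deliver"

    def human_report(self, msg: Message) -> int:
        """Human-side signal: one report sweeps every mailbox and un-learns the domain."""
        dom = sender_domain(msg.from_header)
        self.reported_domains.add(dom)
        swept = 0
        for m in list(self.delivered):
            if sender_domain(m.from_header) == dom:
                self.delivered.remove(m)
                self.quarantined.append((m, ["retroactive: domain reported by a human"]))
                swept += 1
        for model in self.models.values():
            model.total -= model.sender_counts.pop(dom, 0)
        return swept


def run_demo() -> dict:
    d = PhishingDefense()
    # Constructed history: the normal traffic each mailbox usually sees.
    for _ in range(5):
        d.learn(Message("alice@corp.example", "Boss <boss@corp.example>"))
    for _ in range(3):
        d.learn(Message("alice@corp.example", "Pat <pat@partner.example>"))
    for box in ("bob@corp.example", "carol@corp.example", "dave@corp.example"):
        for _ in range(4):
            d.learn(Message(box, "Boss <boss@corp.example>"))
    results = {}
    # Look-alike domain, mismatched Reply-To and an attachment: stopped by the machine alone.
    results["lure_alice"] = d.handle(Message(
        "alice@corp.example", "IT Support <helpdesk@c0rp-example.com>",
        reply_to="attacker@mail.example", has_attachment=True))
    # Same look-alike domain, plain message: one irregularity, so flagged but delivered.
    bob_msg = Message("bob@corp.example", "Vendor <billing@c0rp-example.com>")
    results["lure_bob"] = d.handle(bob_msg)
    results["lure_carol"] = d.handle(Message("carol@corp.example", "Vendor <billing@c0rp-example.com>"))
    results["partner_alice"] = d.handle(Message("alice@corp.example", "Pat <pat@partner.example>"))
    # Bob recognises the lure and reports it; the report also pulls Carol's copy.
    results["swept_by_report"] = d.human_report(bob_msg)
    # A later copy to Dave never reaches the inbox.
    results["lure_dave"] = d.handle(Message("dave@corp.example", "Vendor <billing@c0rp-example.com>"))
    results["quarantined_total"] = len(d.quarantined)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two halves are deliberately asymmetric: the machine acts on every message the moment it arrives, while a single human report acts retroactively across all mailboxes. Note the cold-start caveat in `reasons`: a mailbox with no history cannot call any sender unknown, which is exactly where the human report carries the load.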
Ultimately, email security will continue to prove burdensome for organizations that do not value machine-human collaboration. But given the time sensitivity and complexity of email phishing remediation, the combination of the two is the only way to make a meaningful dent in the email phishing attacks behind the majority of hacks.