A two-pronged approach beyond an organisation’s perimeter can strengthen its cyber security, writes Carl Wearn, head of e-crime, and Nick Riley, emerging technology manager at Mimecast
Most data threats to the public sector come from attacks on people rather than on the organisations themselves, and this requires a new approach to mitigating the threat.
Figures from the Information Commissioner’s Office on UK incidents over the first half of 2020 show that within public sector organisations over 80% of reported incidents were classified as 'non-cyber'. The majority of all incidents came from inadvertent disclosure of data, and the trend has been for malicious action to be targeted at end users rather than the organisations. It’s not about ‘damage and destroy’ but obtaining personal details on people for the creation of false personas.
Probably the most valuable information an actor can obtain from an individual is a national insurance, NHS or passport number, and data thieves have become clever at deceiving people into giving up these details. They are sending emails with false domains and links to websites to persuade the public, and public sector employees, to enter information that can be abused.
Mimecast has seen the threat shift outside the perimeter towards citizens, where it requires more than traditional cyber defences, and has developed a two-pronged strategy to raise the level of protection.
One element revolves around predictive risk analysis of end users, trying to understand who is vulnerable before they make a mistake. This involves integrating an organisation’s email gateway and training platform, which helps admins to identify who could need support and to gain an understanding of risk based on both the theory and real-world behaviour. This contrasts with the situation when the two are segregated and it is not possible to cross-correlate them, which makes it harder to understand how the details of threats are changing.
This can be followed up with situation-based training so people can learn to spot potential threats and understand what they should do in response. It is better to offer this before an incident, when the user is more likely to take everything on board, rather than after, when it can be perceived as a punishment.
Our awareness training has helped to greatly increase employees’ knowledge of security issues and how to respond, helping to change an organisation’s culture towards security and making a big contribution to preventing the inadvertent disclosure of data.
The other element involves threat hunting, building an understanding of when an attack can take place beyond the organisation’s perimeter. It often occurs through emails with keywords that attract people’s attention and a similar domain, encouraging them to click on a link that takes them to a website that looks credible, then luring them into providing personal details.
This amounts to the weaponisation of the keyboard and has become more prevalent since the outbreak of Covid-19, which has made many people more susceptible to opening emails that pretend to be part of a response to the pandemic. We have seen from our email gateway that there has been a growth from 0.02% to 0.05% in clicks per user over the past six months.
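The threat-hunting element described above rests on two signals: a sender domain that resembles a trusted one, and lure keywords in the subject. The following Python is an added example of how a defender might triage email gateway log lines on those two signals; it is not Mimecast code, and the protected domains, homoglyph table, keyword list and log format are all constructed for the example.

```python
"""Triage constructed email gateway log lines for lookalike sender domains and lure keywords."""
import re

# Domains the organisation wants to protect (assumption, constructed for this example).
PROTECTED_DOMAINS = ["nhs.uk", "gov.uk", "mimecast.com"]

# Subject words that attract attention; the list is constructed, not a vendor feed.
LURE_KEYWORDS = ["covid", "pandemic", "test result", "national insurance", "passport"]

# Character substitutions commonly used to imitate a domain (constructed mapping).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Constructed log format: ISO time, from=, to=, subject="...", clicked=0/1
LOG_RE = re.compile(r'from=\S+@(\S+) .*subject="([^"]*)".*clicked=(\d)')


def normalise(label: str) -> str:
    """Fold homoglyph substitutions so 'nh5.uk' compares equal to 'nhs.uk'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short so the quadratic table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str):
    """Return (verdict, protected_domain) for a sender domain.

    legitimate: the protected domain or a true subdomain of it (mail.nhs.uk)
    embedded:   protected name used as leading labels of another domain (nhs.uk.portal.example)
    lookalike:  trailing labels within one edit of the protected name after homoglyph folding
    other:      no relation to any protected domain
    """
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    for prot in PROTECTED_DOMAINS:
        tail = ".".join(labels[-len(prot.split(".")):])
        if tail == prot:
            return "legitimate", prot
        if f".{prot}." in f".{domain}.":
            return "embedded", prot
        if levenshtein(normalise(tail), normalise(prot)) <= 1:
            return "lookalike", prot
    return "other", None


def triage(lines):
    """Parse gateway lines and attach a domain verdict, matched keywords and click flag."""
    rows = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        sender_domain, subject, clicked = m.group(1), m.group(2), m.group(3) == "1"
        verdict, prot = classify_domain(sender_domain)
        keywords = [k for k in LURE_KEYWORDS if k in subject.lower()]
        rows.append({"domain": sender_domain, "verdict": verdict, "imitates": prot,
                     "keywords": keywords, "clicked": clicked})
    return rows


def suspicious(rows):
    """Rows worth a hunter's attention: lookalike or embedded sender domains."""
    return [r for r in rows if r["verdict"] in ("lookalike", "embedded")]


# Constructed sample log lines (not real gateway output).
SAMPLE_LOG = [
    '2020-09-14T09:12:03Z from=alerts@nh5.uk to=jane@council.example subject="Your COVID test result is ready" clicked=1',
    '2020-09-14T09:15:40Z from=hr@council.example to=jane@council.example subject="Team meeting moved to 3pm" clicked=0',
    '2020-09-14T10:02:11Z from=noreply@mail.nhs.uk to=sam@council.example subject="Appointment reminder" clicked=1',
    '2020-09-14T10:30:57Z from=support@nhs.uk.login-portal.example to=sam@council.example subject="Confirm your national insurance number" clicked=0',
    '2020-09-14T11:48:22Z from=billing@mirnecast.com to=ali@council.example subject="Passport verification required" clicked=1',
]

if __name__ == "__main__":
    for r in suspicious(triage(SAMPLE_LOG)):
        print(r)
```

The homoglyph fold and the one-edit threshold are deliberately narrow: transpositions and hyphenated variants ("nhs-uk") are not caught, and the domain list should be driven by the organisation's own brands. Flagged rows with `clicked` set are the ones to follow up with the user, which is where the training element above connects.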
In response, the Mimecast Safe Phish tool combines the theory of cyber threats with real world experiences to identify the keywords and malicious domains, providing targeted threat protection that blocks staff access to dangerous URLs, and alerts on clicks that violate policy.
It also provides the information to a template for phish testing that is based on real threats, with keywords, subject lines and graphics that are more likely to attract clicks.
This combines with a record of clicks to develop risk assessment scores for individuals and the organisation. The latter can be benchmarked against other organisations, taking into account factors such as the number of users, the field in which it operates and its location. It helps to provide a deeper understanding of its people’s awareness and the strength of its defences against a threat.
All of this can feed into a proactive security culture that over time makes an organisation less of a target. The fact is that many hackers can be pretty lazy and, if you can make yourself a difficult target by blocking access to their domains and preventing people from sending emails to them, they will likely move on to another easier potential target.
Threats are always evolving and organisations can never stand still in facing up to them, but the right culture is a prerequisite and this approach can do a lot to protect against that weaponisation of the keyboard.
Learn more about the Mimecast cloud based cyber security and resilience platform at www.mimecast.com.