With phishing still the preferred mode of attack for most hackers, it’s well past time to move beyond the simple email alert as the main way of telling employees not to click on suspicious emails. In this episode of CPA Conversations, Eldon Sprickerhoff, founder and chief innovation officer for eSentire, says firms and companies must consider detailed cybersecurity training for all employees.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
For many companies, the drill that takes place when a phishing email attempt occurs is common. The IT staff lets everyone know that they might see a phishing email, and everyone tries as best as possible not to click on the suspect link. But with phishing emails becoming ever more sophisticated and data security becoming ever more essential with increased digitization, it may be time to take better precautions. In today's episode of CPA Conversations, we'll talk about one of those precautions, detailed cybersecurity training for all employees, with Eldon Sprickerhoff, founder and chief innovation officer for cybersecurity company eSentire.
What would you say are the most popular current trends or ways by which hackers are attempting to gain access to organizational data? Are we still talking about phishing attacks or is there something more sophisticated?
[Sprickerhoff] The vast majority of successful attacks that we see do still come from a phishing vector. It's still the most common and the most simple, but still effective. And I think the biggest things that we're seeing are not necessarily from a sophisticated intent but the presentations themselves. So we're seeing a lot of things that, if I go back a few years, it was very obvious to even the layman that this was phishing: spelling mistakes or very poor graphics, things that were put together. They look as real as the legitimate emails that would come out from different services and different vendors.
The things that we see that are most successful across all industries so far this year are things like DocuSign, Office 365, and OneDrive. So these are broadly used both personally and in business, so when you don't have the telltale signs that obviously look boring, it makes it even easier for people to get infected.
Are there current numbers out there on how popular a target accounting firms, and I guess the accounting industry at large are, for attempted hacks? Is it a growing number and how does it rank with other industries?
[Sprickerhoff] So we are just putting together our threat alert for 2018 across industries, and last year, from raw vertical numbers of attacks we saw, accounting was number one. Right now, it looks like accounting has fallen to number two, where education is number one now. And that's good, but it's still ahead of things like construction and real estate for raw attacks that we've seen.
So I think education this year has beaten accounting only because it's broader. There are usually more students that you see that are considered a richer target of attack.
When it comes to identifying a phishing email, and as we've sort of stated here, they've become more and more sophisticated, are there standard tactics to employ or telltale signs to be found in them?
[Sprickerhoff] Because they look so much better than usual, I say you typically have to look at every inbound email with a sort of healthy dose of skepticism, especially when you see things like the three main phishing vectors that are successful these days. So for DocuSign, Office 365, and OneDrive, you basically have to follow through these four bullet points that we've seen. So you verify the origin of the document is legitimate. Verify the sender’s name and address. Verify that the service itself is used in the organization: if you're not using Office 365, then you shouldn't be giving credentials to said service. And ensure that the signature itself is expected within that email. You can't just look at it and, because the graphics line up, make the assumption that it's good.
As I stated in the intro, a lot of times people learn about a phishing attempt from their IT person. It's an email that says something along the lines of “There's a phishing email going around. Please don't click on it.” But are we at a time when, with the sophistication being where it's at, we need to have larger-scale security training so people can be a bit more proactive about it?
[Sprickerhoff] Because the threat vector is so rampant no matter what size of firm you're in, it's highly recommended that you do have some kind of training that goes around. There's nothing wrong with people warning, “Here, I've got this email that's known as phishing. Don't click on it.” Usually by the time that email goes around, it's too late and somebody already has clicked on it, whether or not they gave credentials. The sophisticated nature is there. It's not necessarily just asking for credentials. It could have malware embedded in it as well. It's important that people, again, are inoculated with skepticism when they're looking at inbound email.
A security training such as this: What would it usually entail? What are the people who go to it going to learn?
[Sprickerhoff] Typically what you'd really want from a security training is not just 30 to 50 minutes of “Don't click that, don't click this.” That's a little repetitive. What we typically would recommend is that you get a peek behind the wall and what actually happens when somebody clicks that, and get a sense for how important it is that you don't click that. That you recognize this thing and if you do click on something by accident, how do you escalate that to the IT department so you can minimize the damage. I say the attachments are meant to be opened, emails are meant to be opened. So it's not possible to completely inoculate people from this. It's simply not possible. So you try to minimize the damage.
Show people what's actually going on behind the scenes. What happens when you do click that in a controlled environment or from a video perspective so they get a better appreciation of why it's so important to not click on it, and then if something happens to be able to respond quickly. I think one of the things that we find is that there are certain industries where there is compliance paperwork that needs to be filed on an annual basis. If you can fold some of that into that same process, it can help with people recognizing that this was a problem last year, it's still a problem, and be able to move forward.
The thing that we're certainly establishing here is that these threats, they're always sort of changing and evolving. Would this be a training that would go on one time? Maybe during, say, the orientation for new hires, or does the evolving nature of these threats dictate the training should be ongoing?
[Sprickerhoff] You know, I don't think you're gonna get a lot of success with one and done, especially when the threats and the vectors inbound change on a regular basis. We've seen in the last couple of years more sort of malicious documents, sort of fake invoices and things like this that we see come up. So there is a need for updated training. Again, not just “Don't click this.” Saying “don't click this” for 30 minutes is not going to be helpful. Whether it's once or repeated. It's important that you get a sense for what kind of real threats are seen in that vertical in the company itself, and be able to well describe what should be done in a response.
If there's a group that's responsible for invoices, there should be a process that's specific for them that says this is the method by which we're going to process invoices, so they're segregated from the rest of the business. If they do get infected, it doesn't spread throughout the company.
Things like HR, which will be getting inbound documents: how do they deal with that kind of malicious document that could be coming through as well? So it's best when it's tailored. I think it's best when you have a combination of sort of online training and ideally someone who's there that's done it in person, so they can provide answers very quickly and for very specific questions that might come up. Not everybody is a cybersecurity expert. So there's the ability to ask questions in an open forum, and we find it gets a lot of valuable feedback throughout the organization.
I think the other thing to consider is having regular phishing tests that sort of test, shortly after the training happened, how much was absorbed by the people that were in attendance. Usually the first phishing test that goes on after training is pretty terrible, but with added tests that come out, you can see where the trending is toward improvement. You really never get to 0%, but the trend, you hope, will improve.
You touched on this a little bit there: you'd say the best way to present these trainings would be a combination of an in-person type training but also an online element to it as well? The in-person, as I believe you said, would be to answer some questions if people have them. Is that the best way you think it would be presented?
[Sprickerhoff] If the budget permits, it's definitely the better way. Basically the online is for the broad strokes and the in-person is for more the specific details. You know, questions that might come out.
How urgent should firms be treating this matter, do you think? Is it a problem that in general gets treated seriously enough by firms?
[Sprickerhoff] I think there's a broad feeling that it is important but not necessarily as critical as we've seen. Technology, email, attachment scanning, and things like this, there's better tech than there was five-plus years ago. But there are still bad things that get through, and ransomware is still a problem. And that's generally spread through phishing emails. There's no tech that totally fixes the problem. It's important that you keep in mind that this is something that can basically provide an internal denial of service against your company if the wrong person opens it at the wrong time.