None of us are immune to falling victim to a phishing attack (a tactic used to steal online user data), and this includes seasoned Cybersecurity professionals. I have had a long career, spanning decades in the IT Cybersecurity discipline. I believe I am sufficiently educated on the topic of phishing. Additionally, I would consider myself quite paranoid and careful, yet I recently failed to remain diligent. As a result, I fell victim to a simulated phishing attack. While attempting to multitask at the end of a meeting, I was quickly going through unread e-mails and mistakenly clicked on an embedded link for a purported MS Teams meeting. Upon further review of the e-mail, I immediately realized my mistake, but it was too late; I let my guard down for just an instant and that was all it took.
In my case, I was lucky because I made my mistake on an exercise. Had it been an attack from a bad actor, I would have become an enabler of the attack. This act could have potentially exposed the entire enterprise to a bad actor or to compromise.
Despite an ongoing campaign by all IT organizations to educate their users about the risk of phishing attacks, security breaches associated with phishing still make up a large percentage of all cybersecurity incidents. According to the FBI’s 2020 Internet Crime Report (IC3), phishing attacks doubled in 2020 and costs associated with phishing attacks topped a staggering 1.8 billion dollars.
Phishing is not only an effective way to launch an attack on IT security defenses, it is very popular amongst hackers and its prevalence only seems to be rising along with the increasing popularity of social media platforms. Results vary between studies, but it is estimated that 60 – 80% of IT organizations have fallen victim to some form of phishing attack within the last year.
This may sound like a broken record, as we have all been through a deluge of training on this topic for years, but this is no time to be complacent -- the problem is only getting worse.
So, what can we do about potential phishing threats? Despite their best intentions and continued efforts, IT professionals have been unable to eliminate the success of phishing attacks effectively and consistently. You may be thinking, I am just a user of IT systems, so what can I really do about it? Well, the first thing a user must do to be part of the solution is to recognize that each one of us has a responsibility as a first line of defense. Secondly, we must do our part to educate ourselves on how we can each be part of the overall defense against phishing attacks. And finally, we must all remain diligent and practice what we have learned.
There is no simple answer, but any defense of our IT systems is critically rooted in the education and ultimately the actions of the users of the systems. We all must do our part and understand that each one of us using these systems plays a critical part in ultimately defending systems from attack. We all must take our mandatory training seriously and ensure we have understood the material being presented. Ideally, we will take an interest in the topic of cybersecurity and take advantage of further educational opportunities that present themselves in both our personal and professional lives.
While using IT systems, we need to all practice what we have been taught to the best of our ability and remain vigilant. Be suspicious. Analyze every e-mail and practice extreme caution when clicking any links, opening attached files, or responding to questionable requests for information. Challenge yourselves to identify the phishing exercises and immediately report any suspicious activity regardless of its origin.
Remain vigilant everyone, we are all in this together. A chink in the armor of one is a vulnerability for us all. Our best defense is YOU.
