Figuring out to defend against phishing attacks, along with how to train company workers to identify and report these ubiquitous scams was the focal point of the final panel held today at the inaugural SC Congress Atlanta.
Panelist Jim Miles, VP of infosec at PGI, informed the audience his company, though small, was investigating an unnamed email security tool.
Winn Schwartau, CEO of The Security Awareness Company, wasn't as keen on technology as he was on security awareness training. “We are not digital creatures,” he said. “Memory in the brain is a process of feedback loops.” That means, he explained, that by creating feedback loops that involve iterative processes, users can become involved now and forever in learning and staying aware. “It's a matter of influencing, competing for mindshare,” he said.
Indeed, positive feedback in phishing lessons is essential in teaching employees.
Miles pointed out that his company uses an email technology to look for malware and recognize suspicious messages. It's mostly finance people getting targeted, he observed.
But, for Schwartau, the obstacle preventing solid email security is institutional arrogance in the C-suite that is tolerated. “CEOs demand iPads without using security policies,” he said, adding that though policies might be in place, the execs skirt them with the reasoning that they need to get their work done.
“We tell people to not click on stupid stuff,” Schwartau said. “We're treating humans differently than we should be.”
Miles agreed, admitting that his company's CTO once fell for a phishing ploy, one that seemed to come from UPS. However, he said the culture has changed through continual reinforcement and some success has been achieved in preventing click-throughs.
But, just because someone didn't click today doesn't mean that they won't further down the line, Schwartau responded. “It has to be an iterative process on an ongoing basis,” he said.
And what of serial offenders? Miles said because his company is small, there hasn't been a serious problem and discipline has not been an issue. But, he said, if someone were to fall for a phishing ploy, they would get a call, likely from him.
Schwartau took a stricter approach. “Public humiliation is an effective tactic and HR should get on board,” he said, though later when an audience member questioned this, he toned it down and added that this must be done in a spirit of good fun. “Bragging rights is good too,” he added.
The consensus was that organizations must identify and avoid bad behaviors and use effective tools in stopping their employees from getting duped into clicking on a malicious link.
This could start with teaching them how to implement maximum security on their personal devices, Schwartau said.