Intelligent CISO Issue 10 | Page 33

PREDICTIVE INTELLIGENCE

There's a machine that stops phishing attacks. It's called the human brain

Phishing attacks remain a source of anguish for CISOs and security professionals. But those who choose to just throw technology at the problem are overlooking a vital component of their defence – the 'human firewall'. Kamel Tamimi, Principal Security Consultant, Cofense Inc, tells us more.

Until human nature changes (don't hold your breath), phishing attacks that target unwary people will be a headache. Two recent headlines show that the Middle East and Africa are not being spared.

Last November, a leading regional bank issued a customer alert about a phishing email dangling a value-added tax refund. Naturally, the email purported to come from the bank. Whose pulse wouldn't quicken at the thought of getting some money back?

The following month, Amnesty International warned of several credential phishing campaigns, likely from the same attackers, targeting Middle Eastern and North African organisations. In one campaign, the threat actors took aim at accounts on 'secure' email services like Tutanota and ProtonMail.

It would be nice if automation could solve the problem completely. But while automated systems, Machine Learning and AI can help, malicious emails are still getting past the perimeter. Just ask the regional bank and Amnesty International.

Here's what organisations tell us about the human factor

You could also ask organisations in the region and across the globe. At Cofense, we talk to them every day about effective phishing defence. Here are some of their insights on thwarting attacks on humans by empowering them with the right expertise and tools.

Let's start with the head of information security at a Middle Eastern university.
A few years ago, after large-scale attacks by nation-state actors on other regional targets, he made human-vetted phishing defence his number one priority, anchored by a rigorous phishing simulation program. When he launched the program, users – students, faculty, administrators and anyone else using the network – fell for simulated phish 55% of the time. That number has now dropped to close to 10%, with the number of users reporting bad emails up to 50%. (FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, over 16 users report a simulated phish for every user that falls susceptible.)