There’s no doubt that general awareness for cybersecurity has been on the rise in recent years. The importance of using strong passwords, for example, is now common knowledge. But one very popular and effective threat continues to fly largely under the public’s radar: phishing.
Why phishing? Researchers found that 30% of phishing messages are opened according to the 2016 Cisco Annual Security Report and adversaries know how effective a phishing campaign can be. To give you an idea of the scope of the problem, www.phishing.org reports that over 100 billion phishing e-mails cross the internet each day. They also report that about two thirds of all attacks start with a phishing campaign.
There are several reasons for these figures. All of them rely on human psychology. For the attacker, it can take days or weeks to break through the cybersecurity of an enterprise. Spend a few days building an attractive phish e-mail, spam 1 million copies of it across the Internet and in a few days you might have 120,000 hits, including stolen login credentials for thousands of businesses, personal bank accounts, who knows what they might find?
The attacker will use psychological manipulation to persuade the target to click the link. This is a real problem for organizations. Everyone should understand what the psychological buttons are that these guys are using every day. Here’s a few links that summarize what those tricks are and how the attacker will exploit them.
- Sans Institute has an archive of research papers done by students working toward technical certifications. This one is a well-organized breakdown of phishing hacks into four broad psychological categories, with a discussion of specific tactics used in each category.
- Network World offers a different breakdown of the how hackers exploit our psychology, with a tighter focus on what emotional buttons are successful in getting the reader to CLICK.
- Merchant Link breaks down the psychological buttons into 7 categories. I don’t really care if it is 4 or 5 or 7. For me, it is being aware that the buttons exist to be pushed.
In many cases, users may come up with excuses as to why they should be able to safely avoid cybersecurity issues. There is another way to approach this problem.
Encourage your users to be curious instead of fearful. Make a game of spotting phishing clues. Use some of the links I provide and others you find (google “how to spot phishing email” for a start) to learn what clues to look for to determine if an email is a phish.
I’ll wrap up with a few more links if you want to know more.
- Phishing is a form of social engineering. Turns out, there are sites focused on just that topic, like this one.
- If you’re looking to improve your organization’s email security approach, check out the resources at: cisco.com/go/emailsecurity
- You can also learn what five features your next email security solution must contain to combat threats like phishing, ransomware and business email compromise in our Email Security Buyer’s Guide.
- The US government provides many resources:
October is Cyber Security Awareness Month, and Cisco is a Champion Sponsor of this annual campaign to help people recognize the importance of cybersecurity. For the latest resources and events, visit cisco.com/go/cybersecuritymonth.
Many organizations today have a “Culture of Fear” about the network and network changes. The network is one of the most critical elements in IT, every other system relies on it for communications and to function properly, but it is seen as complex and fragile. In discussions with engineers, leaders, and executives from companies of all sizes and verticals, I have heard variations of the phrase “if it ain’t broke, don’t fix it”. Network changes are to be avoided if at all possible, and when they must occur they are subjected to rigorous, costly, and lengthy vetting. And despite this vetting, time and time again network changes are fraught with problems and unexpected impacts. The 
NetDevOps Stakeholders
