The myth of human weakness in security: How to turn staff into active network defenders

In a Q&A with ZDNet, Rohyt Belani, co-founder and CEO of PhishMe, explains how employees can become a vital layer of defense for enterprise networks.
Written by Charlie Osborne, Contributing Writer

Training employees to detect phishing campaigns must become a "top priority" for enterprise executives, according to Rohyt Belani, CEO of PhishMe.

Corporate networks and systems are a constant target of cyberattacks. Hackers may be out to steal valuable data, consumer records, account credentials or trade secrets. They may also wish to simply cause damage to business systems to make a political point or to ruin a firm's reputation. The reasons for cyberattacks are endless, and unfortunately, it is now a matter of when -- not if -- a business with online operations is targeted.

Phishing campaigns are a common tactic for cybercriminals to gain an access point into corporate networks. Threat actors send a fraudulent email -- either via mass mailing or aimed at a specific target through social engineering -- which appears to be from a legitimate source, whether a bank, educational institution, payment provider or colleague.

This email then contains a malicious attachment, disguised as a seemingly innocent archive, document or .PDF file, which contains malware. Alternatively, the email may contain a link to a malicious website owned by the cybercriminal and designed to dupe victims into submitting their account details.

In the past, phishing campaigns were less believable. You may have had a long-lost relative hidden deep in the African region or you may have won the Spanish lottery -- having never set foot in Spain. However, phishing emails can now be complex, well-engineered and professionally crafted, which makes them far more difficult to detect.

If corporations wish to avoid providing a conduit for attackers to exploit, their employees must be trained adequately to detect suspicious emails and respond appropriately. This is the mantra of NY-based PhishMe, a company which specializes in training corporate employees to recognize and detect threats including phishing campaigns and fraudulent messages.

In a Q&A session with ZDNet, Rohyt Belani, co-founder and CEO of NY-based PhishMe, talked about malicious threats affecting the enterprise today, and what the future holds for today's businesses. Excerpts are below:

ZD: How important is it for the enterprise to train employees to detect phishing campaigns?

"Considering that the security industry widely agrees that around 90 percent of targeted attacks begin with a phishing email, training employees to detect phishing campaigns should be a high priority for organizations."

ZD: Your company focuses on training programs for phishing, malware and drive-by threats. What techniques does PhishMe use to improve employee understanding in cybersecurity?

"Our methodology is based on providing immersive training through periodic simulated phishing exercises. The idea is to give employees the experience of receiving a phishing email and to then provide training to users immediately if they fall for the phish. This immediate feedback reinforces the knowledge in ways that ordinary computer-based training does not and helps users retain information more effectively.
PhishMe tracks the results of each campaign a customer runs, and provides a number of data points that allow customers to make data-driven decisions about how to tailor their training programs to their specific needs.
Sending these exercises periodically allows organizations to focus on different phishing techniques and on different groups within their organization.
Once an organization's workforce is adept at recognizing phishing attacks, encouraging them to report suspected attacks can have a dramatic impact on the incident response process."
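The answer above describes running periodic simulated-phishing campaigns, tracking who fell for each one and who reported it, and using those numbers to see which groups and which individuals need more attention. The following is an added example, not PhishMe's code or data: it computes click rate and report rate per campaign and per department over a small constructed result set, flags users who clicked in every campaign they received, and measures the relative drop in susceptibility from the first campaign to the last. The record layout, the sample values and the idea of "clicked in every campaign" as the trigger for extra support are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated-phishing campaign (hypothetical schema)."""
    campaign: str     # campaign label; sorted lexically, so use a sortable form such as YYYY-MM
    user: str
    department: str
    clicked: bool     # the user fell for the simulated phish
    reported: bool    # the user reported the email to incident response


# Constructed sample results for two campaigns six months apart (not real data).
SAMPLE = [
    Result("2015-01", "alice", "finance", clicked=True,  reported=False),
    Result("2015-01", "bob",   "finance", clicked=True,  reported=False),
    Result("2015-01", "carol", "eng",     clicked=False, reported=True),
    Result("2015-01", "dave",  "eng",     clicked=True,  reported=False),
    Result("2015-07", "alice", "finance", clicked=False, reported=True),
    Result("2015-07", "bob",   "finance", clicked=True,  reported=False),
    Result("2015-07", "carol", "eng",     clicked=False, reported=True),
    Result("2015-07", "dave",  "eng",     clicked=False, reported=False),
]


def rates(results, key):
    """Group results by key(result) and return {group: (click_rate, report_rate, recipients)}."""
    clicks, reports, total = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        k = key(r)
        total[k] += 1
        clicks[k] += int(r.clicked)
        reports[k] += int(r.reported)
    return {k: (clicks[k] / total[k], reports[k] / total[k], total[k]) for k in total}


def rates_by_campaign(results):
    return rates(results, lambda r: r.campaign)


def rates_by_department(results):
    return rates(results, lambda r: r.department)


def users_needing_support(results):
    """Users who clicked in every campaign they received (assumed trigger for extra training)."""
    received, clicked = defaultdict(set), defaultdict(set)
    for r in results:
        received[r.user].add(r.campaign)
        if r.clicked:
            clicked[r.user].add(r.campaign)
    return {u for u in received if clicked[u] == received[u]}


def susceptibility_reduction(results):
    """Relative drop in click rate between the first and the last campaign label."""
    by_campaign = rates_by_campaign(results)
    labels = sorted(by_campaign)
    first, last = by_campaign[labels[0]][0], by_campaign[labels[-1]][0]
    return 0.0 if first == 0 else (first - last) / first


if __name__ == "__main__":
    for label, (click, report, n) in sorted(rates_by_campaign(SAMPLE).items()):
        print(f"{label}: {n} recipients, click rate {click:.0%}, report rate {report:.0%}")
    for dept, (click, report, n) in sorted(rates_by_department(SAMPLE).items()):
        print(f"{dept}: click rate {click:.0%}, report rate {report:.0%}")
    print("needs support:", sorted(users_needing_support(SAMPLE)))
    print(f"susceptibility reduction: {susceptibility_reduction(SAMPLE):.0%}")
```

The two numbers worth watching over successive campaigns move in opposite directions: click rate should fall while report rate rises. A department whose click rate stays flat while others improve is the natural target for the next, more focused exercise the answer mentions.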

ZD: How long does it take the average employee to learn to detect malicious threats to enterprise networks?

"On an individual level, certain employees will grasp these concepts faster than others. The metrics that PhishMe collects help organizations pinpoint which of their users are more advanced and which may need more support. On an organizational level PhishMe customers often notice improvement after just a few months, and PhishMe has been proven to reduce organizational susceptibility to phishing attacks by up to 80 percent over the course of 18 months."

ZD: In your opinion, what do today's businesses need to do to improve the security of their networks?

"While some may think that PhishMe would advocate getting rid of expensive technical solutions, I think that complementing a robust offering of technical solutions with a savvy user base trained to recognize and report suspicious emails is the best way for enterprises to improve their security.
Technical solutions can do most of the blocking and tackling, detecting known threats, while your trained workforce can act as human sensors that detect the threats that get past your technical perimeter."

ZD: Have you noticed any particular trends in the evolution of phishing campaigns?

"Over the long term, we've seen phishing emails evolve from the unsophisticated Nigerian prince scam emails to well-crafted, tailored messages that are difficult to tell apart from genuine emails.

We've seen malware become increasingly sophisticated as attackers need to circumvent increasingly sophisticated detection methods. For example, many organizations are employing sandboxing technologies, and so we've recently seen an uptick in malware designed to be resistant to sandboxing. Malware can evade sandboxing in a number of ways, including being time-released (to deploy after the sandbox has concluded its analysis) or being dependent on human interactions to execute.

One of PhishMe's researchers recently analyzed a malware sample that checked to see how many CPUs were on the system before running; if the system only had one CPU running, it assumed it was a VM and exited. Consequently, sandboxing technology would assume that this file was benign.

The best way to detect these advanced attacks is to have a user base that can recognize and report suspicious activity. The malware described above was reported to our research team by a PhishMe user. It was delivered through a Word document in a phishing email that claimed to be delivering the recipient the text of an SMS message. A user that recognizes the suspicious nature of such an email and reports it to the incident response team can help prevent such an attack from becoming a damaging breach."
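The answer above lists three ways a sample can sit quietly inside an analysis sandbox: bail out when the guest has a single CPU, delay execution until the analysis window has closed, or wait for human interaction that never comes. Each of those is a property of how the sandbox is provisioned, so a defender can audit the analysis environment for them. The code below is an added example, not PhishMe's or any vendor's tooling: it describes a sandbox profile with the three properties the answer mentions, reports which evasion class each weak setting would let through, and can build a profile from the CPU count of the machine it runs on. The profile fields, the thresholds (at least two vCPUs, at least five minutes of observation) and the finding text are assumptions made for illustration.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxProfile:
    """How an analysis guest is provisioned (hypothetical schema, assumed for this example)."""
    cpu_count: int               # vCPUs presented to the guest
    analysis_seconds: int        # how long the sample is observed before a verdict
    simulates_user_input: bool   # whether mouse/keyboard activity is generated during the run


# Assumed thresholds for the audit; tune to the sandbox product in use.
MIN_CPUS = 2
MIN_ANALYSIS_SECONDS = 300


def audit_sandbox_profile(profile: SandboxProfile) -> list:
    """Return one finding per weak setting, naming the evasion class it would let through."""
    findings = []
    if profile.cpu_count < MIN_CPUS:
        findings.append(
            "cpu_count: single-vCPU guest; a sample that exits when it sees one CPU "
            "would be scored benign"
        )
    if profile.analysis_seconds < MIN_ANALYSIS_SECONDS:
        findings.append(
            "analysis_seconds: short observation window; a time-released payload "
            "could fire after the verdict is issued"
        )
    if not profile.simulates_user_input:
        findings.append(
            "simulates_user_input: no simulated interaction; a payload that waits "
            "for human activity would never execute"
        )
    return findings


def local_profile(analysis_seconds: int, simulates_user_input: bool) -> SandboxProfile:
    """Build a profile from this host's visible CPU count (os.cpu_count may return None)."""
    return SandboxProfile(os.cpu_count() or 1, analysis_seconds, simulates_user_input)


if __name__ == "__main__":
    weak = SandboxProfile(cpu_count=1, analysis_seconds=60, simulates_user_input=False)
    for finding in audit_sandbox_profile(weak) or ["no findings"]:
        print("-", finding)
```

Running the audit against the guest image itself (via `local_profile`) is the useful check: if the guest reports a single CPU, the sample described in the answer would have exited cleanly and the sandbox verdict would have been wrong, which is exactly the gap a reporting employee closed.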

ZD: Do you agree with the idea that humans are the weakest links in the cybersecurity chain?

"No, we don't believe that humans are a weak link at all. As the above example shows, having users that can recognize and report attacks can cover the holes left in your perimeter. Our experience working with over 500 enterprises shows that users can be conditioned to detect attacks - they can actually be a strong asset to an organization's incident detection plan."

ZD: What do you believe are the most serious cyberthreats facing businesses today?

"The most serious threat to organizations today is allowing themselves to have a false sense of security. Most organizations spend large sums on the latest and greatest technologies, and while much of that technology is great, attackers will find a way to get past it. Businesses need to be constantly vigilant because attackers aren't going away."
