According to the Microsoft Security Intelligence Report for Second Half 2013, email was the fourth most commonly used transmission vector by malicious infection attempts on Microsoft computers during that period. This includes malware-infected emails and phishing emails.

The costs of spear phishing

Spear phishing is when attackers prepare and send out emails with very specific individuals in mind. The purpose is to convince such individuals to perform certain actions like filling out a form, clicking on a link or downloading an attachment.

A survey of 377 U.S.-based IT and IT security practitioners by Ponemon Institute in 2015 indicates that the total annual cost of phishing scams for an average-sized organisation is US$ 3.77 million. This includes the cost to contain malware, the cost of malware not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained.

But then again, what does this have to do with director Michael Bay’s franchise?

The costs of phishing

Social engineering and end-user behaviours

In 2010, U.S. Air Force airmen stationed at the Andersen airbase on the Central Pacific island of Guam received an email inviting them to appear as extras in the ‘Transformers 3’ movie which was about to shoot there. All they had to do was fill out an online application form.

The only problem is that ‘Transformers: Dark of the Moon’ had never been scheduled to shoot on Guam. The email was fake. And even though the application form asked for all kinds of sensitive information that could have been used to gain access to the airbase’s secure networks, many airmen still fell for this spear phishing scam.

Fortunately, this was just a mock attack exercise conducted by the U.S. Air Force to test how well their airmen can spot a hacking attempt. Apparently, the result was not encouraging.

The bogus email was actually so authentic and convincing that some airmen not only responded but also told their friends about it. The rumour was eventually picked up by local media. In order to clear up the confusion, the U.S. Air Force had to issue an official statement about the exercise.

Military personnel are supposed to be better trained than average corporate end-users to watch out for such malicious attempts. But the spear phishers only need to come up with the “right hook”. In this case, a chance to appear in the same blockbuster with Megan Fox proved to be too much to resist for young airmen. For spear phishers, it is more about social engineering skill than it is about technical skills.

This case highlights one frequently neglected aspect of enterprise cyber security: changing user behaviours.

The importance of investment in people in enterprise cyber security

A meta-analysis conducted in 2012 by Aberdeen Group showed a strong relationship between investments in end-user training and being the leading performers in IT Security and IT GRC (governance, risk management, and compliance).

The study, titled ‘Successful IT Security Projects Invest Not Only in Technologies but Also in People’, analysed results of 29 other IT security studies which involved more than 3,500 enterprises. On average, the top-performing enterprises in those studies were 70% more likely than the lagging performers to invest in end-user training.

Then why do organisations continue to neglect end-user security education training and awareness programs? Of all 3,500 organisations involved in the Aberdeen meta-analysis, more than half chose to invest in technologies but not in people.

The answer probably lies in the fact that it is difficult to quantify the effectiveness of such programs. Fortunately, research has demonstrated how changing user behaviours can positively affect IT security.

The aforementioned Ponemon Institute study compared the phishing email click rate of employees from 6 organisations before and after they completed a user training program, which consists of mock attacks and follow-up in-depth training. Based on the reported results, there has been an average improvement of 64%.

Aberdeen also performed a risk analysis using Monte Carlo simulation. The key finding is that, for an enterprise with 1,000 users and an annual revenue of US$200 million, investment in user awareness and training programs can reduce the likelihood that annual costs of infections related to user behaviours will exceed US$5 million by a factor of eight, from 50% to less than 6%.

Conclusion

Enterprise cyber security should be an in-depth defence system, in which technologies are properly deployed in tandem with investments in end-users awareness and training. Even the best technical controls can be compromised by the actions of a few users. As the cyber threats continue to evolve at an alarming pace, a well-trained, well-informed workforce could be the enterprises’ first line of defence.