Graphic of fishing lures and email symbol
Image by Carlo Taccari via Thinkstock.com

You’ve trained, warned and threatened staff not to click on suspicious email attachment, and they still do it. Employees seem dense. Even the C-suite fail tests. You think there’s no hope for them or of stopping staff from falling for phishing.

Congratulations, you’re in good company: Senior security officials at two of the country’s biggest banks think so too.

“What I’ve learned is you can’t fix stupid,” Manish Khera, director of data protection, security consulting and application security at RBC Capital Markets said Thursday at the SC Congress security conference in Toronto.

Manish Khera, RBC
Manish Khera, RBC

Some employees delete phishing email, he said, but others click and when nothing happens (because the malware is quietly downloading behind the screen) they reply to the sender, who sends another link – or the staffer forwards the message to their home.

“We have to get to a place where we are OK with stopping business processes, with breaking things for the safety of our assets and the company,” he said. “Until we get to that point I don’t think we can win this battle.”

Jeff Stark, director of cyber security at CIBC, agreed. “It’s not the end of the world (to briefly delay messages), an email can be re-sent. That would go a long way to help us as security practitioners to put in solutions that actually solve the problem properly instead of weakening our security controls.”

Jeff Stark, CIBC
Jeff Stark, CIBC

But he said at previous posts when he told management there could be a five minute delay for some messages that are being scanned “the business loses their minds.”

User awareness training doesn’t work, he added – in fact he thinks it should be abandoned – although later organizations should keep it up, but that he’s lost faith in its effectiveness. Stark noted that when he asks employees how they can improve training, the majority say, “’We don’t care. My job is in marketing or finance. We click. You’re the security guy: Protect me.’”

Even Khera admitted that’s his wife’s attitude.

RBC does monthly phishing tests and awareness training, Khera said, and tracks click response with some success. But he suggested some people are hopeless – he gives up on those who click on bad test email six times or more.

It’s long been known, Stark said that email, “is the best threat vector to get into an organization, and I thought this was or should have been solved many years ago, and it turns out that it’s not. And I’m still baffled about why we’re still having these discussions.”

But also he believes many IT departments aren’t performing basic message hygene, such as deleting executable attachments, or following proper procedures. That’s why the increasingly common spoofed CEO email telling a staffer to transfer money isn’t getting caught “You should never have an inbound message from your own company coming from the Internet,” Stark said.

“To me the problem has been solved, we’re just not executing properly as security practitioners.”

He went further, saying infosec pros haven’t implemented basic security across their entire stacks. Then they add more tools – which aren’t configured right – and they wonder why malware still goes through.

When one conference attendee suggested giving employees more time to let awareness training sink in, Khera agreed, but admits it will still take years. But Stark noted security awareness training has been going on for the past 20 years.

All this prompted one attendee to argue that if Stark and Khera, with their large security budgets, see things as hopeless, what hope is there for smaller companies?

They may be better off, Stark suggested. His last job was at virtual bank ING [now owned by Scotiabank], which, with 200 employees, was nimbler than CIBC’s 48,000 workforce spread around the world.

Audience members tossed out a number of possible solutions, including shaming repeat offenders. But, countered Stark, you want end users to trust and work with the security team and call in to report suspicious activity.

But he did say one training tactic he’s tried has had some impact: Deception. Stark has placed a ‘Protect your Kids Online,’ slide show on CIBC’s Lunch And Learn program. It’s voluntary, not mandatory, and while parents pick up tips aimed at their children the message also sinks in to them.

He also urged infosec pros to frame email scanning strategies in financial savings terms: Re-imaging an infected PC, for example might cost $500. Multiply that times the number of devices that have to be remediated each month and it will add up. Cutting into that saves the enterprise money.

“I tell our team we’re not just security people, we’re marketing people and we market what we need to do to executives to get the money we need. You have to be able to sell your solutions to management.”

Stark insisted that thorough scanning of email is the solution, although there may be a small price. But, he said, “if we can set the expectation that not every message is going to be delayed five minutes … then you can move forward with the solution.”

However, Kherea said technology isn’t the answer. “We have to make a risk-aware culture such that we’re all responsible” for security. “We haven’t done a good job in that.”

Asked for comment Friday morning at the Anti-Phishing Working Group’s eCrime conference in Toronto, association co-founder Peter Cassidy said CISOs have to be persistent and patient with awaremess training. He likened it to the continuing fight against smoking, which not only has taken years but the resources of governments.
“You can’t expect people to be re-programmed after decades of behaviour after one day of (awareness) training.”