Saturday, October 5, 2019

The weakest link in the infosec chain - Humans?

Vendor Email Compromise (VEC), Business Email Compromise (BEC), phishing attacks, whaling attacks - you name it. Everything eventually points back to humans, and we are all targeted in one way or another. It is a well-known adage in the information security domain that 'humans are the weakest link'. Our thoughts, emotions and innocence can be manipulated by an external entity in whatever way it wants. How that manipulation plays out, however, depends on many factors and on the situation at hand. Nonetheless, this does not mean we can do nothing about humans and should instead invest only in fancy gadgets - firewalls, heavy-duty appliances, spam protection/filters, endpoint protection, HIDS/HIPS and the like. Defense in depth is a good strategy; however, implementing it does not mean you are 'free from risk', it simply means you are 'shifting the risk'. At some point in time, the remaining risk is still likely to be exploited.

Say, for instance, you implemented all the fancy and hardcore devices, the endpoint protection mechanisms, everything in place to prevent or combat such attacks, and then think that you are now protected, everything is in place, everything is sorted - right? I would strongly argue that you are still not at the level of maturity needed to combat other evolving threats. The threats from Bring Your Own Device (BYOD), Bring Your Own Phone (BYOP) and Bring Your Own Personal Computer (BYOPC) still exist and are, in fact, growing rapidly. Making sure that people understand the technology they are working with, and that they follow the defined procedures, is the least any organization can do.

The attack vectors might differ - a phishing link in an email, an attachment with an embedded backdoor, a malicious app for cell phones, a QR code carrying a malicious link or attachment, drive-by download attacks, vishing, smishing - the list goes on. An attacker with malicious intent will always find a cunning way to make you perform an act that is not in your best interest. Therefore, being aware of the evolving threats, training people on the different attack vectors and, most importantly, understanding the security culture and practice is definitely a good start.

Humanity still does exist. People still care about others, they care about things, they care about their priorities, they care about the things that matter most to them, and eventually they are kind enough to fall for a lure they may not be aware of. Let us put it this way: at some point in time, you might fall for it; you might become the weakest link. What actually matters is that we all stop stating that "there is no cure for human stupidity". Let us instead focus on the fact that "stupidity" only exists because of ignorance, or illiteracy on the subject matter. Therefore, do not train your employees merely not to click on the link. Train them on how to spot it, how to spot the difference, and how malicious people operate and try to manipulate their thinking, so that they develop the awareness required to spot the difference with maturity in any given instance.

Attackers do not operate on a 9-to-5 office schedule, working five days and then taking days off. If you are training your employees just not to click on the link and expect that to protect your business, let me please remind you that you are probably playing it wrong. Do not train your employees to keep your business safe - train them to act safely and spot the differences, and they will eventually keep your business safer, even outside business hours.

PS: Thanks for taking the time to go through this post. Any thoughts, suggestions, criticisms or appreciation are highly appreciated.