Cross-posted from DigitalGov
Editor's Note: October is National Cyber Security Awareness Month, and we’d like to take this opportunity to urge our partners and colleagues to be vigilant about protecting their online systems and creating a culture of awareness. At HIV.gov, we are committed to maintaining the highest level of cybersecurity measures possible. Additional resources are provided at the bottom of this post.
On May 3, 2017, Google email users were exposed to a widespread malicious email attack disguised as Google Docs document-sharing requests. These requests were particularly convincing because, as a result of a successful phishing expedition, the emails appeared to have been sent by people who were on the receiver’s contact list. According to a Wall Street Journal article published the next day about the incident, by Robert McMillan, “Victims of the scam included journalists at CNN, the Washington Post, BuzzFeed, Vice Media and the Wall Street Journal.”
Phishing scams such as this one are not new. In fact, a similar mass attack was launched in 2014. Immediately following the 2017 attack and the one in 2014, there was heightened awareness among users of the possibility of receiving malicious emails. Articles appeared throughout the media reporting these incidents along with warnings to users to beware of such emails accompanied by tips about how to recognize and avoid similar attacks in the future. Most organizations also provide mandatory cybersecurity training for all users, at least annually.
Yet, in spite of articles, tips, and training, as time passes, users’ vigilance tends to wane. Some of the reasons for this are:
- The ubiquity of email in business and personal life;
- As users become more sophisticated, and spam email patterns become familiar, hackers respond by constantly developing new, more deceptive email attacks; and
- Cognitive biases such as fear, greed, and scarcity can make users more likely to fall victim to cyberattacks.
Familiarity Breeds Complacence
Verizon’s 2016 Data Breach Investigations Report points out that 43 percent of data breaches were social in nature—and phishing, at 93 percent, was the most common tactic used in these breaches.
The percentage of social breaches has climbed steadily since 2010. The most likely reason for this increase is that the volume of email that users send and receive has increased exponentially during the last decade. According to Rob Clyde, CEO of Adaptive Computing, “Email has been around for so long, I think many people think attacks are more likely to infiltrate their organization through some new and exotic means, not realizing that even in this day and age, email is still the most likely initial point of attack.”
Email has become such an invaluable tool that its familiarity can blind users to its potential danger.
Crooks Keep Getting Smarter
In its 2016 Threat Intelligence Report, NTT Security found that there had been a 35 percent decrease in cybersecurity attacks. According to Rob Kraus, Director, Security Research and Strategy, NTT Security, “At the same time, the intensity and sophistication of these attacks are on the rise. Hackers are shifting their strategy from widespread attacks to a more focused effort to compromise specific targets they can leverage, opening the door for more malicious and potentially lucrative actions.”
With the funding constraints faced by most government IT departments, it is particularly difficult for the government to keep up with, much less stay one step ahead of, the increasing sophistication of these attacks.
Users Are Only Human
In a study published in the Journal of the Association for Information Systems (JAIS), researchers found: “A leading cause of security breaches is a basic human vulnerability: our susceptibility to deception. Hackers exploit this vulnerability by sending phishing emails that induce users to click on malicious links that then download malware or trick the victim into revealing personal confidential information to the hacker.” These vulnerabilities include cognitive biases such as fear, greed, and scarcity. According to the researchers, “Fear increases immediate precautionary actions to protect oneself and one’s possessions”; greed “capitalizes on the lure of easy money to deceive and cheat its victims”; and scarcity “may establish a sense of urgency (or a fear of losing out) that increases the perceived value of the object.” All of these factors can lead users to make irrational choices, particularly when the choice can be made with a single mouse click.
Creating a Culture of Awareness
Clearly, human beings will always be the weakest link in an organization’s cybersecurity strategy. Therefore, it is important to focus more time and attention on strengthening the human line of defense. Government agencies need to take a multipronged approach in order to develop a culture of awareness among users.
- Regular training plays a vital role in the process; however, training should not be limited to once or even twice a year. Jerry Hutcheson, a cybersecurity consultant, recommends holding brief trainings to discuss new threats once a month. “The threat landscape isn’t static, so neither can be the organization’s response – it has to be viewed as a continuous process over time.”
- Users could benefit from real-world examples of actual case studies that can help them to recognize threatening emails at a glance. Such examples can be found through Verizon’s Data Breach Digest. When users become intimately aware of the tools and tactics used by cybercriminals, they are far less likely to fall victim to similar schemes.
- IT departments could regularly simulate phishing attacks among their users. Users who fall for these attacks should not be punished (remember, users are only human); however, successfully avoiding the attacks should be incentivized by praise, contests, or other positive rewards to build more buy-in and engagement among users.
These and many other methods could prove effective in reducing users’ susceptibility to malicious email attacks. There is no easy fix and no one-size-fits-all solution. However, it is important that agencies focus as much time and attention on building and strengthening their human cybersecurity lines of defense as they do on technology-based countermeasures.
Below is more information on National Cyber Security Awareness Month and additional resources to help your organization stay safe.
National Cyber Security Awareness Month website
Stop. Think. Connect. Toolkit with information for various audiences
Phishing awareness poster [PDF, 2.87 KB]
Online Safety Basics from Stay Safe Online
HHS information and tips for National Cyber Security Awareness Month [PDF, 269 KB]
Five Every Day Steps Towards Online Safety [PDF, 236 KB]