
15 lessons about phishing

Perhaps you have experienced it yourself: a test email from your IT colleagues, sent to check whether you are alert or click on everything indiscriminately. Organizations are working hard to combat phishing, and rightly so, because phishing works. In this longread we take a closer look at phishing and awareness, and we also show you how not to do it.

Insurers pay a lot of attention to phishing awareness, and not without reason. Phishing threatens the cyber security of companies; or, put differently, phishing works. That is why it is important to make people aware and to train them. But how do you go about it, and what are the pitfalls? In this longread we share the experiences of three members of the Association, with the intention of inspiring and helping others. Because 'security shared is security amplified'.

What is phishing?

Let's start at the beginning. Phishing is a commonly used term, but what is it, and what does it cost? The Digital Trust Center of the Ministry of Economic Affairs explains on a dedicated page that phishing is a form of internet fraud in which cybercriminals try to steal your personal data or passwords.

12.8 million

In 2020, the banks reported that phishing in the payment system cost no less than 12.8 million euros that year. And that figure only covers private individuals who were scammed by fake bank employees.
The total cost for companies has never been calculated, but we know from the press that the consequential damage can be high and that large ransoms are regularly paid after ransomware attacks. On top of that, companies also suffer reputational damage, downtime, and investigation and recovery costs.

Phishing does not by itself mean a ransom has to be paid, but systems are often infected with malware (malicious code) through phishing: the ransom is then demanded to undo the damage that malware has done, typically to get encrypted files and systems back.

Lesson 1

Basis must be right

All in all, phishing causes so much misery that awareness among employees is increasingly part of a broader cybersecurity approach. But everyone understands that it makes little sense to alert staff to phishing if the basics are not in order.
The very first action is therefore good password management (and, wherever possible, multi-factor authentication, so that a stolen password alone is not enough). It almost goes without saying, but go and count the people whose password is a simple sequence of digits. You will be shocked at how many there still are.

In addition, the company's email configuration must be in order: for example, sender authentication (SPF, DKIM and DMARC) so that mail that spoofs your own domain is rejected rather than delivered. And don't just think of email: SMS and WhatsApp are also channels for phishing.
Finally, patch your software in time, that is, update it to a version in which known vulnerabilities are fixed. After all, why bother your staff with all kinds of messages if you don't have the technical basics in order?

Lesson 1 is that your own technical basis must be right.
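As an added example, not part of the original longread, this is the kind of check a practitioner would run on the "email settings" mentioned above before starting an awareness campaign: does the domain's published SPF and DMARC configuration actually cause spoofed mail from your own domain to be rejected? It assumes the TXT records have already been fetched separately (for instance with `dig TXT example.com` and `dig TXT _dmarc.example.com`) and are passed in as strings; the records below are constructed for illustration.

```python
"""Assess whether a domain's SPF/DMARC records would stop spoofed 'from our own
domain' phishing mail. Added example; the record strings are constructed."""

# Constructed sample records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spf_all_qualifier(record):
    """Qualifier of the final 'all' mechanism in an SPF record:
    '-' (fail), '~' (softfail), '?' (neutral), '+' (pass) or None if absent."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the basics are in order."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None or qualifier in "+?":
        findings.append("SPF does not fail unauthorised senders (missing, +all or ?all)")
    elif qualifier == "~":
        findings.append("SPF uses ~all (softfail); you depend on DMARC to actually reject")
    if dmarc_record is None:
        findings.append("no DMARC record: receivers will not reject spoofed mail")
        return findings
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is spoofing your domain")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, assess(spf, dmarc) or "no findings")
```

Run it against your own records before sending the first test mail: if spoofing your own domain is still possible, an attacker does not even need a look-alike domain, and no amount of awareness training compensates for that.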

SMS and WhatsApp are also channels for phishing!

Lesson 2

Start at the beginning

Once the technology is in order, you can get started. Where do you start? Simply at the beginning. When new employees are hired, you can inform them about your cybersecurity approach straight away. That is also the moment to teach them the basics with a short training: for example via e-learning at a time that suits the employee, although it works even better if you involve the IT department so that new people are instructed in person. The message lands more powerfully and can be connected to the individual's own experience. You can even point out that cybersecurity awareness also comes in handy in private life: no one wants their identity or credit card details stolen.

Cybersecurity also has a private effect: no one wants their credit card stolen!

Lesson 3

Don't forget about physical safety

Cybersecurity alone is of course not enough. Good security prevents a lot, but if there is no access control at all in the office, or desks are covered in sensitive documents, things can still go wrong. So make sure employees lock their screen before leaving the office (or their desk). It is also smart to clear desks before leaving, so that USB sticks of unknown origin cannot simply be left there and plugged in. And, it goes without saying, don't just give strangers access to your building, and have employees speak to anyone they don't recognise or who behaves strangely.

This is NOT how it should be!

You may think we're exaggerating, but these are two 'real' examples of how NOT to do it:

Lesson 4

The power of repetition

We opened this longread with it: the fake phishing email. A message arrives in your mailbox, and all the IT helpdesk wants is to test you. Do you click on the wrong link? Or do you neatly report to the helpdesk that you have received a suspicious email?
The method is widely used, but what exactly should you pay attention to? One of the most important criteria is repetition. Although a one-time test is better than no test at all, the strength lies mainly in repeating it. Of course, you have to be careful not to send fake emails all the time, because then a certain fatigue sets in, but above all, keep explaining why awareness is so important.
Also make sure the explanation does not come only from the IT department, but also from (senior) management. Good awareness is a shared responsibility.

Keep explaining why awareness is so important!

Lesson 5

Provide variety

Repetition quickly gets boring, so make sure there is some variety. For example, tie in with the year-end performance review to tempt people to click, or use the name of a board member or manager as the sender in a spoofed email address.
During the corona pandemic, phishing emails circulated that lured people into clicking with the suggestion that they might be infected. The message 'your mailbox is almost full' is another reliable way to get people to take action.

Need more creativity? During the Month of Cyber Security, one insurer set up a competition among its staff. The assignment: write the best phishing email. The winning email (see the box for an example) was, of course, used in a subsequent campaign.

The real gain, however, lies in asking staff to put themselves in the shoes of an attacker. That puts the message across in yet another way.

Reminder: Set up your two-factor authentication once now for using SharePoint

Dear colleague,
In August 2022 we asked you, in earlier announcements, to set up two-factor authentication for identification when using SharePoint. We see that this has not yet happened. You can set up the verification easily and securely via our intranet page. In any case, do this before November 1, 2022. The extra verification step must be set up in connection with information security.



Please note: this button can only be used by the recipient of the email.

What happens if you don't set up two-factor authentication?
If your two-factor authentication isn't set up, SharePoint for the intranet and for the business documents that are relevant to you may no longer be directly accessible after November 1. This can have major consequences for the work you are doing at that moment. Especially if the Service Desk is overloaded by these requests. Of course, we want to prevent this. Thanks for your cooperation.

SharePoint team

'Your mailbox is full' always encourages action!

Lesson 6

Share the results

It is interesting and relevant to share the results. For example, you can boost motivation by letting people know which departments or groups are doing better than average.
However, if that information leaks, it is also useful to malicious parties: it tells an attacker where to aim. Therefore, share the information at a level of abstraction at which it cannot be misused.
You may be able to share more detail with certain groups (board/management, etc.), but individual feedback is always welcome. Tell people who clicked on a wrong link straight away how they could have recognised the phishing email.

Always tell people what they did wrong!

Lesson 7

Pick up the phone

Another obvious point: also pick up the phone. If an attacker really wants to get in, he or she does not only send generic phishing messages, but also tries to 'get in' through a telephone conversation.
Of course, you can stage this too, by having someone call a helpdesk or call centre. Then you can test whether it is possible to trick someone into revealing a password or clicking on a wrong link.

In this case we speak of vishing (voice phishing), which, like phishing by email, is a form of social engineering.

A hacker doesn't just send generic phishing messages!

Lesson 8

Stay alert to psychology

Although testing for phishing, by email or by phone, is wise, it can also go wrong. An employee who does click on the wrong link may feel guilty about it. So be aware of psychological effects and the experience of failure.

For example, a tester once managed to get a call centre employee to reveal confidential data. She was not told immediately after the conversation that it had been an exercise, because the test was still ongoing: the testers also wanted to know whether the employee would report the incident afterwards. The employee had the feeling that something was not quite right, but she did not report it straight away. She did discuss the incident with her partner that evening. It kept her awake that night, and she did not contact the IT department until the next day. It ended well for her, but be aware of these kinds of effects, and set up the process so that the chance of this happening is minimal.

Pay attention to the psyche of the employees!

Lesson 9

Stay away from private mail

Of course, an employer is not allowed to snoop in the private email of employees. However, in a successful test attack, data may be extracted from an employee that could also be used to gain access to their private mail. This can raise fears among staff that their private messages are not safe. It is therefore important to make crystal clear in advance that private mail is off limits for the exercise.

In addition, it is important that the board/management is behind the exercise. In case of doubt, it may be wise to ask the Works Council for approval.

Lesson 10

Measure the effects

If you measure the effects of a phishing campaign, and therefore know them, you can build on them in the next campaign. For example, departments that are doing 'poorly' can be given information more often, and employees who keep clicking on wrong links despite repeated interventions can be asked about the reasons.

There are departments within insurers where people have to process large numbers of emails every day. That workload increases the risk, and it may be a good idea to sit down with the manager in question.

High workload can lead to a greater risk!

Lesson 11

Use a partner

An insurer's IT department can perfectly well run phishing campaigns itself, but they require a lot of time and attention. There are also parties that provide this as a service, and sometimes it is more cost-effective to work with such a party than to burden your own IT department with it.

Let a company try to get admin rights on the server!

Lesson 12

Call in a red team

The message should be clear by now: phishing awareness training is definitely useful, but a real attacker will use more means to get in. To simulate that, it can be worthwhile to ask a specialised service provider to carry out a 'red team' exercise. For example, let such a cybersecurity company try to obtain admin rights on your server.

In one case, an employee of Fox IT posed as an intern who could not manage to upload his CV to the organisation's system. After several attempts by the HR department to solve the problem, they stepped outside all the procedures. That let the attacker in, and before long he did indeed obtain admin rights on a server. All in all, it took only two weeks.

The lesson the insurer drew from this was that standard procedures are very important. As long as people stick to them, it's fine. But when in doubt, it is wiser to contact the IT department than to improvise a solution outside the procedures.

Lesson 13

Don't rely blindly on response

An attacker fights without gloves. By this we mean that however good you make your test phishing emails, an attacker can always do better, because he does not have to follow the rules. So do not rely blindly on a good response: it does not mean you are safe (at most safer than before).
As a test, a company will never draw up a phishing email claiming that director X is having an extramarital affair, or that the regulator has taken a decision about director Y. Such emails produce a high click rate, but they also damage the reputation of the company or its employees.
An attacker doesn't care about that, and has more resources than the IT department.

A hacker fights without gloves!

Lesson 14

Reports rather than clicks

More important than a low percentage of wrong clicks is a high percentage of reports of suspicious emails. A low click percentage looks nice, but it doesn't say much: maybe the phishing email just wasn't good enough.

So do not stare blindly at numbers and percentages. They help you tweak your approach, but they do not guarantee real safety. More important than making sure people never click on a wrong link is making sure they report suspicious emails and other situations quickly.
There is always someone who falls for it. But if someone else has already reported the link, you can prevent or limit the consequences of that one wrong click. So encourage people to report suspicious situations and links.
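As an added example (not code from the original longread or from any of the insurers quoted), this script works out the metrics Lessons 10 and 14 argue for from a phishing-simulation export: not just the click rate, but the report rate, how many clickers still reported afterwards, and how quickly the first report reached the helpdesk. It also applies Lesson 6 by refusing to break results down for departments too small to be shared without pointing at individuals. It assumes the simulation platform exports one event per line as `timestamp,user,department,event` with event one of `sent`, `click` or `report`; the export below is constructed.

```python
"""Phishing-campaign metrics: reports count for more than clicks.
Added example; the export format and the sample log are constructed."""
from collections import defaultdict
from datetime import datetime

MIN_GROUP_SIZE = 5  # Lesson 6: never report on a group smaller than this

# Constructed export: one campaign, eleven recipients, three departments.
SAMPLE_LOG = """\
2022-10-03T09:00:00,alice,claims,sent
2022-10-03T09:00:00,bob,claims,sent
2022-10-03T09:00:00,carol,claims,sent
2022-10-03T09:00:00,dave,claims,sent
2022-10-03T09:00:00,erin,claims,sent
2022-10-03T09:00:00,frank,finance,sent
2022-10-03T09:00:00,grace,finance,sent
2022-10-03T09:00:00,heidi,finance,sent
2022-10-03T09:00:00,ivan,finance,sent
2022-10-03T09:00:00,judy,finance,sent
2022-10-03T09:00:00,mallory,board,sent
2022-10-03T09:02:10,carol,claims,report
2022-10-03T09:03:30,bob,claims,click
2022-10-03T09:04:05,bob,claims,report
2022-10-03T09:07:00,frank,finance,click
2022-10-03T09:15:00,grace,finance,report
2022-10-03T09:40:00,mallory,board,click
"""


def parse_log(text):
    """Parse the export into time-sorted (timestamp, user, department, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dept, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, dept, event))
    events.sort(key=lambda e: e[0])
    return events


def first_events(events):
    """Per user: department plus the time of the FIRST sent/click/report event."""
    users = {}
    for ts, user, dept, event in events:
        info = users.setdefault(user, {"dept": dept})
        info.setdefault(event, ts)  # repeated clicks/reports do not count twice
    return users


def summarise(events):
    """Campaign-wide numbers; the report figures are the ones that matter."""
    users = first_events(events)
    sent = [u for u, i in users.items() if "sent" in i]
    clicked = [u for u in sent if "click" in users[u]]
    reported = [u for u in sent if "report" in users[u]]
    send_time = min(users[u]["sent"] for u in sent)
    report_times = [users[u]["report"] for u in reported]
    return {
        "sent": len(sent),
        "clicked": len(clicked),
        "reported": len(reported),
        "click_rate": round(len(clicked) / len(sent), 3),
        "report_rate": round(len(reported) / len(sent), 3),
        # clickers who still reported: the damage-limiting behaviour to reward
        "clicked_and_reported": sum(1 for u in clicked if "report" in users[u]),
        "clicked_without_reporting": sum(1 for u in clicked if "report" not in users[u]),
        # how long the helpdesk was in the dark after the first mail went out
        "seconds_to_first_report": (int((min(report_times) - send_time).total_seconds())
                                    if report_times else None),
    }


def by_department(events, min_group=MIN_GROUP_SIZE):
    """Per-department breakdown that is safe to share (Lesson 6): departments
    below min_group are folded into 'other', and 'other' is dropped too if it
    is still below the threshold, so a one-person department cannot be singled out."""
    users = first_events(events)
    groups = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for info in users.values():
        if "sent" not in info:
            continue
        g = groups[info["dept"]]
        g["sent"] += 1
        g["clicked"] += int("click" in info)
        g["reported"] += int("report" in info)
    shareable, other = {}, {"sent": 0, "clicked": 0, "reported": 0}
    for dept, g in groups.items():
        if g["sent"] >= min_group:
            shareable[dept] = dict(g)
        else:
            for key in other:
                other[key] += g[key]
    if other["sent"] >= min_group:
        shareable["other"] = other
    return shareable


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarise(evs))
    for dept, g in by_department(evs).items():
        print(dept, g)
```

On the constructed log the click rate and the report rate are identical (3 of 11), which is exactly why the click rate alone says so little: the useful signals are that the first report arrived about two minutes after sending, that one of the three clickers reported afterwards, and that two did not. The single-member 'board' department disappears from the shared breakdown rather than being exposed.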

Lesson 15

Finally

The insurance sector is also working together to improve its cyber resilience. We do this in various settings, but an important driver is the Insurance ISAC: the Information Sharing and Analysis Centre.
The ISAC has been active for years, and its members exchange security knowledge and information with each other and with important stakeholders.

The secretariat of ISAC has recently been placed with the Association. Do you see something that you think we can do better or differently as a sector? Please contact the secretary: j.schaffers@verzekeraars.nl.

All the lessons in this longread come from ISAC members. We sincerely hope they encourage others to improve their security.