A new PhishMe survey via OnePoll conducted among 1000 UK office workers shows that most people have different attitudes toward security depending on whether they are at home or at work.
“We have found that workers are not connected to protecting their corporate assets,” explains Aaron Higbee, PhishMe’s CTO. “They believe it’s the security team’s job to protect them from all outside threats, and that security products alone can protect the ‘corporate crown jewels’. However, it’s a different case when it comes to people protecting their own data on their mobile devices or home computers – our experience shows that people are far more likely to be on their guard when looking at emails at home because they have far more to lose than at work.”
The implications are far-reaching. Phishing itself can be divided into two categories: mass phishing and spear-phishing. The former is usually distributed indiscriminately by botnet spam campaigns and is more likely to be caught by company filtering systems. At home, where most users have less sophisticated security defenses, a higher percentage of mass phishing emails are quite likely to get through to the email inbox. As a result, the average user is probably more likely to see, and learn to recognize, mass phishing emails at home. Seeing them less frequently at work simply confirms the view that the security team is doing its job and protecting the user.
The second category, spear-phishing, is more targeted, better disguised and harder to recognize. It is also potentially more dangerous to the enterprise – last year Trend Micro reported that more than 90% of successful APT attacks start from a successful spear-phishing email. Because spear-phishing is more carefully crafted and aimed at specific individuals, it is both less common and more likely to get through enterprise defenses. Yet the PhishMe research indicates that workers do not consider the threat to be one they personally need to watch for.
“Spear phishing is the criminals’ preferred method of choice if they want to get inside an organization,” warns Higbee. “Some employees falsely believe that their role isn’t important enough for a hacker to attempt to spear-phish them. If the attacker’s main goal is to simply obtain access to an internal network, they won’t discriminate. Everyone is a potential target. Their methods are increasingly more sophisticated and use social media more and more to tailor-make emails that trick people into opening them.”
Spear-phishing exploits one of security’s oldest truths: the user is the weakest link. Ultimately the only defense is the user’s own security awareness. This is particularly important at work, but the rise of BYOD and remote working as a potential route into the enterprise indicates that future security may well depend upon increasing user awareness of spear-phishing both in the office and at home.