There’s an old proverb that says, “A chain is only as strong as its weakest link.” That phrase came from the British philosopher Thomas Reid in his Essays on the Intellectual Powers of Man, which was written back in 1785. It included this line: “In every chain of reasoning, the evidence of the last conclusion can be no greater than that of the weakest link of the chain, whatever may be the strength of the rest.” The “weakest link” referred to is, of course, figurative, and usually applies to a person or technical feature rather than the link of an actual chain.
Even though it was written back in the 18th century, that proverb is still appropriate in our modern technological world and can be applied to protecting companies from today’s biggest security threat, phishing attacks.
Verizon’s 2018 Data Breach Incidents Report indicates that over 90% of breaches start with a phishing attack. It’s the vehicle of choice for hackers and the biggest threat to businesses of all sizes and locations. Phishing is an easy, profitable, and cost-effective way for hackers to enter corporate networks, providing access to a wealth of sensitive information and corporate funds. When developing their phishing schemes, cybercriminals typically target low-hanging fruit. The one trait most vulnerable – and the weakest link – is the imperfection of humanity. Most employees are normally not concerned with or aware of how prevalent phishing scams are unless they’ve fallen prey to them. Hackers attempt to elicit fear, curiosity, and/or a sense of urgency from employees, so that when prompted to act they will make a poor choice that negatively impacts their company and benefits the phisher.
Because humanity is the weakest link, the essence of a phishing attack is to avoid technology and target the frailties of human beings. That’s why many organizations believe it’s critical to install standard anti-phishing protection as well as educate employees to recognize and report all manner of phishing attacks. Investments in education, awareness, phishing protection, and simulated phishing attacks are typically considered a best practice to address phishing threats. While training and infrastructure programs have reduced employee susceptibility to phishing scams, they have not eliminated the threat and are not always enough to protect an organization.
During a typical day, employees can browse numerous websites and go through hundreds of emails. Even the most well-trained and observant employee can get distracted and be directed to an insecure website, click on a phishing link, or download a file containing malware. Cybercriminals use a variety of phishing techniques, including pop-ups, ads, search engines, social media, rogue browser extensions, chat apps, and web “freeware,” to attack their targets.
No matter how much education companies put into making their employees phishing savvy, or how secure a company’s IT security platform is, hackers only need to obtain a single employee’s credentials to gain access to a corporate network. Companies are only as secure as that weakest link in their user base, and organizations can no longer extensively rely upon end users to protect their networks.
Standard phishing protection relies primarily on URL inspection and domain reputation analysis, techniques which can be evaded by sophisticated hackers. These technologies fail to deliver timely and definitive phishing site detection, and threats can easily reach employees. Static threat feeds and blocking defenses can’t keep pace with fast-moving Web-based phishing threats, leaving employees increasingly exposed to previously unknown, zero-hour phishing sites.
These email and web content security solutions also take up an IT professional’s time with tasks such as creating spam rules, examining quarantines, and creating blocklists. A company’s IT security staff needs time to research probable threats and that research could take many hours, which usually results in delays to blocking malicious sites. In a world where 46,000 new phishing sites go online each day and most disappear in just 4-8 hours, time is a precious commodity.
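To make the timing argument in the two paragraphs above concrete, here is an added example (not code from the original post or from SlashNext) that models the exposure window a static blocklist leaves open. It assumes a simple pipeline in which a phishing site is only added to the feed after a research delay and the feed is pushed to enforcement points at fixed refresh intervals; the sample sites and their lifetimes are constructed values chosen within the 4-8 hour range the text cites.

```python
"""Model the protection gap a static blocklist leaves against short-lived phishing sites."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingSite:
    first_seen_h: float  # hour at which the site goes live
    lifetime_h: float    # hours until the site disappears (page cites 4-8 hours)


def block_time(site: PhishingSite, research_delay_h: float, feed_refresh_h: float) -> float:
    """Hour at which a blocklist entry actually reaches the firewall/DNS enforcement point.

    The entry is only ready after the analyst research delay, and is then held until
    the next scheduled feed push (pushes happen at multiples of feed_refresh_h).
    """
    if feed_refresh_h <= 0:
        raise ValueError("feed_refresh_h must be positive")
    ready_h = site.first_seen_h + research_delay_h
    return math.ceil(ready_h / feed_refresh_h) * feed_refresh_h


def exposure_hours(site: PhishingSite, research_delay_h: float, feed_refresh_h: float) -> float:
    """Hours the site is live and reachable before the block takes effect (capped at its lifetime)."""
    end_h = site.first_seen_h + site.lifetime_h
    blocked_at = block_time(site, research_delay_h, feed_refresh_h)
    return max(0.0, min(end_h, blocked_at) - site.first_seen_h)


def coverage_fraction(sites, research_delay_h: float, feed_refresh_h: float) -> float:
    """Fraction of total phishing-site uptime during which users were actually protected."""
    total_uptime = sum(s.lifetime_h for s in sites)
    exposed = sum(exposure_hours(s, research_delay_h, feed_refresh_h) for s in sites)
    return 1.0 - exposed / total_uptime


# Constructed sample: four sites going live at staggered hours with 4-8 hour lifetimes.
SAMPLE_SITES = [
    PhishingSite(0.0, 4.0),
    PhishingSite(0.5, 6.0),
    PhishingSite(1.25, 8.0),
    PhishingSite(3.0, 5.0),
]

if __name__ == "__main__":
    # (label, research delay in hours, feed refresh interval in hours) - assumed scenarios
    for label, delay, refresh in [("manual research, daily-ish feed", 6.0, 4.0),
                                  ("fast research, hourly feed", 2.0, 1.0),
                                  ("real-time detection", 0.0, 0.25)]:
        print(f"{label:32s} coverage={coverage_fraction(SAMPLE_SITES, delay, refresh):.1%}")
```

Lengthening the research delay or the refresh interval past a site's lifetime drives coverage toward zero, which is the gap the text describes; shortening both toward zero is what a real-time detector has to achieve.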
While it’s important to have an effective security program that keeps the network safe, employees still need to conduct business and have access to legitimate Internet tools. If standard phishing protection filtering is too aggressive it can produce multiple false positives, meaning more time spent by IT professionals on support calls and complaints. The number of false positives needs to be reduced to near-zero; otherwise standard phishing protection is not an effective cybersecurity tool.
The takeaway is that the human element, untimely standard phishing protection, and false positives are all weak links and together create a gap in phishing attack security. Whatever the strength of their education programs and standard phishing protection, organizations must close this gap with a different approach to security controls. They need to bring in new, innovative phishing protection at the network level that can detect zero-hour phishing threats in real time to better protect users and reduce the risk of breaches.
SlashNext recognizes this gap and addresses it with an entirely new kind of cloud-powered phishing detection technology that uses adaptive machine learning. Patent-pending SEER™ technology provides superior, real-time phishing site detection for zero-hour phishing threats on the Web. It definitively detects phishing sites that evade traditional URL inspection and domain reputation technologies. Phishing detection happens in seconds, and confirmed phishing URLs are instantly available for blocking by firewalls or DNS servers across a company’s entire customer base. This means no probable threats to research and near-zero false positives.
SlashNext offers the type of protection that can strengthen your weakest link and close the phishing gap in your company’s security. Request a Free Gap Analysis from SlashNext today and find out how you can take the worry out of phishing threats.