Why phishing remains a critical cyber-attack vector

Spear phishing emails targeting business users are so well-crafted they should be called "laser" phishing attacks, says Microsoft's Cybersecurity Field CTO Diana Kelley.


TechRepublic's Dan Patterson sat down with Diana Kelley, Microsoft's Cybersecurity Field CTO, to discuss phishing that targets business users and how to prevent it. The following is an edited transcript of the interview.

Diana Kelley: One of the biggest threats, and it's not going to be new or shocking is, and it's still a continuous attack factor, is phishing. We as human beings, we read something, it engages us, they're writing incredibly targeted, I don't even call them spear phishing, I think of them as laser phishing now because they're so well-crafted. Phishing is still one of the biggest factors for attack and companies. So, training your people and getting the right technology in place to prevent that phishing link click from going to a bad site is one of the most important things.

It's about education, and it's education that engages and doesn't scare. We actually, at Microsoft, have a tool where you can send out phish emails to your own organization to help train them on what phishing might look like, about how targeted it may be and to help understand who might need additional help in understanding how important it is to vet what you click on, and to only click on trusted emails and to only open up things that are trusted.


Interestingly, it's a great question. Very often what the attackers do is that they get in through maybe a lower-level account. It may belong to somebody who is in a different part of the company than their actual target is. Then, what they do is they escalate their privileges, and they move from that one attacked account to try and go either up the chain to an administrator account or to a higher-level value target like a top executive.

That's actually where phishing your own company can help quite a bit, and it's not unusual that when companies are doing these phishing exercises that it's the top-level executives that do the most clicking. So that means when they've actually clicked and they see, "Oh, I did get fooled." It's much better to get fooled in a training exercise than by a real attacker. Then, once they've actually clicked they understand, maybe it's not the thinking of, "I would never click on a phish email." Now, they understand, "I see, these are really well done attacks, maybe I need a little bit of training." So engaging.


It's part of that triangle, people, process, and technology. So, you want to educate your people, put in place policies that help them understand what's acceptable and what's not. Then, technology--wherever possible--getting the technology to block out as much as possible of those malicious emails. I mean that's what we're working towards, to making sure that we can get that number as low as possible.
