A number of years ago I volunteered at a large Boston non-profit organization. As the lead architect of a financial services firm, I was able to provide them with technological solutions to a number of their challenges. I was informed that they fell victim to a phishing attack. Their breach was typical in so many ways:
- Spear phishing was used. This is the most common type of phishing, in which the key targets and the source are identified in advance. The CEO’s name was used as the sender, and the recipient was an administrator who would have the information the phisher was looking for.
- The type of information sought was personal employee information. Personal information is the most common goal of phishing.
- The organization was non-profit education/healthcare. Education and Healthcare as a group represent nearly 46% of phishing targets.
- Email was used. Email is by far the most common entry point for hackers.
- Email spoofing was the specific strategy. The impersonated sender was known to the recipient and was considerably more senior in the organization, senior enough to be intimidating to the recipient.
The damage had already been done and the organization made every attempt to mitigate the damage. Like so many organizations of all types, they became very concerned only after the assault.
According to the 11th annual Verizon Data Breach Investigations Report, 98% of breaches are achieved using email. Once attackers gain access to your network, they can load malware or ransomware, or steal data directly. The motivation for hacking is always the same: profit, and it has been very profitable. Organizations generally take the threat seriously only after the first breach.
I decided that I would research the best advice, strategies and technologies available to protect them in the future. What I found was that employee training was by far the most common strategy for identifying and preventing hackers from getting into your network. While training is important, and a conscientious, well-trained employee may spot a phishing attempt, this may not be reliable, since we are only human and our own complacency prevents us from being as vigilant as an automated system can be. There are insurance companies and law firms that advise clients to buy hacking insurance to offset not only direct financial loss but also the indirect reputational damage caused by a malicious breach. Lastly, there are tools that use artificial intelligence to examine the email address and content. They work well if a lazy hacker depends on creating mass emails with closely similar email addresses intended to fool recipients, but fail when the email is targeted and sophisticated (as most successful attempts are). Social engineering attempts are still far outside the grasp of artificial intelligence since they mirror normal human behavior. There were no total solutions.
I worked with this problem for some time until Cloudphish was born. Cloudphish allows you to identify the people and domains you need to trust. Cloudphish requires multi-factor authentication before an email is sent. When you add someone to your trusted colleagues list, Cloudphish looks to authenticate not just by using the email address but by checking that it was in fact sent by that authenticated sender. Cloudphish isn’t looking for problems; it doesn’t ask the question, "Is this email phony?" Rather, Cloudphish looks at every email and asks the question, "Is this person in your trusted network, and was this email in fact sent by that person?" It backs this analysis up with cutting-edge blockchain proof-of-authority technology.
Cloudphish is truly different and effective in informing you whether you should trust the authenticity of an email. Cloudphish allows you to build a list of who you trust and verifies them each time they send you mail. Cloudphish is priced to be an easy decision, built to be easy to manage, and doesn’t count on your employees to be superhuman.
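The trusted-list question above ("is this person in your trusted network, and was this email in fact sent by that person?") can be illustrated with standard mail headers. This is an added example, not Cloudphish's code or method: it substitutes the receiving server's DMARC verdict for Cloudphish's sender authentication, and the trusted list, server name, `classify` function and sample messages are all constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values: a trusted-colleagues list and our own mail server's id.
TRUSTED = {"jane.doe@example.org": "Jane Doe"}
OUR_AUTHSERV_ID = "mx.example.org"

def dmarc_pass(msg):
    """True only if a header written by our own server records dmarc=pass."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in str(value).split(";")]
        # The first field names the server that wrote the header; skip
        # headers from any other server, since the sender can insert those.
        if not parts[0] or parts[0][0].lower() != OUR_AUTHSERV_ID:
            continue
        if any(p and p[0].lower() == "dmarc=pass" for p in parts[1:]):
            return True
    return False

def classify(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr in TRUSTED:
        # Address is on the list: trust it only if the sending domain was verified.
        return "trusted" if dmarc_pass(msg) else "unverified-trusted-address"
    known_names = {n.casefold() for n in TRUSTED.values()}
    if " ".join(name.split()).casefold() in known_names:
        # A trusted person's name on an address that is not theirs.
        return "display-name-impersonation"
    return "not-in-trusted-list"

def sample(from_hdr, auth_results):
    """Build a constructed message carrying the two headers that matter."""
    return (f"From: {from_hdr}\nAuthentication-Results: {auth_results}\n"
            "Subject: Request\n\nPlease reply today.\n")

SAMPLES = {
    "genuine": sample("Jane Doe <jane.doe@example.org>",
                      "mx.example.org; dmarc=pass header.from=example.org"),
    "spoofed": sample("Jane Doe <jane.doe@example.org>",
                      "mx.example.org; dmarc=fail header.from=example.org"),
    "lookalike": sample('"Jane Doe" <jane.doe@freemail.example>',
                        "mx.example.org; dmarc=pass header.from=freemail.example"),
    "forged_header": sample("Jane Doe <jane.doe@example.org>",
                            "relay.freemail.example; dmarc=pass header.from=example.org"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

The check relies on the receiving server removing any inbound `Authentication-Results` header that already carries its own identifier, as RFC 8601 requires, so that only its own verdict is read.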