Don’t Blame your Team – “Just Click Here”

Today we are talking About Links.

How realistic is the advice “don’t click on that link”?

How many times in the day do you need to click on a link to do your work?

Now I am not advocating that “don’t click on that link” should be removed as part of your cyber security strategy, nor that training your team to understand and recognise a phishing email or social engineering attack be cut out too. But this should be your backstop when the technical defences you have put in place have failed to stop that malicious email.

The “Link Attack”

I am not sure that is a thing, but you get the idea. If the threat actor sends your new trainee an email with a link, what could be the consequences of clicking on it?

Credential theft

The email could spin a story that the IT Department requires them to confirm their password as part of the company security procedure – the threat actor knew they were a new start, and a good target, because you told them so on your social media. This takes them to a pretty convincing Microsoft 365 login box and from there the threat actor has stolen their credentials.

What can you do?

As part of the induction briefly explain (and put in writing) your security procedures – don’t let “IT” request your password, only allow them to reset it.
Implement a password manager and auto-completion of passwords in browsers – a good password manager should not offer up the password as the site would not be correct.
Enforce multi-factor authentication (MFA) or better still use a token/device based “passwordless” solution.

Malware

The link downloads some malware to the trainee’s computer.

It can be very difficult to defend against malware (including malicious macro code in Microsoft documents) as threat actors have become very proficient at hiding the real nature of their malware under obfuscating layers. Here are some of the obvious steps you can take:

Use a good anti-virus solution and disable the user’s ability to disable it or skip its decisions.
Restrict the folders executables can run from.
Lockdown Microsoft macros (although Microsoft now disables them by default).
Disable the mounting of .iso files.
Keep up to date with emerging threat vectors.

But you still need cyber security awarness training

Having good technical defences and policies and procedures in place for cyber security is essential in today’s threat landscape, but sometimes it just comes down to you or your team recognising that they have a phishing email and not a request to confirm your Microsft 365 password. That is where our cyber security awareness training comes in, to strengthen your technical defences.

Just don’t blame your people if they click on a link – get them to report it so steps can be taken to limit the damage. There is a link between blame and the amount of damage a cyber incident will cause.

Clive Catton MSc (Cyber Security) – by-line and other articles

References

NCSC. (2022). Telling users to ‘avoid clicking bad links’ still isn’t working. National Cyber Security Centre. Retrieved January 10, 2023, from https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working