One of the challenges of working in an organisation as large as the University of Cambridge is sharing data safely and effectively. This challenge triggered a recent conversation about how staff are expected to differentiate legitimate University emails from phishing emails.
It’s not a trivial or facile question; due to the federated nature of the University there are potentially dozens of different addresses you might receive emails from with links to a vast range of cam.ac.uk subdomains. This puts staff in a difficult situation, where the cyber security advice they are given directly conflicts with their everyday experience.
| Cyber security advice | Everyday experience |
| --- | --- |
| Treat any attachments in unsolicited emails from unfamiliar addresses with caution. | Staff regularly receive legitimate attachments in emails from addresses they don’t recognise. |
| Treat links to websites in emails from unknown senders with caution. | Staff are frequently sent legitimate links in emails from unknown senders. |
Making it difficult
There is a fundamental issue underlying this contradiction between advice and reality. This contradiction makes it very difficult for staff to make well informed decisions about links and attachments in emails. It’s almost impossible to share data via email safely, because determining what is ‘safe’ is nearly impossible.
Digital Communication in the University is often unstructured, unco-ordinated and inconsistent.
There are many layers of defence against phishing emails, and the NCSC has some excellent guidance on this topic. Staff correctly identifying a phishing email is only one of the effective defences, but it is still worthwhile. Making it easier for staff to differentiate legitimate emails from phishing emails requires co-ordinated communication with a consistent style.
What I’m talking about here is clearly non-trivial: it’s no less than changing the way an organisation communicates. That will require significant change to behaviour at many levels of the University.
The scale of this problem is daunting enough. Now think about your own personal communication. This is even more likely to be unstructured, unco-ordinated and inconsistent. Now a difficult problem at work can start to look like an impossible problem at home. If you break it down, though, it’s just multiple relationships where the same problems occur. For example: how do you tell the difference between a legitimate email from a family member and one triggered by a malware infection? Whilst the same level of management is impossible, some of the same lessons can still be applied.
This series of posts on ‘Sharing Data safely’ will track my efforts to address the issues of:
- Structure (how communication is arranged and organised),
- Co-ordination (how communication is effective with many different parties involved), and
- Consistency (developing habits amongst those who produce and those who consume information).
If I’m successful, I’d expect to see the following trends:
- Fewer legitimate internal emails flagged to our Service Desk as ‘suspicious’.
- Reduction in click-through to phishing sites or opening of infected attachments.
There is a lot of good material out there; the NCSC Sociotechnical Security Group, Professor Angela Sasse at UCL, the ACCEPT project at RICSC. I’m sure there’s more to find, so this will be fun, if I can find the time to do it.