IT staff are more likely to click on phishing links and are often worse at reporting threats than their peers elsewhere in the organization, according to new research from F-Secure.

The security vendor tested over 82,000 participants from four organizations to compile its study, To Click or Not to Click: What We Learned from Phishing 80,000 People. They were exposed to several tactics commonly used by cyber-criminals to steal data, deploy malware and conduct business email compromise (BEC).

Worryingly, in the two organizations studied where technical staff were tested, they showed a greater propensity to click.

In one of the companies, 30% of DevOps and 21% of IT staff clicked on test phishing emails, compared to an average of just 11% for all departments. In the other organization, the rate for DevOps was 26%, slightly higher than the average of 25% overall.

That’s despite more technical staff than the average claiming to be alert to the problem of phishing. In one organization, 17% of respondents said they had noticed a phishing email in their inbox in the past, versus 27% of IT and 29% of DevOps respondents.

In the other, the average for spotting phishing was 44% but shot up to 60% for those working in DevOps.

Technical staff members are also poor at flagging phishing attacks. In one organization, IT and DevOps came third and sixth out of nine departments in terms of reporting. In the other, DevOps was the twelfth best at reporting out of 17 departments, while IT came down in fifteenth place.

Matthew Connor, F-Secure service delivery manager and lead author of the report, claimed that over-confidence might be partly to blame for the results.

“I don’t believe you reduce susceptibility by teaching people about phishing. I believe you reduce susceptibility by making sure staff know the basics and by motivating them to want to spend the time and effort identifying and reporting phishing attacks,” he told Infosecurity.

“It is possible that the technical staff know what phishing is but have too much confidence in the technical protective measures in place and in their own ability to spot attacks. This leads them to be relaxed and susceptible, rather than alert and secure.”

Connor argued that reporting is a crucial link in the corporate security chain to help detect and prevent attacks and build resilience.

“Either technical staff in these organizations genuinely did not spot the phishing attempts and are not as adept as they may think, or they are not following the best practices to support the business,” he concluded.

“Ultimately for me, this study shows that technical staff need just as much support as the rest of the organization in combatting phishing.”

North Korea has experienced an internet outage that may have been caused by a cyber-attack.

The country lost internet access for approximately six hours on Wednesday morning local time. The incident was the second outage to hit North Korea in the past two weeks.

Junade Ali, a cybersecurity researcher who monitors various North Korean web and email servers from a location in Britain, told Reuters that the latest outage could have resulted from distributed denial-of-service (DDoS) attack.

Describing the recent incident, Ali said: “When someone would try to connect to an IP address in North Korea, the internet would literally be unable to route their data into the country.”

Within a few hours of the suspected DDoS attack, servers supporting email were back up and running. However, disruption and downtime continued to impact individual web servers of institutions, including North Korea’s ministry of foreign affairs, the Air Koryo airline, and Naenara – the official portal for the North Korean government.

Seoul-based news site NK Pro, which monitors events in North Korea, reported that log files and network records indicated that websites ending in .kp and hosted on North Korean web domains were mostly unreachable. The reason given for this was that North Korea’s Domain Name System (DNS) had ceased to communicate the routes that data packets are meant to take.

The news site observed that a similar incident had occurred in North Korea on January 14 2022. 

Ali said that how the server outage had occurred connoted that it was “the result of some form of network stress rather than something like a power cut.”

He said that no traffic was being sent to or from North Korea at the apex of the recent attack.

“It’s common for one server to go offline for some periods of time, but these incidents have seen all web properties go offline concurrently. It isn’t common to see their entire internet dropped offline,” said Ali.

He added: “During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the internet.”