Phishing Ad Nauseam: Is Getting Hooked a Symptom of a Larger Problem?
Phishing attacks have long since evolved from the beleaguered requests of a Nigerian prince, and are by no means going away.
From fake UPS delivery confirmations to notifications that your bank account has been frozen, hackers continue to think of ingenious ways to worm their way into your network. A recent report on spear phishing, a targeted form of phishing, by threat intelligence firm Cloudmark revealed some startling statistics. Of 200 IT decision makers from the U.S., and 100 from the U.K.:
- 95% of U.S. and 83% of U.K. respondents experienced spear phishing attacks (91% combined)
- 84% of respondents experienced spear phishing attacks that penetrated their technical security solutions, such as anti-malware software
- 81% suffered some negative impact as a result, with an average financial cost of $1.6 million — and some losses in the tens of millions of dollars
Regarding spear phishing, Angela Knox, senior director of engineering and threat research for Cloudmark, told eWEEK:
“Even though companies are taking actions, it is still one of the easiest ways in. It is much easier for someone to hack a human by going through email than to attempt to find a zero day.”
The Tip of the Iceberg
It’s easy to view a successful phishing attack as a singular event, in which a mistake was made or a detail was missed – the be-all and end-all of a data breach, frozen in a single moment in time. While the results of a successful phishing attack are often devastating to an organization, we believe being victimized in this way may be just the tip of the iceberg, indicating larger organizational problems. Let’s use this analogy:
A stuffy nose, headache, and fever can all be treated individually with various kinds of medications to get relief. But these symptoms are most often associated with the common cold. If you only treat the symptoms (painkillers for a headache, for example), you’re not addressing the root of the problem. In fact, treating just the symptoms may mean it takes longer for you to address the actual problem – a viral cold. However, taking more holistic steps against your cold (plenty of water and rest, while your immune system does its job) is often the best path toward being cold-free.
We think the same concept applies to an organization whose employee (or employees) fell prey to a phishing scam. The affliction in this case: a lack of cybersecurity awareness.
Susceptibility to phishing can represent a fundamental misunderstanding of security best practices at an organization-wide level. Technical safeguards against phishing attempts are important, but they cannot take up the slack left by a fundamental lack of security awareness in an employee base. If an employee falls for a phishy email, chances are security best practices are not top of mind, and a more holistic approach is needed.
There is Hope
However, an employee falling for a phishing scam is not always something to be ashamed of. Phishy emails continue to evolve, with each new year bringing attempts that are harder and harder to see through.
A McAfee phishing quiz of 30,000 users across 49 countries found that only 6% of respondents could correctly identify all 10 emails as either phishing attempts or legitimate. Eighty percent of all quiz takers fell for at least one phishing attempt.
As the quiz points out, it only takes one email to give an attacker access to your network. It takes vigilance to spot a well-designed phishing attempt. Not all phishing attempts are as poorly conceived as the classic Nigerian prince scam (or its 21st century cousin, the Nigerian astronaut trapped in space).
Fighting the Phish
Here’s the good news: while your employees may be part of the underlying problem, that also means they’re part of the cure. While Cloudmark did not discuss phishing as a symptom of a larger issue, their report did briefly touch on the importance of awareness training as a way to fight the phish. We couldn’t agree more.
Anti-phishing awareness training will help your employees make better decisions and repel phishing threats. Combining anti-phishing training with simulated phishing attacks lets your employees see first-hand the ingenious ways hackers have devised to get into your network, and how to avoid them. Additional courses on identifying and detecting malware, for example, allow employees to connect the dots on how damaging a phishing attack can be.
But, as Cloudmark’s research points out, training alone is not always enough. The firm’s report found that 56% of respondents trained staff to avoid spear phishing attacks, with only 34% providing ongoing training.
This, unfortunately, comes as little surprise to us. Most organizations we’ve spoken with conduct security awareness training only once a year, and then only for 30 minutes or so.
Call in the Reinforcements
Imagine if school education were based on spending 30 minutes on a topic, followed by an ever-present threat that you could be tested on this topic at any time over the next year. Think of trying to learn all the elements on the periodic table in a single, short cram session. After your time is up, your teacher tells you to leave for the day. But, she tells you she’ll call you back once or a few times within the next year to test you on what you’ve learned.
Sounds pretty rough, doesn’t it? Well, with anti-phishing awareness training that only happens once a year, that’s what many organizations are subjecting their employees to. Employees can face cybersecurity threats like phishing attacks on a daily basis. A few hours of education on these dangers might not be enough.
This is where regular, year-round training and reinforcement comes in. When needed, the best awareness programs will allow deployment of carefully selected reinforcement resources to cement anti-phishing lessons with an organization’s employees on a need-to-know basis.
Additionally, reinforcement works best when it is delivered in creative, resourceful, and fun ways, and when the message varies over time. To this end, a good awareness program will maintain a library of reinforcement content that is deep and wide. Such a library will ideally include, but is not limited to, animations, posters, and games.
From a broad perspective, a holistic approach through security awareness training and reinforcement will pave the way for an organization-wide risk-aware culture. Such a culture will help inoculate an organization against myriad cybersecurity threats for years to come.
Want to learn more about MediaPro’s phishing awareness courses? Contact us to request a demo.