by Mendy Newman
Posted on July 25, 2023
A stunning 90% of corporate security breaches are believed to begin with a phishing attack.
So, it’s not surprising that phishing training, the “obvious” first line of defense is a big growth business. Cybersecurity Ventures predicts that global spending on cybersecurity awareness training will top $5 billion this year and will reach $10 billion by 2027.
An article in Cybercrime Magazine quotes Kathy Hughes, CISO for the largest healthcare system in New York, who says,
“Security awareness and training is the most important thing a CISO is responsible for. For all the investment in security technologies that any company makes it just takes one person clicking on one link that bypasses all those technologies in order for an organization to really become crippled.”
Given the enormous sums being spent on phishing training, there are many studies that attempt to evaluate the effectiveness of the training. One study on high-risk employees working in healthcare used a combination of simulated phishing attacks and training to evaluate the effectiveness of mandatory training. With 5,146 employees evaluated, the authors report,
The mandatory training program, initiated after campaign 15, did not have a substantial impact on click rates, and the offenders remained more likely to click on a phishing simulation.
During the course of the study, 82% of the users clicked on at least one phishing email, and 65% clicked on two.
Another study reported on in an IEEE journal compared the effectiveness of different types of training. During 12 weeks of simulated phishing attacks, 34% of users clicked through on a simulated malicious email. Unlike the healthcare study, this one, which involved 31,000 participants, did find a statistically significant improvement after user training. The best training scheme reduced clickthroughs on simulated phishing emails by 12%. The study also found that users were less likely to fall victim to credential theft than to click on an infected link. Apparently, people are more careful about sharing their credentials. “Only” 5% of users submitted their credentials, versus 11% who clicked on phishing links.
Given that it only takes one phishing email to result in a major cybersecurity breach, a 12% improvement is not going to protect your company – not with 11% of users clicking on links, and 5% handing over credentials.
Many phishing attacks use a spray-and-pray approach: Send the same generic email to millions of users, hoping to catch a few who are unaware of the warning signs of phishing, easily discomfited by “urgent” appeals, or happen to be distracted and insufficient attentive at the particular moment the email is received.
Anti-phishing training might help some of those users avoid obvious attacks. The greater danger is with spear-phishing, emails that are carefully crafted for a specific target. Attackers use social media to learn about the potential victim. These malicious emails can be very sophisticated: They often look completely legitimate and may seem to be from a mainstream organization in which the user has an actual interest. Spear-phishing often targets “big game,” individuals such as the CEO or CFO of an organization, who are authorized to execute financial transactions.
These “whale phishing” attacks may be so convincingly crafted that even a very sophisticated user will click through to a malicious URL, setting in motion an attack chain that can result in stolen data, fund transfers, or the start of a ransomware attack.
One cybersecurity report found that the average organization receives 5 spear-phishing emails each and every day, more than 1,700 a year. They found an 11% click-through rate on spear-phishing emails (a rate that would please many direct marketers!)
Phishing training is like playing with damp matches near a pile of dry tinder. Most won’t catch fire. But if one does, the damage can be serious and hard to contain.
Even organizations that swear by phishing training are well aware that some users will, at some point, click on the wrong links. To cover those cases, they rely on threat detection and response. If a security team can detect a threat fast enough, the thinking goes, they can respond quickly and stop the attack in its tracks, before it spreads and causes a great deal of damage.
The theory is sound but in practice, most organizations are not good at implementing rapid detection and response. It typically takes 100 hours to effectively identify a malicious email and put protective measures in place after it has been delivered. One organization in five takes over 24 hours just to identify the attack, leaving plenty of time for an unsuspecting user to click on the wrong link or respond to the wrong email.
But even if your organization is a whiz at detection and response, there are undoubtedly some occasions when fast just isn’t fast enough, and damage is done in near real time.
There is a much better alternative to anti-phishing training than detect and response, and that’s to prevent malicious emails from delivering malware, and to render malicious URLs harmless.
With Web Isolation, the user browses the web by way of an isolated, cloud-based virtual browser. Only safe rendering data is sent to the user browser; website code never reaches the user’s device. If a user clicks on an infected link, the activated malware remains in the cloud, remote from the user device – and organization’s network.
Ericom’s implementation of browser isolation includes Content Disarm and Reconstruction (CDR) capabilities. Within the isolated cloud environment, weaponized email attachments are sanitized of malware and reconstructed with all desired functionality intact. As a result, users can open attachments without concern that they might be infected.
To prevent phishing-triggered credential theft, Ericom Web Isolation can be set to open unknown websites in “read-only” mode. So even when a site is sufficiently well-spoofed to convince users to “log in”, they are simply unable to enter credentials.
Web Isolation takes a Zero Trust approach to cybersecurity, meaning that no website, web app or attachment is trusted without validation. Since websites can never be fully validated as secure, Ericom Web Isolation enables users to browse without trusting web content to reach the endpoint. This is particularly crucial in today’s IT environment, in which the perimeter has simply ceased to exist. Users that may be anywhere — in the office, at home, or on the road, must be able to access the web securely and without putting organization data, apps or networks at risk.
Zero Trust is a different cybersecurity paradigm. With Zero Trust all users and all traffic are viewed as potentially dangerous. A full Zero Trust implementation includes much more than web isolation. It includes additional features such as:
Ericom’s ZTEdge is an easy-to-manage Security Service Edge (SSE) that provides the capabilities and benefits of a comprehensive Zero Trust-based platform in a cost-effective and simple to implement fashion.
Even sophisticated and trained users can – and do — fall for phishing attacks, the initial attack vector for 90% of security breaches. Now is the time to implement a better approach to protecting your IT assets.
QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.
Malicious cyber activity represents a growing threat to Australia's security and prosperity. Read on for important guidance on protecting your organization.
Risk assessment is a key factor in investment decisions. Now, with SEC disclosure rules in effect, investors can more easily take cyber risk into account.