Simulated Phishing Attacks Yield 37 Percent Return On Investment

This article is more than 8 years old.

Phishing attacks cost an average large company nearly $4 million USD annually, according to new research from the Ponemon Institute. Telecom provider Verizon reported, in its 2015 Data Breach Report, that 23 percent of recipients of phishing emails open them. To make matters worse, 11 percent open the mails and click on the malicious attachments.

Clearly this high potential of being duped by malicious attacks warrants seriously considering how to avoid them entirely. At least some of the people Verizon surveyed would have been exposed to information about what phishing emails and sites look like, such as the descriptions here. Something isn't completely working when security experts merely tell people, and do not show them, how phishing scams look and feel. Practices such as giving employees manuals to study or even films to watch are not fully effective. InfoSec Institute's president Jack Koziol says that employee awareness retention rates are almost doubled 12 months after a simulation program is implemented, at 40% instead of 20%. Its whitepaper on employee training best practices is available here.

Phishing Sim School Is In Session! Image credit: isaiah658 at openclipart.org

Simulated phishing training works

You can send those promised free phishing mails here!

Simulated phishing attack training yields up to a 37 percent return on investment, according to that Ponemon study. Training employees by having them experience, rather than read about, phishing attacks is successful, but unfortunately it is an underutilized security training tool. Phishing simulation training is "one of the premiere examples of what security training should look like" but "comprehensive, ongoing simulation-based security training is rare," a senior director of technology analysis at the Computing Technology Industry Association told CSO Online.

Infosec Institute has generously set up a webapp to help the general public send fake, harmless phishing emails to friends, family and colleagues. The site, Phish.io, is a free phishing simulator that you sign up for and use to send simulated phishing emails. Infosec Institute assures me that it does not use your information, or that of the recipients of the mails, for unsolicited promotional emails.

Who will be caught in your phishing simulation?

The Phish.io simulator lets you see who among your friends, family and colleagues "fell for it and who didn't" by providing you with automated real time reports.

Awareness campaigns like Infosec Institute's Phish.io campaign are a great step toward educating the public about phishing avoidance. However, the need for formal, effective training is increasing, especially at the corporate level, as the frequency and sophistication of attacks increase. With the free Phish.io service, you can help train your friends, family members and colleagues to recognize phishing attacks. If your mails save even one of them from identity theft over the holidays, it will be worth it.

For more ambitious, commercial training, organizations such as Infosec Institute can provide specialized simulation services to help companies train their employees how to recognize and thwart phishing attacks.

A word of caution

You should be aware, before embarking on any workplace use of phishing attack simulations, that there has recently been a great deal of talk about whether employees who fall for such attacks should be fired or suffer other adverse employment consequences. Most recently, the Department of Homeland Security chief reportedly said he thought that employees who were duped by phishing mails should lose their security clearance.

The National Counterintelligence and Security Center (NCSC) is using simulated phishing attacks, it announced, lending gravitas to the security industry's increasing assertion that training sims are an important adjunct to security information campaigns. The NCSC says it isn't firing employees if they fail the sim test, but rather is submitting the rube to specialized training. Other organizations such as brokerage houses use sim phishing emails to test employees, and likewise don't fire but rather retrain employees who fall for the sim mail.

When considering the use of simulated phishing attacks and the consequences that will befall an employee who fails the simulated test, it would be wise for organizations to also consider the consequences that will befall the organization if an employee falls for a real phishing scam that results in the loss of money, personal data, trade secrets, and secret information such as passwords and account information.

Aside from the direct impacts of a phishing-enabled breach, organizations need to be cognizant that the FTC is newly empowered to pursue breached organizations and impose penalties for inadequate security levels. In view of all of these factors, organizations should carefully consider using simulated phishing attacks to maximize ROI in that aspect of cybersecurity training, and carefully decide on the appropriate disciplinary action to levy for employee failure.

Let's go phishing!

A free full featured demo of InfoSec Institute's anti-phishing training is available here.