In the U.S., 35 percent of working-age adults do not know what phishing is. Considering the average office worker can see up to one risky email a day, that’s quite alarming. Clearly, this awareness gap is putting both business data and systems at risk. Factoring end users into the endpoint protection equation just makes sense.
Discussions about phishing prevention are on the rise, which is good. Unfortunately, that’s partially at the expense of organizations and end users. When companies like Google and Amazon make the news because attackers are corrupting their brands in order to propagate phishing scams, there are certainly more conversations — but at the tradeoff of more compromised networks, accounts, and devices.
But even though more and more companies and individuals are falling victim to phishing emails, and publications and news outlets are shining a light on this threat vector, that doesn’t mean end users have a solid awareness of this threat or that they’re actively trying to avoid these types of attacks. Those who do have some sense of the risk phishing messages pose are complicating the matter in another way: overconfidence.
A recent study published by the University of Texas at San Antonio found that overconfidence is a growing reason many end users fall for phishing scams; they simply believe they are smarter than the actors responsible for an attack. This is leading to a carelessness that is compromising endpoints with alarming regularity.
Compounding the problem is the fact that phishing messages are becoming more sophisticated. While overconfident users are looking for Nigerian prince emails, attackers are developing more targeted and more detailed messages that are exceedingly sophisticated and difficult for even infosec professionals to spot. And with ransomware on the rise and continuous advances in malware, these attacks can come with some crippling payloads.
The reality is that end users — and their decision-making skills — are attached to a vast number of your endpoints. If you are not continually educating employees about how to spot the evolving techniques and nuances cybercriminals are using to attempt to penetrate your defenses, you are allowing unnecessary risk to percolate within your security chain.
The first step in an effective security awareness training program is assessing employees’ depth and breadth of knowledge, and attempting to identify your organization’s most pressing susceptibilities. Though we’ve talked almost exclusively about phishing within this piece, the reality is that end-user risk management is bigger than email-based attacks. Many of the worst breaches we’ve seen of late weren’t caused by a single mistake, but rather a series of them. Typically, multiple employees could have taken action to stop an attack if they had known what to look for. A comprehensive training program helps to fill in the knowledge gaps, which can mean the difference between a single compromised endpoint and a major data breach. As such, it’s important to assess your users and figure out where your organization’s gaps and weak links really are.
Some of today’s best security awareness programs incorporate phishing simulations, which allow companies to evaluate end users’ susceptibilities without exposing their networks to an actual attack. To ensure longevity, choose a tool that supports customizable email templates, multiple types of attachments, data entry fields, and the ability to test users’ recognition of embedded links and spoofed senders. Content updates are also critical, as cybercriminals are always coming up with new attack scenarios. Tools that regularly provide new and refreshed templates and materials help to ensure your program remains relevant and effective.
When using assessment tools like simulated attacks, it’s important to have a plan and measurable goals; without them you can run simulations but cannot tell whether your program is improving anything. A good place to start is measuring failure rates (i.e., interactions with simulated phishing emails). Tools that allow you to dig in and analyze failure rates by user attributes — like department, office location, and manager — give you visibility into important susceptibility metrics and variations between groups, job functions, and geographies. It’s also valuable to be able to identify users who have had multiple failures — so-called “repeat offenders” — as this allows you to work with managers and your HR department to adjust access permissions and develop other escalation paths that will help employees become more careful (and keep your endpoints more secure).
A step that organizations sometimes overlook is delivery of ongoing cybersecurity training. Simulations are great for assessing end users’ ability to detect attacks, but they have a limited ability to educate employees about the breadth of techniques attackers use. The most successful program administrators educate end users about the types of threats they will encounter and give them the knowledge and well-placed confidence — not overconfidence — they need to make good decisions. The most sophisticated programs educate their users multiple times per year, opting for short and easily digestible lessons that don’t just teach new concepts but also help to reinforce previous lessons to prevent knowledge loss. Look for an education tool that offers brief, focused modules that will allow you to regularly provide training without overwhelming end users. If you can automatically assign training to employees who fall for a simulated attack, that’s a great advantage. This allows users to more clearly connect the dots between the phishing simulation and the follow-up education. If you send a simulated attack in January and then don’t provide training until August, you’ve lost any possibility for a logical connection between the two events.
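The two preceding paragraphs describe the metrics a simulation program should produce (failure rate by department, office or manager; repeat offenders across campaigns) and the follow-up step of assigning training promptly to users who fail a simulation. The script below is an added example, not code from the article or from Wombat Security’s products: it works over a constructed result set from three hypothetical campaigns (users, departments and dates are all made up) and computes each of those outputs with nothing beyond the Python standard library.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple


class SimResult(NamedTuple):
    """One user's outcome in one simulated phishing campaign."""
    campaign: str
    sent: date
    user: str
    department: str
    office: str
    manager: str
    failed: bool  # True if the user clicked the link, opened the attachment or entered data


# Constructed sample data for three quarterly campaigns (hypothetical users and dates).
RESULTS = [
    SimResult("C1", date(2024, 1, 10), "alice", "Finance", "Austin", "dana", True),
    SimResult("C1", date(2024, 1, 10), "bob", "Finance", "Austin", "dana", False),
    SimResult("C1", date(2024, 1, 10), "carol", "Engineering", "Boston", "erin", False),
    SimResult("C1", date(2024, 1, 10), "dave", "Engineering", "Boston", "erin", True),
    SimResult("C2", date(2024, 4, 15), "alice", "Finance", "Austin", "dana", True),
    SimResult("C2", date(2024, 4, 15), "bob", "Finance", "Austin", "dana", True),
    SimResult("C2", date(2024, 4, 15), "carol", "Engineering", "Boston", "erin", False),
    SimResult("C2", date(2024, 4, 15), "dave", "Engineering", "Boston", "erin", False),
    SimResult("C3", date(2024, 7, 20), "alice", "Finance", "Austin", "dana", True),
    SimResult("C3", date(2024, 7, 20), "bob", "Finance", "Austin", "dana", False),
    SimResult("C3", date(2024, 7, 20), "carol", "Engineering", "Boston", "erin", False),
    SimResult("C3", date(2024, 7, 20), "dave", "Engineering", "Boston", "erin", True),
]


def failure_rate_by(results, attribute):
    """Failure rate (failed sends / total sends) grouped by a SimResult field
    such as 'department', 'office' or 'manager'."""
    sent = defaultdict(int)
    failed = defaultdict(int)
    for r in results:
        key = getattr(r, attribute)
        sent[key] += 1
        if r.failed:
            failed[key] += 1
    return {k: failed[k] / sent[k] for k in sent}


def repeat_offenders(results, min_failures=2):
    """Users who failed at least `min_failures` distinct campaigns,
    most failures first (ties broken by name)."""
    failures = defaultdict(set)
    for r in results:
        if r.failed:
            failures[r.user].add(r.campaign)
    counts = {u: len(c) for u, c in failures.items() if len(c) >= min_failures}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def training_assignments(results, campaign, due_days=14):
    """Map each user who failed `campaign` to a training due date shortly after
    the send date, so the lesson stays tied to the simulation that triggered it."""
    return {
        r.user: r.sent + timedelta(days=due_days)
        for r in results
        if r.campaign == campaign and r.failed
    }


if __name__ == "__main__":
    for attr in ("department", "office", "manager"):
        for key, rate in failure_rate_by(RESULTS, attr).items():
            print(f"{attr:<10} {key:<12} failure rate {rate:.0%}")
    print("repeat offenders:", repeat_offenders(RESULTS))
    print("training due after C3:", training_assignments(RESULTS, "C3"))
```

Repeat offenders are counted per distinct campaign rather than per click, so a user who clicks one lure several times is not inflated into an escalation case; the `due_days` window is the knob that keeps the follow-up training close to the simulation, which is the timing the paragraph above argues for.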
Phishing can have serious impacts on endpoint security, which in turn can affect your organization’s intellectual property, reputation, customer confidence, and other important business indicators. If you are involved with developing an endpoint protection strategy, don’t be foolish and overlook how your end users’ awareness and knowledge (or lack thereof) play into your metrics for success.
By Kurt Wescoe, Chief Architect at Wombat Security Technologies