Inside phishing data: What works and doesn’t work with employee training
The headlines are full of horror stories lately about cyberattacks and the havoc wreaked by ransomware. But is ransomware the number one threat in the enterprise? How prevalent are phishing-related breaches? What factors influence susceptibility to phishing? And how can you create the best security awareness training?
Two recent reports attempt to provide answers to these questions.
Dark Reading’s "Strategic Security Survey" highlights the fact that phishing continues to haunt the enterprise, placing ahead of malware and distributed-denial-of-service (DDoS) attacks as the most common cause for data breaches in 2021. In fact, more organizations experienced a data breach last year due to phishing than any other cause: 53% of organizations reported a phishing-related breach compared to malware at 41% and DDoS at 17%. Ransomware-related breaches came up only 13% of the time.
Phishing simulations & training
Clearly, ransomware is a significant threat. However, phishing remains the tried-and-true tool of choice of cybercriminals. It is also the primary route for ransomware incursion. Therefore, attention to phishing detection and prevention should be the number one priority in cybersecurity.
“Ransomware gets all the headlines, but bad actors are working day and night to attack your organization where it is most vulnerable — and that is soft attacks on workers via phishing,” said Greg Schulz, an analyst with StorageIO Group.
“For every dollar spent on technology products and services, similar investments need to go into educating and equipping employees on how to prevent a phishing attack. Like Smokey Bear said, only you can prevent forest fires and only you can prevent a phishing-based ransomware attack.”
Swiss study examines phishing susceptibility
It is timely then that Swiss university ETH Zurich recently concluded a study, "Phishing in Organizations: Findings from a Large-Scale and Long-Term Study." The goals were to find out which employees fall for phishing, whether vulnerability to phishing changes over time, the effectiveness of security awareness training and whether employees can help in the fight against phishing.
The study ran for 15 months and involved more than 14,000 employees at one company. The key findings include:
- Warnings placed on suspicious emails are effective
- Using employees as a collective phishing-detection and crowd-sourcing mechanism is practical in large organizations
- The wrong type of security awareness training during simulated phishing exercises can make employees more susceptible to phishing
Let’s examine each of these and see what lessons can be learned.
Suspicious email warnings
Gmail and other email programs place warnings on emails when suspicious traffic is detected. The study found that this causes employees to take a second look at an email instead of just clicking on it, opening an attachment or providing credentials. Automated phishing detection mechanisms do identify a decent percentage of risky or suspicious characteristics in email traffic.
Researchers noted that such tactics tend to bring a lot of false positives. Legitimate traffic is often flagged, and clever hackers find ways to game the system (i.e., they see which of their phishing campaigns get caught by email programs and adjust their tactics to increase success). Thus, there is a cat-and-mouse game of cybercriminals' success. Algorithm adjustments are made to catch reported phishing emails and lower phishing success. Then the hackers adjust their tactics once again, and the cycle continues.
As the researchers found concerning the phishing warning tactic, “It could not label the email as phishing with sufficiently high confidence (often email filters are tuned to be permissive to avoid too many false positives).”
Email warnings are worthwhile, but like signature-based virus and malware tools, they are not enough.
Crowdsourcing as a phishing deterrent
When the study looked for common denominators among phishing victims, it failed to find a definitive set of employee characteristics related to age, gender or level of computer use that might correlate to phishing susceptibility.
Overall, just under 4% of users performed dangerous actions during the study. There was little difference found between frequent and infrequent computer users. But those using computers in a very specialized setting were slightly more susceptible to phishing. Someone performing highly repetitive data entry, for example, might pay less attention to the warning signs.
Additionally, gender was not found to be a significant factor in susceptibility. Age, however, did demonstrate a pattern. Those in their late teens were much more likely to fall prey to phishing. And the age category least likely? Those over 60. Unfortunately, about a quarter of those fooled by simulated phishing emails during the campaign turned out to be repeat clickers.
The study also found that crowdsourced phishing detection has workability. “Our experiment also demonstrates that large employee bases can collectively retain sufficiently high reporting rates over long periods of time. In summary, this paper is the first to demonstrate that crowd-sourced phishing detection is a practical and effective option for many organizations.”
But again, there were a lot of false alarms. The study found that 68% of phishing alerts from users were accurate. And when good security awareness training is in place, alerts start coming in rapidly — many within five minutes of receipt of phishing emails
Inadequate security awareness training
The study pointed out the dangers of voluntary or sloppy security awareness training. In particular, researchers noted the inadequacy of sending employees that fail a simulated phishing exercise to a web page or lunch-and-learn for educational material about phishing.
ChatGPT training built for everyone
“The combination of simulated phishing exercises and voluntary embedded training (i.e., employees were not required to complete the training) not only failed to improve employee’s phishing resilience, but it actually even the made employees more susceptible to phishing.”
The thoroughness of security awareness training, therefore, is vital. Employees must be required to complete training. That training must engage the employee using gamification, entertaining visuals, and a variety of themes and styles to jumpstart awareness and deliver comprehensive education.
As part of a program to build a culture of security from the ground up, training modules should be tailored to each employee’s role and security aptitude, and augmented by posters, infographics and the many other elements that comprise an effective campaign.
Sources
- Strategic Security Survey, Dark Reading
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study, ETH Zurich
ChatGPT training
In this Series
- Inside phishing data: What works and doesn’t work with employee training
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization