Inside phishing data: What works and doesn’t work with employee training
The headlines are full of horror stories lately about cyberattacks and the havoc wreaked by ransomware. But is ransomware the number one threat in the enterprise? How prevalent are phishing-related breaches? What factors influence susceptibility to phishing? And how can you create the best security awareness training?
Two recent reports attempt to provide answers to these questions.
Dark Reading’s “Strategic Security Survey” highlights the fact that phishing continues to haunt the enterprise, placing ahead of malware and distributed-denial-of-service (DDoS) attacks as the most common cause for data breaches in 2021. In fact, more organizations experienced a data breach last year due to phishing than any other cause: 53% of organizations reported a phishing-related breach compared to malware at 41% and DDoS at 17%. Ransomware-related breaches came up only 13% of the time.
Clearly, ransomware is a significant threat. However, phishing remains the tried-and-true tool of choice of cybercriminals. It is also the primary route for ransomware incursion. Therefore, attention to phishing detection and prevention should be the number one priority in cybersecurity.
“Ransomware gets all the headlines, but bad actors are working day and night to attack your organization where it is most vulnerable — and that is soft attacks on workers via phishing,” said Greg Schulz, an analyst with StorageIO Group.
“For every dollar spent on technology products and services, similar investments need to go into educating and equipping employees on how to prevent a phishing attack. Like Smokey Bear said, only you can prevent forest fires and only you can prevent a phishing-based ransomware attack.”
Swiss study examines phishing susceptibility
It is timely, then, that Swiss university ETH Zurich recently concluded a study, “Phishing in Organizations: Findings from a Large-Scale and Long-Term Study.” The goals were to find out which employees fall for phishing, whether vulnerability to phishing changes over time, how effective security awareness training is and whether employees can help in the fight against phishing.
The study ran for 15 months and involved more than 14,000 employees at one company. The key findings include:
- Warnings placed on suspicious emails are effective
- Using employees as a collective phishing-detection and crowd-sourcing mechanism is practical in large organizations
- The wrong type of security awareness training during simulated phishing exercises can make employees more susceptible to phishing
Let’s examine each of these and see what lessons can be learned.
Suspicious email warnings
Gmail and other email programs place warnings on emails when suspicious traffic is detected. The study found that this causes employees to take a second look at an email instead of just clicking on it, opening an attachment or providing credentials. Automated phishing detection mechanisms do identify a decent percentage of risky or suspicious characteristics in email traffic.
Researchers noted that such tactics tend to produce a lot of false positives. Legitimate traffic is often flagged, and clever hackers find ways to game the system (i.e., they see which of their phishing campaigns get caught by email programs and adjust their tactics to increase success). The result is a cat-and-mouse game: filtering algorithms are adjusted to catch reported phishing emails and lower phishing success, then the hackers adjust their tactics once again, and the cycle continues.
As the researchers observed about the phishing warning tactic, “It could not label the email as phishing with sufficiently high confidence (often email filters are tuned to be permissive to avoid too many false positives).”
Email warnings are worthwhile, but like signature-based virus and malware tools, they are not enough.
Crowdsourcing as a phishing deterrent
When the study looked for common denominators among phishing victims, it failed to find a definitive set of employee characteristics related to age, gender or level of computer use that might correlate to phishing susceptibility.
Overall, just under 4% of users performed dangerous actions during the study. There was little difference found between frequent and infrequent computer users. But those using computers in a very specialized setting were slightly more susceptible to phishing. Someone performing highly repetitive data entry, for example, might pay less attention to the warning signs.
Additionally, gender was not found to be a significant factor in susceptibility. Age, however, did demonstrate a pattern. Those in their late teens were much more likely to fall prey to phishing. And the age category least likely? Those over 60. Unfortunately, about a quarter of those fooled by simulated phishing emails during the campaign turned out to be repeat clickers.
The study also found that crowdsourced phishing detection is workable. “Our experiment also demonstrates that large employee bases can collectively retain sufficiently high reporting rates over long periods of time. In summary, this paper is the first to demonstrate that crowd-sourced phishing detection is a practical and effective option for many organizations.”
But again, there were a lot of false alarms. The study found that 68% of phishing alerts from users were accurate. And when good security awareness training is in place, alerts start coming in rapidly — many within five minutes of receipt of phishing emails.
Inadequate security awareness training
The study pointed out the dangers of voluntary or sloppy security awareness training. In particular, researchers noted the inadequacy of sending employees that fail a simulated phishing exercise to a web page or lunch-and-learn for educational material about phishing.
“The combination of simulated phishing exercises and voluntary embedded training (i.e., employees were not required to complete the training) not only failed to improve employees’ phishing resilience, but it actually even made the employees more susceptible to phishing.”
The thoroughness of security awareness training, therefore, is vital. Employees must be required to complete training. That training must engage the employee using gamification, entertaining visuals, and a variety of themes and styles to jumpstart awareness and deliver comprehensive education.
As part of a program to build a culture of security from the ground up, training modules should be tailored to each employee’s role and security aptitude, and augmented by posters, infographics and the many other elements that comprise an effective campaign.
- Strategic Security Survey, Dark Reading
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study, ETH Zurich