Why employees fall for phishing attacks

Our partner, Wombat Security Technologies, is an advocate for security awareness training. They train employees to recognize and avoid cyber-attacks using interactive software training modules. Wombat has a number of interactive training modules, one of which is dedicated to email security. Read the blog below to see why end users keep clicking.

Three reasons why end users click:

Experience has shown that there are three fundamental reasons why users click on phishing scams.

1. They aren’t aware of the phishing threat

This, you may be thinking, is impossible. How can anyone not know what phishing is? It’s all over the most prominent infosec news sites and even many mainstream news sites. There are studies and statistics on it, and employees frequently receive communications about it.

The average employee is probably a lot more interested in social media memes and Netflix than they are in cybersecurity news and reports. And even if you are sending emails…it’s likely they aren’t reading them (or at least not all of them).

For Wombat’s 2017 State of the Phish report, they commissioned an independent survey of 1,000 U.S. and 1,000 UK working adults about their knowledge of phishing. Though well over half of those users did know what phishing is (in general terms), 35% of U.S. respondents and 28% of UK respondents did not. That is a sizable awareness gap.

The reality is that if you aren’t regularly communicating with your users in multiple ways, using language and materials that resonate with them, your warnings about phishing are probably not going to land.

2. They are aware of the phishing threat but don’t know what to do about it

We tend to favour “security awareness and training” over “security awareness training”. That preference is based on a simple reason: awareness and training are two separate things.

Making your end users aware that a threat exists is not the same as teaching them how to recognize and react to that threat if they encounter it during their day-to-day business activities. It’s great to win the battle of getting your employees to know that phishing attacks are happening within your organization — but to win the war, you need to use anti-phishing training tools to educate your employees about the different social engineering tactics attackers will use to try to trick them into clicking…and downloading…and submitting sensitive data.

This philosophy is a primary reason why Wombat includes both simulated attacks and education modules in its Anti-Phishing Training Suite. In addition to providing vulnerability assessments, its ThreatSim Phishing Simulations can be paired with teachable moments, which help organizations raise awareness with end users by providing a “just-in-time teaching” message to anyone who interacts with a simulated attack. This starts to give employees a sense of how their actions can impact data and network security.

But given that one phishing example is just that — one phishing example — follow-up education is a critical piece of end-user risk management. Wombat's security awareness training modules not only explain the different kinds of threats that end users might face, they allow employees to practice applying their knowledge. This interactivity is key to engagement and knowledge retention — and our customers have told us that this approach makes a big difference in how their employees respond to training.

3. They are human

It may sound harsh, but making a 0% vulnerability rate your measure of success is unrealistic. That’s because there is no ignoring the human factor. Humans are fallible. Humans make mistakes - even you. You know stoves are hot, but you occasionally still get burned.

That said, before you throw up your hands and give up on the idea of security awareness and training, consider this cybersecurity equation:

Educated Human > Aware Human > Unaware Human

Awareness gets your end users thinking about the way they act, and education gives them the knowledge they need to change the way they act. Users who are totally unaware are likely to click on anything and everything — and be none the wiser. Educated users make far better decisions, make far fewer mistakes, and are far more likely to alert you to questionable emails, allowing you and your infosec response team to become more proactive and less reactive.

You allow for imperfection from your spam filter, your antivirus software, and a host of other technical safeguards. You need to allow for imperfection from your end users as well, if only because of the value they bring to your organization. They are your biggest asset, and you need to stop simply writing them off as a liability.

To reduce vulnerability, focus on managing risk, not eliminating it

When you couple the human factor with the sheer volume of attacks and the single-minded focus of cybercriminals, it is clear that cybersecurity risks are not going anywhere. According to its Q4 2016 Phishing Activity Trends Report, the Anti-Phishing Working Group (APWG) recorded more phishing activity in 2016 than in any other year since it began monitoring these threats in 2004. (Historically, 2016 showed a 65% increase in phishing attacks compared to 2015, and Q4 2016 saw a 5,753% increase over Q4 2004.)

Cybercrime has clearly proven its value to attackers. For the first time, the latest Crime Survey for England and Wales (CSEW) tracked statistics about cybercrime for the full year of its survey period. Out of the 11.8 million identified incidents of crime — which included those affecting both individuals and businesses — 5.6 million were attributed to fraud and computer misuse, which nearly matched all other incidents combined.

If end user risk management is not part of your cybersecurity plan…what are you waiting for? Specifically, a security awareness and training program can offer a cost-effective, results-driven way to quickly reduce end user risk and generate improvements over time.

(Blog originally posted by Gretel Egan of Wombat Security Technologies)