Lack of cyber training leaving employees vulnerable to phishing attacks
Threats / Lack of cyber training leaving employees vulnerable to phishing attacks
27 June 2019
Dedicated cyber security training imparted to employees by organisations for periods ranging from ninety days to up to twelve months show marked improvements in their ability to detect and to respond to phishing attacks, a new study has found.
Social engineering is regarded by many fraudsters and cyber criminals as an effective tactic to steal enterprise and customer data, to make organisations wire money to them, or to gain access to enterprise IT networks.
The art of social engineering does not require fraudsters to be highly skilled in breaching perimeter security, application-level security or firewalls deployed by organisations, thereby making it possible for countless fraudsters to engage in the activity. Phishers leverage the art of communications, deception, and familiarity to lure employees into taking actions that are in their interest.
Phishing attacks are more successful than ever before
Over the years, fraudsters have mastered the art of social engineering and phishing attacks, so much so that a vast majority of organisations are now aware of CEO fraud, a tactic used by fraudsters to impersonate CEOs and the C-Suite in emails, texts, and other communications to direct employees to take several actions such as wiring money to a supposed vendor, sharing intellectual property via email, or sharing privileged accounts and credentials for internal networks.
Despite the awareness, the success of phishing attacks and social engineering continues abated with employees regularly failing to spot phishing emails that use company lingos and jargons and impersonate known colleagues, superiors, contractors, and vendors.
“No matter how much cybersecurity solutions advance, the human element remains the main vulnerability and often it’s simply because people are trying to be thorough and perform their work duties to the best of their abilities,” said Robert Capps, vice president at NuData Security.
However, a new study carried out by KnowBe4, a provider of security awareness training and phishing simulation, has demonstrated that imparting dedicated cyber security training to employees for prolonged periods goes a long way in helping them to detect and to respond to phishing attacks and social engineering tactics.
Intensive cyber training helping employees to detect phishing attacks
According to KnowBe4, following 90 days of combined computer-based training and simulated phishing security testing, the firm observed a significant drop of 15 percent in the share of employees who fell for phishing attacks. This was observed across industries and organisations of all sizes, be it firms hiring less than 250 employees or those hiring over a thousand of them.
Prior to carrying out the tests, the firm observed that the Phish-prone percentage (PPP) which is an indicator of the number of employees in an organisation who are likely to fall for a social engineering or phishing scam, was particularly high in the construction sector, the hospitality sector, the technology industry, and the energy and utilities sector.
After imparting 90 days of training, the firm noted that PPP in the hospitality sector (firms that hired over 1000 employees) fell from an alarming 48.4% to zero, and organisations in the construction sector hiring over 1000 employes saw their PPP score fall from 36.7% to 15%. Similarly, PPP scored declined remarkably in energy & utilities (34.4% to 13%), insurance (31.2% to 15.3%), and the manufacturing sector (30.9% to 14.6%).
KnowBe4 observed similar results among organisations that hired between 1 and 250 employees and those that hired between 250 and 999 employees. Without any exceptions, all industries, including construction, hospitality, healthcare, legal, insurance, consulting, and business services, demonstrated declines in their PPP scores following 90 days of intensive training imparted to their employees.
It also observed that after employees were made to go through a year of combined computer-based training and simulated phishing security testing, all these industries showed PPP scores in single digits, with transportation, manufacturing, consulting, and hospitality sectors having PPP scores of less than 2 percent.
Organisations must impart continuous training to employees
Based on remarkable improvement it observed among organisations whose employees underwent phishing testing, KnowBe4 recommends that organisations should conduct baseline tests to assess PPP of their users and accumulate necessary data to measure future success, that they should conduct on-demand, interactive, and engaging computer-based training instead of using old-style PowerPoint slides, should carry out social engineering tests at least once a month, and keep measuring results with a goal to reduce PPP to zero.
“This report goes to show how far we still have to go before we can eradicate phishing threats. Cybersecurity training for employees is still nowhere near where it should be. It’s often said that humans are the weakest link in the security chain,” said Craig Cooper, COO of Gurucul.
“People are susceptible to phishing because these attacks exploit basic human nature, like curiosity and pride. Organisations would be wise to ensure that their users know about the potential dangers of clicking links and opening attachments in emails.
“Beyond user training, however, organisations should also monitor user and entity behavior to identify anomalous and suspicious actions. Machine learning algorithms can compare current behavior to previously baselined behavior. Behavior analytics provides the data to identify trends and spot outliers, so you can quickly remediate threats. The behavior is the tell. And, in this case, the behavior of the compromised account would be suspicious and would have been flagged as risky and anomalous by behavioral analytics,” he added.