Phishing attacks are commonly regarded as one of the greatest cyber threats against corporate networks. Improvements in malware detection and automated scanning have raised the bar for traditional attacks, leading attackers to focus on the weakest link in corporate cybersecurity: the employees. Over 95% of successful cyberattacks begin as a phishing campaign, so this attack vector clearly works for attackers. The average successful phishing attack also costs an organization 1.6 million dollars, according to PhishMe's Enterprise Phishing Resiliency and Defense Report, 2017, which examined controlled phishing activity and susceptibility at global organizations across 23 industries. Combined with the increased penalties for a data breach, a phishing attack can therefore have a major impact on an organization's bottom line.
The effectiveness of phishing attacks has not gone unnoticed: most organizations have implemented phishing training designed to teach employees to recognize potential phishing attacks and to respond appropriately according to company policy. Yet according to Verizon's 2018 Data Breach Investigations Report, on average 30% of phishing emails are opened and 12% of users will click on a malicious link or open a malicious attachment contained within a phishing email.
The main issue with traditional anti-phishing training is that it follows the same template as other corporate training. Employees are presented with eLearning presentations where they are expected to spend an hour clicking through slides and listening to a voiceover explain everything that they need to know about phishing attacks and the relevant corporate policy. The competition with other required corporate training and the limited time budget for training means that these cybersecurity hours are few and far between, and often regurgitate the same information as “refresher training”.
The main issue with this approach to cybersecurity training is that it simply does not prepare employees adequately for the cyber threats they encounter in their day-to-day work. The landscape of phishing attacks changes on a daily basis as new attack vectors and pretexts are introduced, retired and brought back.
For a period of time in 2017, Microsoft's Dynamic Data Exchange (DDE) functionality was a big deal. DDE is a feature built into Microsoft Office products that allows any Office program to run another program on the computer. While Office is required to notify the user of the program about to be run, the name of the program was truncated in that notification. By taking advantage of how computers traverse folders, an attacker could run any program on the computer while the prompt showed the path to a Microsoft Office executable.
Since most users would find launching Office plausible, this was a viable phishing attack vector until Microsoft patched it. However, the window of effectiveness of DDE attacks was so short that many users would never have seen it covered in a training session: by the time of their next scheduled anti-phishing training, the technique would already be ineffective, and the opportunity to protect the system in the meantime would have been lost. The scope and mutability of the phishing threat make traditional, scheduled cybersecurity training largely ineffective.
For anti-phishing training to be effective, it needs to be timely and to empower employees to make the right decisions at the right times. Rather than providing employees with training in short, irregular bursts and then expecting them to remember the necessary details when the time comes, it would be far more effective to cultivate a basic level of cyber awareness supplemented with specific information at the moment an employee faces a threat.
Phishing simulations are a common technique used to train users to identify cyber threats. By placing cybersecurity training within the context of their day-to-day lives, organizations attempt to foster a defensive mindset and train employees to recognize threats outside of training. While a step in the right direction, phishing simulations have three major shortcomings.
First, simulation emails are limited by the ingenuity of their creators. As new phishing pretexts and attack vectors emerge, there is a delay between the beginning of the threat and the beginning of relevant training while trainers develop and deploy new simulation emails. Second, phishing simulations may create an adversarial relationship between trainers and employees, who may come to believe that their employer is trying to trick them into a mistake. Finally, the training provided by phishing simulations still comes at the wrong time. While simulations teach threat recognition, there is no guarantee that the training will stick until the employee is faced with the relevant threat, whether that is next week, tomorrow, or the very next email.
Some email services show warning banners to users when their analysis determines that a given email is suspicious. However, these banners are often designed only to flag an email as suspicious, without explaining why it was considered suspicious, how to determine whether the requested action is actually a threat, or what the appropriate action is if a threat is identified. By presenting users with the evidence that made an email suspicious, together with relevant training and corporate policy information, organizations empower their employees to make informed decisions about potential threats and create an environment where a defensive cyber mindset is encouraged.
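As an added illustration of what an explanatory banner could look like (this is example code written for this page, not code from the article or from any mail provider), the following Python script runs a few simple, transparent checks over an email and renders each finding in plain language next to the action the user should take. The sample message, the internal domain example.com, the look-alike and urgency heuristics, and the policy wording in the banner are all assumptions made for this example; a real deployment would take the findings from the mail gateway's own analysis and the policy text from the organization.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo (not taken from the article).
SAMPLE_EML = """\
From: "Example Corp IT Helpdesk" <helpdesk@examp1e-corp.net>
Reply-To: mailbox-recovery@free-mail.example
To: alice@example.com
Subject: ACTION REQUIRED: your password expires today
Content-Type: text/html; charset=utf-8

<p>Dear user, your password expires today. Reset it now at
<a href="http://login.examp1e-corp.net/reset">https://portal.example.com/reset</a>
to avoid losing access.</p>
"""

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
URGENCY_PHRASES = ("action required", "expires today", "immediately", "suspended")


def domain_of(address):
    """Return the lower-cased domain of an RFC 5322 address, or '' if there is none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def looks_like(domain, reference):
    """Crude look-alike test (assumption): undo common digit-for-letter swaps
    (1 -> l, 0 -> o) and ask whether the reference's first label appears in it."""
    normalised = domain.translate(str.maketrans("10", "lo"))
    return domain != reference and reference.split(".")[0] in normalised


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of (reason, detail) findings explaining why the mail looks suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    # 1. Replies are steered to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(("Replies go elsewhere",
                         f"Reply-To domain '{reply_domain}' differs from sender domain '{from_domain}'"))
    # 2. The sender domain imitates the organisation's own domain.
    if looks_like(from_domain, INTERNAL_DOMAIN):
        findings.append(("Look-alike sender domain",
                         f"'{from_domain}' resembles '{INTERNAL_DOMAIN}' but is not it"))
    # 3. A link displays one URL but points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = urlparse(text).hostname if "://" in text else None
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(("Link text hides its destination",
                                 f"text shows '{shown}' but the link goes to '{actual}'"))
    # 4. The subject pressures the reader to act without thinking.
    subject = (msg["Subject"] or "").lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append(("Pressure to act quickly", f"subject uses urgency wording: {', '.join(hits)}"))
    return findings


def render_banner(findings):
    """Render the banner text a mail client could show above the message."""
    if not findings:
        return ""
    lines = ["WARNING: this message has traits commonly seen in phishing:"]
    lines += [f"  - {reason}: {detail}" for reason, detail in findings]
    # Policy sentence is a placeholder; an organisation would insert its own procedure here.
    lines.append("What to do: do not click links or open attachments; use the "
                 "'Report phishing' button so the security team can check the message.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_banner(analyse(SAMPLE_EML)))
```

Each finding names the evidence in the user's own terms (where replies go, what the link really points at) rather than a bare "suspicious" verdict, which is the difference the paragraph above argues for: the user can verify the claim themselves and learns what to look for next time.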
Traditional cybersecurity training methods simply are not adequate to protect against the threat of phishing emails in the modern work environment. Rather than relying on employees memorizing and recalling training material when it becomes relevant, organizations should design their cybersecurity training to empower their employees by presenting them with the information to make the right decisions efficiently.