Anti-Phishing Campaigns Are Working

A new report about cybersecurity released today offers a number of sobering statistics. One of the most concerning statistics would be that the number of phishing attacks grew by 36% over the past year, and the number of phishing sites grew by 220% over that same period. I say “would” because there is actually some good news to report:

After 12 months of security awareness training, end users are 70 percent less likely to fall for a phishing attempt.

Most news related to cybersecurity can only be described as negative. But this revelation is a positive development. It indicates that when organizations combine phishing simulation campaigns with education about the forms phishing takes and the consequences of falling for it, their employees are significantly less likely to become victims.

Phishing is a kind of attack in which the attacker tries to trick a person into clicking on a link that will lead him or her to a malicious website the attacker manages. That website might persuade the victim to enter login credentials or personal information. The victim is tricked because the website looks legitimate. It might faithfully reproduce the appearance of a site the user usually visits, or it might look sufficiently professional that it seems plausible and trustworthy. Since the attacker manages the malicious site, he will capture the information the victim enters. What he captures could be enough for the attacker to break into a site the victim’s employer controls. Alternatively, the information the hacker collects could become the basis of a social engineering attack, whereby the attacker uses the stolen nugget of information – something nobody outside the company should know – to convince an employee to divulge even more information.

Phishing is an easy attack with a potentially big payoff. It’s easy because it targets security’s weakest link: the human user. Naive by nature and busy by circumstance, we humans often click without thinking. All it takes is one errant click to cause significant harm to an organization. The average phishing attack costs a large company almost $3.7 million annually, and it wastes more than 4 hours of the average employee’s time each year.

Today’s report, however, offers the good news that efforts to educate employees to think before they click are working. Organizations educate their employees about phishing and other kinds of attacks by creating a culture of vigilance. They combine online training from companies such as KnowBe4 with in-person training sessions and automated simulated phishing tests, in which they will send employees a phishing email to test their carefulness and remind them of the signs and consequences of phishing if they fail. Companies also place posters around the complex and regularly rotate them so that employees are constantly reminded of the need to think before they click. By communicating this message to employees repeatedly and in multiple ways, employers make it significantly more difficult for their employees to forget.

Of course, mistakes still happen. We’re humans, and humans err. The good news, however, is that anti-phishing education efforts seem to be paying off. So, let’s keep doing it.

About Ray Klump

Professor and chair of Mathematics and Computer Science Director, Master of Science in Information Security Lewis University http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.

Leave a Reply

Your email address will not be published. Required fields are marked *