Proofpoint: Ongoing, Targeted Training Best Defense Against Phishing
The study analyzed tens of millions of simulated phishing emails sent to end users, along with nearly 15,000 survey responses from information-security (InfoSec) professionals and 7,000 from end users.
Phishing overtook ransomware attacks by an overwhelming margin in 2018. The impact of phishing is significant — according to the study, phishing attacks contributed to an increase in compromised credentials of more than 70 percent, leapfrogging malware infections to become the most commonly experienced impact in 2018.
According to another recent study – Vade Secure’s Q4 Phishers’ Favorites report – Microsoft remains the No. 1 impersonated brand. One credential can provide hackers with a single entry point to all of the apps under the Office 365 platform – as well as the files, data, contacts and other information stored in them – meaning that they can use these legitimate accounts to conduct insider attacks on colleagues or spear phishing attempts targeting business partners.
Gretel Egan, Proofpoint‘s brand communications manager, tells us the study shows a year-over-year increase in all forms of social engineering, and “we expect these threats to continue growing in scope and sophistication.”
“This presents a market opportunity for people-centric managed services that can proactively identify phishing susceptibility, measure end-user risk, and deliver regular security awareness training,” she said.
There is a common assumption that millennials and younger workers are more adept at identifying a phishing email, but the findings didn’t reflect that, Egan said.
“Baby boomers outperformed all other age groups in fundamental recognition of phishing and ransomware terminology, underscoring why organizations should not assume a younger workforce has an innate awareness of cybersecurity threats,” she said. “All age groups should be considered equally important in a security awareness training program.”
Some 57 percent of InfoSec professionals quantified a reduction in phishing susceptibility because of training programs, highlighting the effect that security-awareness training can have on changing employee behavior, the study revealed. Further supporting this, 59 percent of suspicious emails reported by end users last year were classified as potential phishing, showing that employees who are actively educated about malicious emails are more diligent and thoughtful about the messages they receive, the study said.
“When it comes to security awareness training programs, we found that organizations tend to issue fewer simulated phishing tests once they reach the two-year mark of their training program,” Egan said. “The threat landscape is continually changing, and new scams appear weekly if not daily. Rather than scaling back phishing simulations once organizations reach an ‘acceptable’ failure rate, MSSPs should challenge end users with more difficult security tests to keep them thinking and learning. And they should always keep an eye to emerging threats and work those themes into their campaigns, regardless of how long they’ve been testing users.”
MSSPs and other cybersecurity providers should prioritize identifying the specific individuals and departments that are considered “very attacked people,” she said. This insight allows organizations to employ a tailored, people-centric security approach that further educates those departments and individuals on attack techniques and establishes stronger security controls for susceptible employees, she said.
“Security awareness training and simulated phishing attacks should span many different themes – corporate, consumer, commercial and cloud – to best gauge the cybersecurity awareness of employees and their ability to recognize and avoid different lures,” Egan said. “Organizations should administer these tests monthly, and more regularly deliver commercial- and cloud-themed campaigns, as those most commonly fool users.”
For organizations that are committed to longer-term security awareness and training initiatives, average failure rates fall steadily as awareness training programs continue, with the most improvements occurring in programs that have been running for at least a year, according to the study.