Thwarting Phishing Threats With Simulations
This article first appeared on Security Boulevard.
Social engineering schemes continue to flourish, making their way into company inboxes with the intent to mislead employees into downloading malicious software. These schemes appear fraudulent to those familiar with phishing. But for employees not educated about such attacks, or anyone busy and rushing to get their job done, it’s easy for mistakes to happen.
In large enterprises with thousands or tens of thousands of employees, thwarting 99.9% of these attempts simply isn’t good enough. All it takes is one person to click—to download that attachment or provide credentials or financial data—and hackers have a way into a network and foothold to launch devastating attacks.
For instance, malware like ransomware, once inside a perimeter, can snake its way through a user’s system and into the larger company network. Typically, an effective enterprise-scale ransomware attack won’t be noticed for about 10 days, silently encrypting files and data spreading without anyone being aware. Then, files begin locking users out, snowballing across a company until IT is alerted—but too late to stop the damage.
So, how likely is this to happen to your company? According to research from SonicWall Capture Labs, there were a record-high 304.7 million attempted ransomware attacks in the first half of 2021 alone, topping the total amount of incidents for all of 2020.
Short answer: It’s very likely.
Identifying Phishing Threats
You can try next-gen firewalls, the latest email security features and tools, but no matter how much you spend or what you try, phishing emails are going to get through. That said, employee awareness, education and training remain the best line of defense against these types of cybersecurity scams.
For starters, ransomware emails tend to share common characteristics and flaws that can signal to employees that they might not be legitimate. These tip-offs include:
Awkward grammar, typos and misspellings
An inflated sense of urgency encouraging immediate action
Vague sender details such as coming from an “account processor”
An illegitimate domain signaled by incorrect spelling or use of a subdomain
The 2020 Gartner Market Guide for Email Security can help companies prepare for emerging email threats and better identify hacker techniques. Programs are also available to educate and train employees about the dangers of phishing and how best to identify fraud. Security awareness training is also recommended on at least an annual basis so workers can remain abreast of the latest tricks and preventative tips.
And it doesn’t hurt to bring in outside cybersecurity consultants for in-person training. This not only emphasizes the seriousness of threats to employees, it demonstrates a company’s commitment to eliminating them.
Still, the most effective way to teach employees about phishing is by actually phishing them. As a result, managed phishing services have quickly grown in popularity. These test the knowledge and attentiveness of employees while delivering effective education in real-time to ensure users can thwart cyberattacks before they occur.
For example, those providing the service may pose as a company’s managed services provider (MSP), regularly targeting employees with controlled mock phishing attacks. Should a user take the email bait and click, they’re taken to in-the-moment training for further education and pointers so they’ll avoid falling for traps in the future.
A phishing simulation can use attachments or steal credentials or a number of other actions but, regardless of the approach, it’s important for a company to receive a detailed report from the service provider afterward. Foremost, you want visibility into metrics such as click-through rates, locations and endpoint analysis. And, employee training completion should also be verified and reported—this is what instills employee accountability.
The Cost of Security
A survey by Sophos shows the cost of recovery from a ransomware attack has more than doubled in the past year. The cost of remediating the damage—which also includes factors like downtime and sales losses—grew from roughly $761,000 to more than $1.8 million. This makes the cost of recovery more than 10X the average ransomware payment. And even for those that pay up, only 8% get back all their data with one-third only getting back half, at the most.
That said, simulation campaigns should be conducted with regularity—quarterly or more frequently as needed. Those providing such services can draw from an array of content and formats to keep testing fresh and challenging while developing additional models based on new hacker data. Following up with training, especially interactive video and assessments, can reinforce critical phishing education and cybersecurity hygiene—and the right provider should be able to deliver that, too.
Phishing simulations are one of the most cost-effective methods for delivering an experience users will remember about the dangers of social engineering and the importance of safe cybersecurity and email practices. And protection from phishing and ransomware does not have to include a sky-high price tag, as long as it’s grounded in education.