Joe Ferrara
Commentary

Phishing Scams at All-Time High, Employee Training Not Keeping Pace

Phishing attacks aren't going away any time soon. The mindset that eventually someone will find a technology that prevents this type of attack is wishful thinking.

As the CEO of a leading cyber security education company, I continue to be shocked by the increasing number of successful phishing attacks and what that means to the long-term health of our economy. According to the Anti-Phishing Working Group (an international security industry coalition), phishing attacks worldwide have been reaching all-time highs, and the fraudsters continue to go where the money is. Payment services account for 47% of phishing email subjects, other financial services firms for 20%, and the retail/service sector for 11%.

According to a widely cited fraud report by RSA, the security division of EMC, in 2013 there were nearly 450,000 phishing attacks and record estimated losses of more than $5.9 billion. US companies have the second most costly data per record ($188) and an estimated total cost per breach of $5.4 million, and this does not even include the impact of intellectual property stolen through these phishing attacks. Bottom line: the risk of data breaches and the financial damages associated with them is significant for companies of all sizes. Phishing remains an ominous threat to consumers and businesses around the world and continues to shift wealth away from US companies to criminals and other nations.

Enabling the phishers
What many people don't realize is that company employees are giving cyber criminals everything they need to launch very successful and sophisticated attacks. Employees' uninformed use of social networking sites is feeding the phishing problem.

First and foremost, everyone is oversharing personal and company information. This gives new meaning to the term "TMI" (Too Much Information). We are oversharing on social networking sites, posting everything from our birthdays and anniversaries to our kids' names, our friends' names, our co-workers, what we like, what we are doing at work, and more. All of this information can be used to create very targeted and believable phishing attacks that get employees to click links to malicious sites, download computer viruses, or give away their user names and passwords.

In addition to the oversharing, there are many other risky behaviors in social media:

  • 39% of users don’t log out after each session
  • 25% share their passwords
  • 31% connect with people they don’t know

As a result, 15% of social media users have had their profiles hacked and impersonated. On the surface, 15% of social media users being compromised doesn't seem like many. But consider that right now there are 1.4 billion people on Facebook alone. That equates to an astounding 210 million people who have potentially had their profiles hacked and impersonated, giving criminals even more information to create targeted attacks on a growing percentage of the population.

What is the best way to combat phishing attacks?
According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as a vulnerability. There’s a good reason for this rating. Security technology, the first approach to protecting a corporate IT infrastructure, is proving itself ineffective in protecting against phishing attacks (otherwise known as social engineering attacks). It takes an educated human to identify when “something doesn’t seem quite right about this” so he or she can avoid an attack. Of course, employees can only do this if they have the knowledge to spot an attack in progress and avoid opening themselves or their employer to it.

Yet even with these profound statistics on the cost to companies and the US economy, 4 out of 10 organizations still don't provide any ongoing security education to their staff. Meanwhile, according to a PwC survey, organizations with a security awareness program in place were 50% less likely to have staff-related security breaches.

It starts with training employees to avoid phishing attacks
If you think about it, individuals are most aware of their security behavior at work, where careless errors can be detected and frowned upon by employers. Fortunately, corporate security education programs are beginning to advance beyond a compliance officer checking a box that an employee read the security policy, or static PowerPoint presentations, or the dreaded hour-long video training.

Today, education in the form of engaging software programs, security education games, and even mock attacks that catch employees in the act and educate them on the spot is making an impact. These methods keep the latest phishing schemes top-of-mind for employees, and the learning lasts longer than with other education methods. To be most effective, cyber security education must be continuous, to maximize learning and lengthen retention of the topics learned. A continuous cycle of assessing knowledge and vulnerability levels, providing education, and following up with evaluation has been shown to reduce vulnerability and ensure users retain the training content delivered.

It’s time for a big change
Phishing attacks aren’t going away any time soon. The mindset that eventually someone will find a technology that prevents these types of attacks is wishful thinking, considering the increasingly sophisticated threats at hand. Executive management and information security teams have a responsibility to their organizations, their shareholders, and their customers to effectively teach employees how to recognize and avoid these attacks. The right approach to change user behavior is not difficult to implement but requires a consistent model of education and training to keep employees away from the pitfalls. Without this mindset, phishing threatens to continue its negative impact on companies and the US economy.

Joe Ferrara, President and CEO of Wombat Security Technologies, a leading provider of security education to change employee behavior. Mr. Ferrara has provided expert commentary and has spoken at numerous information security industry events including CIOSynergy, Credit Union ...

Comments
IvySchmerken, User Rank: Author, 9/8/2014 | 8:26:18 AM
Re: sharing passwords?
Some media professionals tweet all day long. I doubt they are logging off of their accounts to protect against cyber intruders. I don't think someone who works for a bank would be doing this, so maybe this is a moot point. As a safety check, some sites, like Hoosite, automatically log the user out after a certain amount of time has passed.
NJ_trader, User Rank: Moderator, 9/4/2014 | 6:43:49 AM
sharing passwords?
25% of social media users share passwords? Wow! Of course they are going to be hacked. Yikes.