As the CEO of a leading cyber security education company, I continue to be shocked by the increasing number of successful phishing attacks and what that means to the long-term health of our economy. According to the Anti-Phishing Working Group (an international security industry coalition), phishing attacks worldwide have been reaching all-time highs, and the fraudsters continue to go where the money is. Payment services account for 47% of phishing email subjects, while other financial services firms were 20%, and the retail/service sector made up 11% of the phishing email subjects.
According to a popular fraud report by RSA, the security division of EMC, in 2013 there were nearly 450,000 phishing attacks and record estimated losses of more than $5.9 billion. US companies have the second most costly data per record ($188) and an estimated total cost per breach of $5.4 million, and this does not even include the impact of intellectual property stolen through these phishing attacks. Bottom line: the risk of data breaches and the financial damages associated with them are significant for companies of all sizes. Phishing remains an ominous threat to consumers and businesses around the world and continues to shift wealth away from US companies to criminals and other nations.
Enabling the phishers
What many people don’t realize is that company employees are giving cyber criminals everything they need to launch very successful and sophisticated attacks. Uneducated employee use of social networking sites is feeding the phishing problem.
First and foremost, everyone is oversharing personal and company information. This gives new meaning to the term “TMI” (Too Much Information). We are sharing far too much on social networking sites, including everything from our birthdays and anniversaries to our kids' names, our friends' names, our co-workers, what we like, what we are doing at work, and more. All of this information can be used to create very targeted and believable phishing attacks that get employees to click links to malicious sites, download computer viruses, or give away their user names and passwords.
In addition to the oversharing, there are many other risky behaviors in social media:
- 39% of users don’t log out after each session
- 25% share their passwords
- 31% connect with people they don’t know
As a result, 15% of social media users have had their profiles hacked and impersonated. On the surface, 15% of social media users being compromised doesn’t seem like many. But consider that right now there are 1.4 billion people on Facebook alone. That equates to an astounding 210 million people who have potentially had their profiles hacked and impersonated, giving criminals even more information to create targeted attacks on a growing percentage of the population.
What is the best way to combat phishing attacks?
According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as a vulnerability. There’s a good reason for this rating. Security technology, the first approach to protecting a corporate IT infrastructure, is proving itself ineffective in protecting against phishing attacks (otherwise known as social engineering attacks). It takes an educated human to identify when “something doesn’t seem quite right about this” so he or she can avoid an attack. Of course, employees can only do this if they have the knowledge to spot an attack in progress and avoid opening themselves or their employer to it.
Yet even with the sobering statistics on the cost to companies and the US economy, 4 out of 10 organizations still don’t provide any ongoing security education to their staff. Meanwhile, according to a PWC survey, organizations with a security awareness program in place were 50% less likely to have staff-related security breaches.
It starts with training employees to avoid phishing attacks
If you think about it, individuals are most aware of their security behavior at work, where careless errors can be detected and frowned upon by employers. Fortunately, corporate security education programs are beginning to advance beyond a compliance officer checking a box that an employee read the security policy, or static PowerPoint presentations, or the dreaded hour-long video training.
Today, education in the form of engaging software programs, security education games, and even mock attacks that catch employees in the act and educate them on the spot is making an impact. These methods keep the latest phishing schemes top-of-mind for employees, and the learning lasts longer than with other education methods. To be most effective, cyber security education must be continuous, to maximize learning and lengthen retention of the topics covered. A continuous cycle of assessing knowledge and vulnerability levels, providing education, and following up with evaluation has been proven to reduce vulnerability and ensure users retain the training content delivered.
It’s time for a big change
Phishing attacks aren’t going away any time soon. The mindset that eventually someone will find a technology that prevents these types of attacks is wishful thinking, considering the increasingly sophisticated threats at hand. Executive management and information security teams have a responsibility to their organizations, their shareholders, and their customers to effectively teach employees how to recognize and avoid these attacks. The right approach to change user behavior is not difficult to implement but requires a consistent model of education and training to keep employees away from the pitfalls. Without this mindset, phishing threatens to continue its negative impact on companies and the US economy.