Page 43 - Cyber Warnings

Phishing Mitigation Must Go Far Beyond Employee Education

By Eyal Benishti, founder and CEO, IRONSCALES

Around the world, phishing attacks have evolved from a matter-of-fact nuisance into an
epidemic in which enterprises, on average, spend $4 million per event to remediate. Perpetrated
by every type of cyber criminal, from nation state threat actors and hacktivists to script-kiddies
and fraudsters, phishing now accounts for 95 percent of all successful cyber attacks worldwide.


In the first quarter of 2016, phishing attacks surged by 250 percent, the highest rate recorded since
2004, according to the Anti-Phishing Working Group (APWG). These attacks have compromised millions of
employee W-2 records at large enterprises such as Time Warner Cable, healthcare networks, and insurance
companies, among others.

Further, ransomware, malware that blocks access to a computer system until a sum of money is paid and
which is used in 86 percent of phishing attacks, continues to be a growing threat perpetrated by more
determined and aggressive attackers. According to APWG co-founder and Secretary General Peter
Cassidy, “The threat space continues to expand despite the best efforts of industry, government and
law enforcement.” With a record number of phishing-related cyber attacks this year already,
enterprises must call into question whether their current phishing mitigation efforts are effective.
Most likely, they are not.

The Phishing Band-Aid

Traditional phishing defenses were centered on email filters and anti-virus software, but
organizations soon realized that these solutions were ineffective. The current phishing fix – or
attempted fix – has centered on human intelligence, or the belief that extensive training can
transform ordinary workers into hyper-vigilant phishing detectives.

However, the jury is still out on the effectiveness of employee education. According to the most
recent IBM Security Officer Assessment, “95 percent of information security incidents involve
human error.” In other words, some employees will simply never learn the consequences of opening
a malicious email or downloading a suspicious attachment. Additionally, the average 1000-person
company saves only 10 percent of attack losses as a result of “substantial training and security
awareness activities,” according to the Ponemon Institute.

A search for ‘phishing mitigation’ or similar phrases online returns countless articles and organizations
that promote employee education in the top results. Yet, with malware, bots, spamming and spoofing
growing in both frequency and sophistication, organizations must realize that education and training,
while important, are simply not enough on their own.

Employee education will continue to play a role in mitigating phishing attacks. However, because
training is intrusive, because it relies on employees to report attacks, and because it leaves the
burden of remediation on security operations center (SOC) teams, organizations that rely solely on
employee education are likely to remain a primary target for phishing attacks.
43 Cyber Warnings E-Magazine – September 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide