Security Awareness Training: Can Your People be Patched?
By: Jane Wasson |@Area1Security | Area 1 Security
Some things just go together: Bacon and eggs, peanut butter and jelly, Batman and Robin, anti-phishing tech controls and security awareness training.
Phishing attacks continue to be the root cause of 95 percent of cyber breaches. That’s why Gartner advises CISOs to make anti-phishing a top security project for 2018. Specifically, they recommend CISOs combine anti-phishing technical controls and security awareness training to best reduce risk and protect from breaches. For organizations that are experiencing successful phishing attacks against their employees, Gartner suggests deploying anti-phishing technical controls as the primary strategy to block as many attacks as possible and implementing security awareness training as a supplement to those controls.
Why Both Technical Controls and Training?
On its own, security awareness training isn’t sufficient to defend against phishing attacks. The good news is that awareness training helps reduce phishing risk. Security awareness vendors report that after their customers execute a training program, employee susceptibility to interacting with phishing emails is reduced from approximately fifty percent before training, to about fifteen percent after training.
That’s good progress, but it takes only one successful phishing email to breach your organization. Let’s look at the math:
So even after training, there’s still a risk that 3000 employees are susceptible to phishing, and that’s 3000 too many, since it only takes one click for a phishing attack to succeed and breach your network. The odds are in favor of threat actors when security awareness alone is relied on to protect against attacks.
Security Awareness Alone Can’t Stop Phishing Breaches
Organizations are often required to deploy security awareness training to meet regulatory, legal, or industry requirements, but even when organizations are required to implement training, recent cybersecurity incidents demonstrate that phishing attacks still succeed. For example, the Health Insurance Portability & Accountability Act (HIPAA) §164.308.(a).(5).(i) requires that healthcare organizations implement a security awareness and training program for all members of their workforce. Despite this, we’ve still seen multiple successful phishing attacks in the healthcare industry over the past year. Here are a few recent headlines :
- 1.4 million patient records breached in UnityPoint Health phishing attack. UnityPoint Health notified 1.4 million patients that their records may have been breached when its business system was compromised by a phishing attack.
- Thousands of patients’ data stolen after Children’s Mercy employees fall for scam. A phishing attack targeting employees at Missouri-based Children’s Mercy Hospital may have compromised PHI on more than 60,000 individuals.
- Phishing attack breaches 38,000 patient records at Legacy Health. The hackers went undetected for several weeks at this Portland, Oregon-based health system.
The financial industry is also subject to meeting regulatory requirements for security training. The Gramm-Leach-Bliley Act (GLBA) specifies information security training requirements via its GLBA Safeguards Rule, 16 CFR 314.4., and yet we’ve seen multiple successful attacks against this industry in the past:
- Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M. Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million.
- Frost Bank Says Data Breach Exposed Check Images. Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced that it discovered the unauthorized access to images of checks stored electronically. The information that was accessed as part of the incident could be used to forge checks, the company says.
So, while security awareness training helps organizations meet their regulatory and legal requirements to educate employees, it’s clear from these incidents at organizations subject to security awareness training requirements that training doesn’t stop phishing breaches.
Further, not only do phishing breaches still occur after security awareness training is implemented, but the cost of training can be significant. Also, managing training programs can take resources away from critical business initiatives. Plus, employees often view security training, and the responsibility of taking the time to analyze and evaluate whether an email or a link seems authentic, as a hindrance to productivity. Training can also leave a false sense of security because copyright laws restrict the use of brand logos without the brand’s permission. So spoofed test emails are easier for employees to recognize than hacker phishing emails because hackers don’t care about copyright laws and use logos without the brand’s permission. Lastly, business today is mainly online. Security awareness training can make employees fearful of online interactions and can be counter-productive to getting work done.
Gartner Recommends Organizations Deploy Advanced Anti-phishing Technical Controls
To best protect from phishing breaches, Gartner recommends organizations deploy advanced technical controls to block as many phishing attacks as possible, supplementing any user training or awareness programs that are already in use.
Specifically, organizations should look towards next-generation technical controls to block phishing attacks at the outset and close the current gaps that exist. Area 1 Security is honored to have been mentioned by Gartner at their 2018 Security Summit as a “state-of-the-art technology” that helps stop phishing.
Gartner highlighted how Area 1 is like a Google, preemptively crawling the world’s websites and using big data and machine learning to identify phishing sites as they’re constructed, and then proactively blocking attacks before they impact customer end users.
Get Ahead of Phishing Attacks
If your organization is struggling to get ahead of phishing attacks and overly reliant on legacy defenses or user training, Area 1 Security can help immediately close that gap, in a comprehensive and accountable way. To learn more, watch the webinar.
