Phishing Education & Awareness Training

Some things just go together: Bacon and eggs, peanut butter and jelly, Batman and Robin … anti-phishing technology and security awareness training.

Phishing attacks continue to be the root cause of 95 percent of cyber breaches (a fact we hope you won’t forget amongst all the other things you’ll see/hear/read during Cyber Security Awareness Month). And in its latest 2020 Market Guide for Email Security (ID: G00722358) Gartner continues to recommend anti-phishing behavioral conditioning (aka security awareness training) as phishing attacks continue to become more sophisticated.

However, Gartner also goes on to state that security awareness training needs to be complemented by technology investments such as Integrated Email Security Solutions (IESS) for their advanced phish detection capabilities, acknowledging that “user awareness is not 100% effective.”

Why Both Technical Controls and Training?

According to a recent survey conducted by Osterman Research, nearly 60 percent of employees were not confident in their ability to identify a social engineering attack. Yet on its own, security awareness training isn’t sufficient to defend against phishing attacks.

The effectiveness of security awareness programs also varies. While they can help reduce phishing risk, organizations must make a concerted effort to keep awareness programs running, because the effect of phishing awareness training wears off after only a few months. Other studies indicate that while training was perceived as effective, it did not actually reduce employee susceptibility to phishing.

Yet another study, published in September in the Journal of Cybersecurity, noted that “when a user’s work context was well aligned with the phishing email premise, they were more likely to attend to compelling cues, and completely ignore or largely discount suspicious cues.”

Why Security Awareness Won’t Stop Breaches from Phishing

Organizations are often required to deploy security awareness training to meet regulatory, legal, or industry requirements. But even when organizations are required to implement training, recent cybersecurity incidents demonstrate that phishing attacks still succeed.

For example, the Health Insurance Portability & Accountability Act (HIPAA) §164.308(a)(5)(i) requires that healthcare organizations implement a security awareness and training program for all members of their workforce. Despite this, we’ve still seen multiple successful phishing attacks in the healthcare industry over the past year. Here are just a few recent headlines:

  • Universal Health Services (UHS), one of the largest healthcare services providers in the United States and United Kingdom, was forced to temporarily shut down systems due to a ransomware attack initiated through a successful phishing attack. The ransomware in question, Ryuk ransomware, is particularly concerning for the healthcare industry as it can propagate and infect Internet of Medical Things (IoMT) devices.
  • A hospital ransomware attack led to a German woman’s death. The attack encrypted Düsseldorf University Clinic’s servers, forcing the hospital to attempt to relocate patients, and the woman died as a result.
  • Imaging provider Assured Imaging was hit by an attack that exposed records of nearly 245,000 patients. The compromised electronic health record system held full names, addresses, dates of birth, patient IDs, and other medical information.
  • UCSF School of Medicine was forced to pay $1.14 million to decrypt files after suffering an opportunistic ransomware attack.

The financial services industry, which experiences up to 300 times as many cyber attacks per year as other industries, is also subject to regulatory requirements for security training. The Gramm-Leach-Bliley Act (GLBA) specifies information security training requirements via its GLBA Safeguards Rule, 16 CFR 314.4, and yet we’ve seen multiple successful attacks against this industry in the past:

  • BancoEstado, one of Chile’s largest banks, shut down all branches after a ransomware attack infiltrated the company through a malicious phishing email. The attack originated from a malicious Microsoft Office document sent to an employee.
  • A sophisticated phishing campaign targeted Lloyds Bank, the largest retail bank in Britain. The attack attempted to steal users’ credentials and account information, and send mobile users to fraudulent sites.

So, while security awareness training helps organizations meet their regulatory and legal requirements to educate employees, it’s clear from these incidents at organizations subject to security awareness training requirements that training doesn’t stop phishing breaches.

Further, not only do phishing breaches still occur after security awareness training is implemented, but the cost of recurring training can be significant. Plus, employees often view security training, and the responsibility of taking the time to analyze and evaluate whether an email or a link seems authentic, as a hindrance to productivity.

Training can also leave a false sense of security: copyright law restricts the use of brand logos without the brand’s permission, so the simulated phishing emails used in training are easier for employees to recognize than real attacker emails. Hackers don’t care about copyright law and use logos without the brand’s permission (PS: DMARC won’t catch brand spoofs either, since it authenticates the sending domain, not the message content).

Lastly, business today is mainly online. Security awareness training can make employees fearful of online interactions and can be counter-productive to getting work done.

Gartner Recommends Organizations Deploy Advanced Anti-phishing Technical Controls

To best protect from phishing breaches, Gartner recommends organizations deploy advanced technical controls to block as many phishing attacks as possible, supplementing any user training or awareness programs that are already in use.

Specifically, organizations should look at advanced technical controls that “detect threats before they arrive at the user’s inbox.” Area 1 Security is honored to have been included by Gartner in the 2020 Market Guide for Email Security as an IESS with advanced capabilities including “machine-learning-based detection trained on existing emails, image analysis, account takeover detection and image recognition of URLs to identify phishing attacks.”

Get Ahead of Phishing Attacks

If your organization is struggling to get ahead of phishing attacks, even after implementing legacy defenses or user training, Area 1 Security can help immediately close that gap in a proactive, comprehensive and accountable way. To learn which threats are bypassing your current defenses, request a complimentary Phishing Risk Assessment here.
