Phishing Education & Awareness Training

Elaine Dzuba, October 1, 2020

Some things just go together: Bacon and eggs, peanut butter and jelly, Batman and Robin … anti-phishing technology and security awareness training.

Phishing attacks continue to be the root cause of 95 percent of cyber breaches (a fact we hope you won’t forget amongst all the other things you’ll see/hear/read during Cyber Security Awareness Month). And in its latest 2020 Market Guide for Email Security (ID: G00722358) Gartner continues to recommend anti-phishing behavioral conditioning (aka security awareness training) as phishing attacks continue to become more sophisticated.

However, Gartner also goes on to state that security awareness training needs to be complemented by technology investments such as Integrated Email Security Solutions (IESS) for their advanced phish detection capabilities, acknowledging that “user awareness is not 100% effective.”

Why Both Technical Controls and Training?

According to a recent survey conducted by Osterman Research, nearly 60 percent of employees were not confident in their ability to identify a social engineering attack. But on its own, security awareness training isn’t sufficient to defend against phishing attacks.

The effectiveness of security awareness programs also varies. While they can help reduce phishing risk, organizations must make a concerted effort to keep awareness programs running, because the effect of phishing awareness training wears off after only a few months. Other studies indicate that while training was perceived as effective, it did not actually reduce employee susceptibility to phishing.

Yet another study, published in September in the Journal of Cybersecurity, noted that “when a user’s work context was well aligned with the phishing email premise, they were more likely to attend to compelling cues, and completely ignore or largely discount suspicious cues.”

[Diagram: Phishing Education & Awareness Training]

Why Security Awareness Won’t Stop Breaches from Phishing

Organizations are often required to deploy security awareness training to meet regulatory, legal, or industry requirements. But even when organizations are required to implement training, recent cybersecurity incidents demonstrate that phishing attacks still succeed.

For example, the Health Insurance Portability & Accountability Act (HIPAA) §164.308(a)(5)(i) requires that healthcare organizations implement a security awareness and training program for all members of their workforce. Despite this, we’ve still seen multiple successful phishing attacks in the healthcare industry over the past year. Here are just a few recent headlines:

  • Universal Health Services (UHS), one of the largest healthcare services providers in the United States and United Kingdom, was forced to temporarily shut down systems due to a ransomware attack initiated through a successful phishing attack. The ransomware in question, Ryuk ransomware, is particularly concerning for the healthcare industry as it can propagate and infect Internet of Medical Things (IoMT) devices.
  • A hospital ransomware attack led to a German woman’s death. The attack encrypted Düsseldorf University Clinic’s servers, forcing the hospital to attempt to relocate patients, resulting in the woman’s passing.
  • Imaging provider Assured Imaging was hit by an attack that exposed records of nearly 245,000 patients. The compromised electronic health record system held full names, addresses, dates of birth, patient IDs, and other medical information.
  • UCSF School of Medicine was forced to pay $1.14 million to decrypt files after suffering an opportunistic ransomware attack.

The financial services industry, which experiences up to 300 times as many cyber attacks per year as other industries, is also subject to regulatory requirements for security training. The Gramm-Leach-Bliley Act (GLBA) specifies information security training requirements via its GLBA Safeguards Rule, 16 CFR 314.4, and yet we’ve seen multiple successful attacks against this industry in the past:

  • BancoEstado, one of Chile’s largest banks, shut down all branches after a ransomware attack infiltrated the company through a malicious phishing email. The attack originated from a malicious Microsoft Office document sent to an employee.
  • A sophisticated phishing campaign targeted Lloyds Bank, the largest retail bank in Britain. The attack attempted to steal users’ credentials and account information, and send mobile users to fraudulent sites.

So, while security awareness training helps organizations meet their regulatory and legal requirements to educate employees, these incidents at organizations that are subject to such requirements make it clear that training alone doesn’t stop phishing breaches.

Further, not only do phishing breaches still occur after security awareness training is implemented, but the cost of recurring training can be significant. Plus, employees often view security training, and the responsibility of taking the time to analyze and evaluate whether an email or a link seems authentic, as a hindrance to productivity.

Training can also leave a false sense of security. Copyright laws restrict the use of brand logos without the brand’s permission, so the spoofed test emails used in training are easier for employees to recognize than real phishing emails. Hackers don’t care about copyright laws and use logos without the brand’s permission (PS: DMARC won’t catch brand spoofs either).

Lastly, business today is mainly online. Security awareness training can make employees fearful of online interactions and can be counter-productive to getting work done.

Gartner Recommends Organizations Deploy Advanced Anti-phishing Technical Controls

To best protect from phishing breaches, Gartner recommends organizations deploy advanced technical controls to block as many phishing attacks as possible, supplementing any user training or awareness programs that are already in use.

Specifically, organizations should look at advanced technical controls that “detect threats before they arrive at the user’s inbox.” Area 1 Security is honored to have been included by Gartner in the 2020 Market Guide for Email Security as an IESS with advanced capabilities including “machine-learning-based detection trained on existing emails, image analysis, account takeover detection and image recognition of URLs to identify phishing attacks.”

Get Ahead of Phishing Attacks

If your organization is struggling to get ahead of phishing attacks, even after implementing legacy defenses or user training, Area 1 Security can help immediately close that gap in a proactive, comprehensive and accountable way. To learn which threats are bypassing your current defenses, request a complimentary Phishing Risk Assessment here.

Want to keep up to date with the latest phishing trends?

Subscribe to our newsletter here!


  • anti-phishing
  • Gartner
  • phishing education
  • security awareness training
Area 1 Security

[email protected]

Sales 650.381.1647

142 Stambaugh Street
Redwood City, CA 94063

© 2021 Area 1 Security