Phishing attacks continue to plague businesses around the world with great success, but why?
Cyber criminals target the human element of organizations, developing techniques that use an organization’s employees as a first point of entry. According to the Verizon DBIR 2021 report, phishing was the main vector for over 80% of the 3,841 reported security breaches that used social engineering. According to the Proofpoint State of the Phish 2021 report, 66% of companies experienced targeted phishing attempts in 2020, showing that no company is immune to phishing attacks. For example, SANS Institute, a provider of cybersecurity training and certification services, lost over 28,000 records of personally identifiable information (PII) in a data breach that occurred after an employee fell victim to a phishing attack. We share these stats to highlight the business value of the Social-Engineer Phishing Service (SEPS). The goal of this service is to train your employees to become your company’s first line of defense.
Phishing attacks – sophisticated and targeted
Gone are the days when phishing emails consisted of broken English and poor grammar, or a simple “click now” to win some outrageous prize offer. Skilled phishers these days send sophisticated emails that appear to have come from a legitimate source. For example, the most effective phishing emails are now sent from a “colleague”, a specific department such as HR, or a third-party provider. They use everything from an organization’s logo and layout to its internal language. Targeted spear phishing attacks target the personal interests of a specific person. These days phishing emails are so good that they instantly instill credibility, and users don’t think twice before acting. One of our customers told us how he was fooled by the attackers sending email from their own domain! By then, it is too late.
Train the way you fight because you will fight the way you trained
It is time for companies to take a cue from martial arts training when preparing for security breaches. By making an effort to train their employees, they equip them with the skills to protect the company’s intangible assets.
In martial arts, sparring is a mechanism to test techniques learned in the studio. A martial artist can master a technique while standing still, but will find the technique much more difficult to perform when faced with a moving opponent. When a person experiences a real attack, they switch to fight or flight mode. Someone who has mastered martial arts but has never executed against a determined assailant may find these skills difficult to apply in the heat of the moment. This can be compared to a well-designed phishing email. An employee may know better. But what will the employee do when they receive an authentic-looking email from an internal source stating that false information was submitted? The person’s first reaction may be to respond and provide the “correct” data.
In sparring, some techniques work well against tall people. However, the same techniques are not as effective when fighting a compact and sturdy individual. Martial artists need to learn to adapt constantly. Sparring enables martial artists to become confident with techniques they have learned. In addition, it gives them the opportunity to grow from actual mistakes. An organization can emphasize the importance of security. However, unless employees are exposed to a credible vector of attack, they will not learn how to respond appropriately.
The Social-Engineer Phishing Service (SEPS) helps companies fight sophisticated, targeted threats
Military experts train their soldiers to fight for the worst case. Likewise, companies should train their employees to identify social engineering attacks in order to improve general security. The concept of phishing one’s own employees has been around for years. However, the concept of a bespoke and continuous phishing service is unique.
From start to finish, Social-Engineer helps turn an organization’s most unpredictable asset (its employees) into the first line of defense. If an employee understands the value of reporting suspicious activity to their internal security department, they will likely respond to real-world scenarios in the same way. Rather than just training employees to look for suspicious activity, the Social-Engineer team teaches users to think critically, and to identify, properly report, and act on phishing emails. It is important that employees understand the assets they are responsible for protecting and how they can better protect them. Security starts with every single user.
By sending out an initial wave of well-designed phishing emails, Social-Engineer establishes a baseline for a company’s vulnerability to this type of attack. From there, our team conducts a thorough debriefing that focuses on remediation and clarification. We repeat this process with increasingly sophisticated phishing education. By running ongoing and regular phishing campaigns, organizations can quickly develop a culture of phishing awareness and education. Our service can also provide advanced metrics such as click and reporting rates, repeat offenders, and trending data to identify specific areas of improvement and ultimately ROI.
Protect your company with the phishing service from Social-Engineer
When it comes down to it, employees who know they are being tested are more inclined to report questionable emails and activity and to respond appropriately. By keeping their employees on their toes, companies significantly improve their overall security posture. Organizations that have implemented our SEPS program have had the following experiences:
- increased positive dialogue between employees and IT teams;
- a dramatic decrease in known malware incidents and malware infection rates (one customer saw a 70% decrease);
- decreased frequency of computer re-imaging;
- a reduction in drive-by downloads and adware; and
- less disruption to the corporate network.
The results are real, but don’t just take our word for it
The graphic below shows data from one of our customers who implemented SEPS. Before working with Social-Engineer, this organization ran a phishing training program itself using a popular phishing tool. They regularly sent out emails and tested their entire population. On the surface, everything was what a phishing program should be. However, despite its best efforts, the organization simply did not achieve the results it expected. After a year of going it alone, they contacted Social-Engineer for help in improving their program. After 6 months in the SEPS program, the organization continued to see tremendous results.
The graphic below shows the tremendous business value of the Social-Engineer Phishing Service after just a month. Most noticeably, there was an increase in suspicious email detection across the population.
What were the results?
Over 370% more phishing emails caught
Organizations spend hundreds of thousands on IDS systems, firewalls, and other protections to monitor the network, but a clever phishing attack can lead to total destruction without the attacker having to hack anything. It is a matter of when, not if, your organization is targeted. Implementing a well-managed phishing and training program is a cost-effective mechanism to prepare your employees for real-world situations and to keep your company out of the headlines. The business value of the Social-Engineer Phishing Service is well worth investigating. Further information can be found at https://www.social-engineer.com/services/se-phishing-service/.
Sources
https://www.verizon.com/business/resources/reports/dbir/
https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf
https://www.securitymagazine.com/articles/93073-sans-institute-suffers-data-breach-due-to-phishing-attack
*** This is a Security Bloggers Network syndicated blog from Social-Engineer, LLC. authored by Social-Engineer. Read the original article at: https://www.social-engineer.com/business-value-phishing-service/
source https://collegeeducationnewsllc.com/the-business-value-of-the-social-engineer-phishing-service/