Why anti-phishing training is not enough
It’s time for us to take a close look at why we rely so heavily on end users to spot phishing scams that can put an entire business at risk. As hackers continue to refine their social engineering techniques, phishing attacks become harder to detect and are missed 39% of the time. Even if you think your anti-phishing training program is up to date, your organization will remain exposed for as long as email is needed for business operations.
Because we all interact with email on a daily basis, we extend it a blind degree of trust despite ongoing and sophisticated anti-phishing training. Hackers frequently attempt to elicit an emotional response from their target, for example by sending urgent messages “from” human resources or the CEO. Such messages are more likely to result in inappropriate downloads or email replies that can damage the entire organization.
File sharing via email is another necessary business function that puts the organization at significant risk of breach. According to Proofpoint’s “2021 State of Phishing Report”, attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those containing files they need to collaborate on, especially now that remote working is so common. Currently, the average failure rate for attachment-based attacks is 20%, much higher than the 12% for URL-based attacks.
Why anti-phishing training is not successful
If you think this is just a pandemic-related issue, think again: it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks, compared with just 10% of organizations that focused on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails appearing to come from a recognizable internal account, such as a supervisor or someone in HR.
Notably, the HR department is at increased risk of falling victim to an attachment-based attack because of the resumes and other files from outside sources that it handles on a daily basis. For example, in 2020, hackers were able to evade a sandbox by embedding malware in resumes and medical leave forms.
Additionally, training that puts pressure on employees who open an email from an untrusted source creates problems of its own. Giving employees the impression that they will be fired if they fail a test or miss a dangerous email can make phishing training a traumatic experience.
Finally, the programs can also come across as insulting. For example, the Tribune Publishing Company received negative feedback after sending anti-phishing training emails promising big bonuses – in the middle of a global pandemic, as journalists were being laid off and facing pay cuts. Such incidents can cause a serious disconnect between the security team and the rest of the organization, and they do nothing to build camaraderie or motivate people to learn more about security.
It’s time to stop blaming end users
Beyond users being duped by increasingly sophisticated – and socially engineered – phishing campaigns and other cyber exploits, there is a plethora of threats against which user awareness training – and most security solutions – can do nothing. Solutions that rely on signature databases and cannot detect zero-day exploits or undisclosed threats leave significant gaps. Zero-day malware is constantly being developed and eludes some of the best detection mechanisms. Yet the security defenses of many organizations still focus largely on threat detection and anti-phishing training.
These solutions can give end users a false sense of security, a belief that they are protected no matter what, when in fact many threats slip through the cracks. If a security solution cannot detect these threats, why would you expect employees to be able to detect them? Deploying detection-based solutions and relying on user awareness training will not provide the protection businesses need.
Even if better-trained users could stop more attacks and create a more secure cyber ecosystem, over-reliance on phishing training will remain insufficient, especially given recent developments that strain the awareness training already in place. Once organizations shifted to large-scale remote working, phishing training moved down the list of priorities, and cuts in security budgets threaten to withdraw funding for more advanced and effective measures.
Put simply, putting all your eggs in the cybersecurity awareness basket is ineffective. Organizations should devote more resources to prevention solutions rooted in data and technology, which have a much better chance of keeping pace with the rapidly changing threat landscape and do not place the blame on well-meaning employees.
Aviv Grafi is CEO and Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds using Secure File Gateway solutions. Aviv is the lead software architect for Votiro’s enterprise solution, which is based on a unique positive approach …