It takes only a matter of seconds for an individual to send an email that may lead to a multi-million dollar breach. Even more concerning, in most cases, the responsible party doesn’t even realize the error.
How can this scenario be prevented? One component to overcoming this challenge lies in educating employees on the dangers of social engineering – the use of deception to manipulate individuals into sharing confidential or personal information for fraudulent purposes – and instructing them about detection methods.
A Changing Cybersecurity Landscape
If one click can compromise an entire organization’s sensitive data and systems, then not even an organization that has invested millions of dollars in IT and security infrastructure is immune to attack.
That is the reality of today’s cybersecurity landscape. One of the biggest challenges today is end-user-focused social engineering attacks.
Social Engineering Attacks
Social engineering as a method of attack is not a new concept. Individuals and hackers have been using these people-focused deception techniques for decades to manipulate targets and extract sensitive information.
However, the adoption and usage of social engineering as a primary method of cyber attacks has dramatically risen in the past five to seven years. As more organizations developed an online presence, fully integrated their email and network access, and expanded their digital footprint, the use of social engineering has come to represent one of the easiest and most successful exploit methods for an attacker.
It is important to note that many cyber attackers are part of a group or organization run as a for-profit business. Just like a board or executive suite, attackers are focused on key metrics such as the bottom line and achieving a high return on investment.
Rather than spending hours, days, or weeks attempting to penetrate your security infrastructure with sophisticated attacks and advanced persistent threats, today's attackers see a higher ROI and success rate in widespread phishing email attacks. In a matter of hours, an attacker can develop a customized email attack and distribute it to hundreds or thousands of addresses. A single click is all it takes for a user to fall victim and for the attacker to capitalize.
When you consider the number of employees in your organization and the number of emails each employee receives on a daily basis, the expansiveness and diversity of the "attack surface" (the end users) is a gold mine. Combined with end users who hold elevated credentials and use weak passwords, a successful attack is probable.
Attack Prevention Through Education
What can you do? Combining real phishing exercises with in-the-moment feedback and training is the best way to educate and improve your end users’ security awareness.
While many organizations implement an annual security training module, educating end users requires ongoing effort. That effort should include content-specific training focused on the types of social engineering and ransomware attacks being delivered today.
Organizations that implement an internal phishing education program have seen dramatic results in improving their end users' awareness and ability to detect phishing attempts. Effective programs deliver phishing emails to internal recipients and monitor which users open the email, click on the link, download the attachment, and authenticate to the fake website. With each failure, targeted training can be delivered to the end user to help them identify what went wrong and provide meaningful examples of how to improve.
Clients who have adopted the exercise and training program have seen a dramatic improvement in end users' performance. Results have shown that after a few months of exercises, the percentage of failures (employees who click on the link) decreased from an initial 50-60% in their first campaign to under three percent.
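The failure tracking described above, as an added example that is not part of the original article: it aggregates a constructed event log (one "campaign,user,stage" line per event, with stage names assumed here) into the per-campaign failure rate the text quotes and a lesson for each user who failed.

```python
# Added example (not the article's code): aggregate the per-user events an
# internal phishing exercise records into a per-campaign failure rate and a
# per-user lesson. Stage names, lesson text and log format are assumptions.
from collections import defaultdict
# Stages in severity order; a user's result is the deepest one reached.
STAGES = ["delivered", "opened", "clicked", "downloaded", "authenticated"]
RANK = {stage: i for i, stage in enumerate(STAGES)}
FAIL_FROM = RANK["clicked"]  # the article counts a click as a failure
TRAINING = {  # lesson matched to the worst action a user took
    "clicked": "check where a link really points before clicking",
    "downloaded": "do not open unexpected attachments",
    "authenticated": "never enter credentials on a page reached from an email",
}
# Constructed sample log: one "campaign,user,stage" event per line.
SAMPLE_LOG = """\
c1,alice,delivered
c1,alice,opened
c1,alice,clicked
c1,bob,delivered
c1,bob,authenticated
c1,carol,delivered
c2,alice,delivered
c2,alice,opened
c2,bob,delivered
c2,bob,clicked
"""

def deepest_stage(log):
    """Return {campaign: {user: deepest stage reached}} from raw events."""
    deepest = defaultdict(dict)
    for line in log.strip().splitlines():
        campaign, user, stage = line.split(",")
        if stage not in RANK:
            raise ValueError(f"unknown stage {stage!r}")
        prev = deepest[campaign].get(user)
        if prev is None or RANK[stage] > RANK[prev]:
            deepest[campaign][user] = stage
    return deepest

def failure_rate(log):
    """Per campaign, percent of recipients who clicked or went further."""
    return {c: round(100 * sum(RANK[s] >= FAIL_FROM for s in users.values())
                     / len(users), 1)
            for c, users in deepest_stage(log).items()}

def training_needed(log, campaign):
    """Lesson for each failing user in a campaign, keyed by user."""
    return {u: TRAINING[s] for u, s in deepest_stage(log)[campaign].items()
            if RANK[s] >= FAIL_FROM}
```

Running the same aggregation over each successive campaign's log gives the downward trend in failure rate that the paragraph above reports.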
For more information and help with implementing a campaign of your own, contact our cybersecurity team.