Phishing Training is Important. It is Not a Panacea.

Reducing the attack surface is top priority

Gil Friedrich

New York City, N.Y. – Dec. 15, 2021

Phishing training is essential. It is a vital part of every organization’s defensive posture. When automated systems fail, the end user may be the very last line of defense. If users are not trained, that layer becomes ineffective.

Humans are imperfect on the best of days. When reading a hundred emails in the middle of a stressful workday, even a well-trained and observant employee can click on a malicious email. As early as 2018, Microsoft pointed this out, saying that, “…phishing and other social engineering tactics can be more simple and effective than other methods and they work most of the time for more human beings.”

Consider: one study found that the effect of phishing awareness training wears off, and that training needs to be repeated roughly every six months. Think about it: if your organization had run a large-scale phishing training campaign in January 2020, that training would have been of little help against the COVID-related lures that appeared soon afterward, because those lures did not exist yet when the training was designed.

Now, new data shows just how many users will click on a phishing email. In the latest simulation from Terranova’s annual Gone Phishing Tournament, 19.8 percent of the end users who received the simulated phishing email clicked the link. Further, 14.4 percent of all recipients failed to recognize that the resulting webpage was not legitimate and went on to download the (simulated) malicious file.

Phishing training will help. But when nearly 20 percent of end users click on phishing links, trouble is afoot.

That’s why it’s never been more critical to block malicious emails and files from reaching the inbox in the first place, using AI and ML. In the same way that driver-assistance systems can augment an inattentive driver, automated systems can perform the same analysis that an intelligent human might perform after years of training, but do so repeatedly, patiently, and quickly for every single message.

Two data points stand out. According to research, it takes some solutions, on average, three minutes and three seconds to remediate a malicious email and remove it from the inbox. Depending on the environment, that number can be far higher. Further, research has shown that it takes, on average, 82 seconds for a user to click on a phishing attack.

This means that a large portion of your user base will click a phishing link before the message is removed. It becomes a race between the user’s click and the remediation tool, and with those numbers the organization is likely to lose it.
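To make the race concrete, here is a small model, added here as an example and not code from the original article or from Avanan. The article gives only two averages (82 seconds to the first click, 3 minutes 3 seconds to remediate) plus the Terranova click rate of 19.8 percent; the model assumes that time-to-click follows an exponential distribution with that mean, which is an assumption the article does not make, and the real distribution is unknown. The function names are hypothetical. Under that assumption it computes how many eventual clickers beat the remediation tool, how many of all recipients are exposed, and how fast remediation would have to be to keep the exposed share under a chosen target.

```python
"""Race between a user's click and automated remediation.

Added example, not code from the original article or from Avanan.
The article supplies only averages; the exponential distribution for
time-to-click is an ASSUMPTION made here so that the averages can be
turned into fractions. Real click times are likely heavier-tailed.
"""
import math

MEAN_CLICK_SECONDS = 82.0          # article: average time to first click
REMEDIATION_SECONDS = 3 * 60 + 3   # article: 3 min 3 s average to remediate
BASE_CLICK_RATE = 0.198            # article: Terranova Gone Phishing Tournament


def fraction_clicking_before_removal(mean_click_seconds: float,
                                     remediation_seconds: float) -> float:
    """Share of eventual clickers whose click lands before the message is removed.

    With an exponential time-to-click T of the given mean,
    P(T < r) = 1 - exp(-r / mean). Instant removal (r <= 0) exposes nobody.
    """
    if remediation_seconds <= 0:
        return 0.0
    return 1.0 - math.exp(-remediation_seconds / mean_click_seconds)


def exposed_recipient_fraction(base_click_rate: float,
                               mean_click_seconds: float,
                               remediation_seconds: float) -> float:
    """Fraction of ALL recipients who click before remediation completes."""
    return base_click_rate * fraction_clicking_before_removal(
        mean_click_seconds, remediation_seconds)


def remediation_budget_seconds(mean_click_seconds: float,
                               max_fraction_before_removal: float) -> float:
    """Longest remediation time that keeps the share of clickers who beat
    removal at or below the target (the inverse of the function above)."""
    if not 0.0 < max_fraction_before_removal < 1.0:
        raise ValueError("target fraction must be strictly between 0 and 1")
    return -mean_click_seconds * math.log(1.0 - max_fraction_before_removal)


def race_table(mean_click_seconds: float = MEAN_CLICK_SECONDS,
               base_click_rate: float = BASE_CLICK_RATE):
    """Rows of (remediation seconds, share of clickers who win the race,
    share of all recipients exposed) for a range of remediation latencies,
    starting from the article's 183 s figure."""
    rows = []
    for r in (REMEDIATION_SECONDS, 60, 30, 10, 5, 1):
        among_clickers = fraction_clicking_before_removal(mean_click_seconds, r)
        rows.append((r, among_clickers, base_click_rate * among_clickers))
    return rows


if __name__ == "__main__":
    for r, clickers, recipients in race_table():
        print(f"remediation {r:>4}s: {clickers:6.1%} of clickers and "
              f"{recipients:6.1%} of all recipients click first")
    budget = remediation_budget_seconds(MEAN_CLICK_SECONDS, 0.10)
    print(f"to keep clicks-before-removal under 10% of clickers, "
          f"remediation must finish within {budget:.1f}s")
```

With the article’s numbers the model says roughly 89 percent of eventual clickers, and about 18 percent of all recipients, click before a 183-second remediation completes, and that holding the exposed share of clickers under 10 percent would require remediation inside about nine seconds. The exact figures depend entirely on the assumed distribution; the practical lesson is that post-delivery removal measured in minutes does not change the outcome much, which is the article’s argument for blocking before delivery.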

Like all good security programs, it starts with layers, or defense-in-depth. An automated layer at the start that blocks most, if not all, malicious emails from reaching the inbox is essential. Training then takes care of the rest. Emails reported by end users can be fed back into the AI and ML models, in a constant feedback loop that improves the security over time.

Sometimes, cybersecurity wisdom can come from the most unexpected places. In the movie Karate Kid, Mr. Miyagi tries to catch a fly with chopsticks. While certainly a great challenge, it is not the most effective approach, and it will never scale once someone leaves the door open. When it comes to the phishing threat, many organizations are opting for Mr. Miyagi’s approach. Rather than shutting the door, adding new screens, and so on, they are opting to first train the masses to catch flies with chopsticks.

Just to be clear: end-user phishing training is absolutely 100 percent critical. Implementing response tools and processes for the SOC is absolutely 100 percent critical. But don’t mistake these capabilities for mass protections. They are exception handlers that account for the phishing emails that slip past your security defenses and into your users’ inboxes. When you first reduce the attack surface by implementing advanced security, you make it much easier to design and implement an end-user training program to deal with the exceptions.

Gil Friedrich is co-founder and CEO at Avanan.


About Avanan 

Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to scan communications traffic inline for phishing, malware, and data leakage. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite and for other collaboration tools such as Slack.

Avanan catches the advanced attacks that evade default and advanced security tools. Its invisible, multi-layer security enables full-suite protection for cloud collaboration solutions such as Office 365™, G-Suite™, and Slack™. The platform deploys in one click via API to prevent Business Email Compromise and to block phishing, malware, data leakage, account takeover, and shadow IT across the enterprise. Avanan replaces the need for multiple tools to secure the entire cloud collaboration suite, with a patented solution that goes far beyond any other Cloud Email Security Supplement.