Relying on employee awareness alone is not enough to prevent sophisticated social engineering attacks, and some training methods create problems of their own.
Now is the time to think seriously about why we rely so heavily on end users to catch phishing scams that can harm the entire company. As attackers keep refining their social engineering skills, phishing attacks become harder and harder to detect, and they are missed 39% of the time. You may believe your anti-phishing training program is up to date, but as long as your business operations depend on email, your organization will remain at risk.
Because we handle e-mail every day, we still extend it a degree of blind trust, despite ongoing and sophisticated anti-phishing training. Attackers often set out to provoke an emotional response from the target, for example with urgent messages purporting to come from “HR” or the CEO. Such messages are more likely to prompt a careless download or reply that harms the entire organization.
File sharing via e-mail is another essential business function that exposes organizations to major risks, including non-compliance. According to Proofpoint’s “Status of Phishing Report 2021”, attachment-based attacks are becoming more and more common, and employees often cannot tell malicious attachments from legitimate files shared for collaboration, especially now that remote work is so widespread. Currently, the average failure rate for attachment-based attacks is 20%, far higher than the 12% for URL-based attacks.
Why anti-phishing training cannot succeed
If you think this is purely a pandemic-related issue, think again: the problem predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks, while only 10% focused on attachment-based attacks. Sixty-five percent of the phishing tests with the highest click rates were attachment-based, and most of those emails appeared to come from recognizable internal accounts, such as supervisors or HR staff.
It is worth noting that HR departments are especially likely to fall victim to attachment-based attacks because they receive résumés and other documents from external sources every day. In 2020, for example, attackers evaded sandboxes by hiding malware in résumés and sick-leave forms.
Training can also feel like a threat to employees who open email from unfamiliar sources, which causes problems of its own. Employees who fail a test or miss a dangerous email may fear being fired, which can turn phishing training into a traumatic experience.
Finally, a program can collapse because it is perceived as insulting. For example, Tribune Publishing Company sent an anti-phishing training email that dangled the prospect of a substantial bonus, and it met with strong backlash. This happened during the global pandemic, when journalists were being laid off and taking pay cuts. Incidents like this create a serious disconnect between the security team and the rest of the company. They do nothing to build goodwill or to inspire people to learn more about security.
It’s time to stop blaming the end user
Beyond increasingly sophisticated, socially engineered phishing campaigns and other cyberattacks, there are many threats against which user awareness training and most security solutions are powerless. Solutions that rely on signature databases and fail to detect zero-day attacks or undisclosed threats can leave a large gap. Zero-day malware is developed constantly and evades some of the best detection mechanisms. Yet many organizations’ security programs focus mainly on threat detection and anti-phishing training.
These solutions can give end users a false sense of security: they assume they are protected no matter what, even as many threats slip through the cracks. If security solutions cannot detect these threats, why expect employees to? Deploying detection-based solutions and relying on user awareness training will not provide the protection companies need.
Even though well-trained users can stop more attacks and contribute to a more secure online ecosystem, over-reliance on phishing training remains a problem, especially as recent developments have put existing awareness training under pressure. Once organizations moved to large-scale remote work, phishing training dropped off the priority list. Cuts to security budgets may also starve more advanced and effective measures of funding.
In short, putting all your eggs in the cybersecurity awareness basket is not effective. Organizations should shift more resources to preventive solutions rooted in data and technology, which stand a better chance of adapting to the ever-changing threat landscape, rather than placing the burden on conscientious employees.