SecureWorld News

State of the Phish 2018, BEC, and Selling Your Program to the Business

Written by SecureWorld News Team | Thu | Feb 1, 2018 | 3:34 PM Z

It's no wonder we had hundreds of information security professionals attend the SecureWorld web conference this week, "State of the Phish Report 2018: What Your Peers Are Doing to Reduce Successful Phishing Attacks."

Just look at the live poll results from attendees. Phishing is still a growing problem.

How to sell your phishing program to the business

With these trends in mind, have you had trouble getting executives to approve or fund a phishing awareness program? Or perhaps to keep it going?

If so, Sandy Bacik, Sr. Compliance and Cybersecurity Auditor at CipherTechs, says you may need to re-frame things. "User awareness is not about tricking people, it is about limiting risk to the business. If you focus on business benefit, they will at least listen."

She shared these tips for justifying a phishing program to management:

The web conference kicked off with fantastic (and frightening) insights from the industry standard on phishing: Wombat's annual State of the Phish Report.

Results, charts from "State of the Phish 2018"

According to more than 10,000 responses from quarterly surveys of InfoSec professionals, the impact from phishing continues to be significant.

Also, here are the categories of simulated phishing attacks employees are falling for, which is an important detail:

Why are these numbers significant? Amy Baker, Vice President of Marketing at Wombat Security, says they paint a picture of what your employees are doing on your network.

"One thing that is clear from these statistics: people are using their business accounts for both business and personal reasons," she says.

And about your endpoints: it's not just your employees using them. One question from the State of the Phish report asked "What personal activities do you allow family members or trusted friends to perform on your corporate device?"

So even if your employees practice good corporate hygiene, those friends and relatives using your corporate devices may not.

Phishing on steroids: business e-mail compromise, defined

John Kveragas, Jr. is Chief Audit Executive at Zenbanx, and he shared insights on Business Email Compromise (BEC), something he says can often be misunderstood by employees.

"BEC is a form of phishing, it's really spear-phishing combined with email spoofing or impersonation, and something we're likely to see more of in 2018."

He says spear-phishing can take hackers about 15 minutes to launch, as they scan employee or executive leadership profiles on social media. Many of those people do not make their personal accounts completely private, so anyone can see their most recent photos, such as the ones posted while they are on vacation.

An example, he says, might be an email like this, for a CFO or CEO on vacation in Europe: "Hey Sally, we're having fun on vacation, Europe is great. Just got notice that we need to transfer $500,000 to secure our new office space, so please make the transfer with this link and email me back once you have done it. Thank you."

How to defend against BEC

So how do you defend against spear-phishing? Here are some strategies he shared.

"You are a target for these crimes," Kveragas, Jr. says. "Phishing is not an IT problem, it is a business problem." And the target, over and over: the end user at your company.

All the more reason to watch the web conference on-demand: "State of the Phish Report 2018: What Your Peers Are Doing to Reduce Successful Phishing Attacks."

During the phishing web conference you will gain far more context, see program specifics, and learn about popular consequences for employees with repeated bad security behavior.

You will also have access to Wombat's complete "State of the Phish 2018" report and supporting documents to help you justify or renew your phishing program.