Risk
11/4/2013
03:27 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

ThreatSim's State Of The Phish Finds Most Organizations Do Not Recognize Phishing As A True Threat

The key finding: most organizations (57%) rate phishing as a 'minimal' impact threat

HERNDON, VA--(Marketwired - Nov 4, 2013) - ThreatSim, the leading innovator of simulated phishing training and awareness solutions, today announced key findings for its 2013 State of the Phish awareness index, gauging phishing training, awareness and readiness among 300 IT executives, administrators and professionals in organizations throughout the United States.

The key finding: most organizations (57%) rate phishing as a 'minimal' impact threat (resulting in investigation and account resets), while one in four respondents (27%) reported phishing attacks that led to a 'material' breach within the last year. The survey defined 'material' as some form of malware infection, unauthorized access and lost/stolen data from a breach tied to phishing.

"While material impacts from phishing attacks can cause more damage and headlines, our customers report the cumulative effects from 'minimal' impact events are daily challenges," said ThreatSim CEO Jeff LoSapio. "There is a 'nuisance factor' in which investigations are launched, accounts reset, and staff are unable to work as their laptop is cleaned. The opportunity cost is huge especially for medium size companies where up to 50% of time in a week can be spent handling these 'minimal' impact fire drills. Reducing end user susceptibility to phishing attacks has a direct impact on reducing IT cost and increasing the security team's productivity."

The weekly headlines show that phishing continues to be one of the most active, growing and consistent threat vectors, and State of the Phish findings show most organizations are still not proactive or taking an effective stance to train end users on how not to get phished. The majority (69%) are using ineffective techniques including email notifications, webinars, and in person training.

While sixty percent (60%) of all respondents reported phishing attacks targeting their organization were increasing each year, only 10% are using phishing simulation to train their users, a technique that has proven to reduce users' click rates by up to 80%.

Other key findings from the index include:

· 30% of all respondents plan to increase budget for security training and awareness in 2014.

· 60% of all respondents see the rate of phishing increasing each year.

· 70% of all respondents reported not measuring their organization's exposure to phishing.

· Out-of-date 3rd party software on desktops should be viewed as another critical threat vector. The index found 44% of all respondents are not formally managing 3rd party software, representing a weakness in organizational ability to prevent damage associated with phishing attacks.

"Phishing simulation is proven to be the most effective means to educate end users and reduce susceptibility to phishing attacks," LoSapio said. "While budgets are increasing for thirty percent of all respondents, sadly fewer than ten percent are using this successful technique."

State of the Phish surveys were completed double blind and transmitted electronically via a third-party survey service between Sept. 26 and Oct. 4, 2013. To download the complete key findings and methodology report, including a special report featuring ThreatSim consolidated customer trending data during 2013, visit http://threatsim.com/resources/2013-state-of-the-phish/.

ThreatSim customers, including a top 10 mutual fund firm, a top three U.S. utility and one of the largest government defense contractors, have achieved up to an 80% reduction in the rate of employees who click on phishing e-mail messages. Available in 11 languages and country themes, ThreatSim simulations are extremely realistic, coupled with effective training content that equips employees with the skills to identify and avoid phishing attacks. ThreatSim is a secure hosted Software-as-a-Service that requires no installation or configuration.

About ThreatSim

ThreatSim is the leading innovator of simulated phishing defense training and awareness solutions. Headquartered in Herndon, Va., outside Washington, D.C., ThreatSim delivers highly-scalable, feature-rich, SaaS-based phishing and advanced threat training campaigns that measurably lower organizational risk exposure. ThreatSim customers include large commercial enterprises, SMBs, government organizations and academic institutions. Request a demo, visit www.threatsim.com and follow @ThreatSim.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7484
Published: 2014-10-20
The Coca-Cola FM Guatemala (aka com.enyetech.radio.coca_cola.fm_gu) application 2.0.41725 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7485
Published: 2014-10-20
The Not Lost Just Somewhere Else (aka it.tinytap.attsa.notlost) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7486
Published: 2014-10-20
The Mitsubishi Road Assist (aka com.agero.mitsubishi) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7487
Published: 2014-10-20
The ADT Aesthetic Dentistry Today (aka com.magazinecloner.aestheticdentistry) application @7F080181 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7488
Published: 2014-10-20
The Vineyard All In (aka com.wVineyardAllIn) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.