Operations

5/18/2021 01:00 PM
Aviv Grafi
Commentary

Why Anti-Phishing Training Isn't Enough

Not only is relying on employees' awareness insufficient to prevent sophisticated social engineering attacks, some training methods can create other problems.

It's time we take a hard look at why we rely so much on end users to catch phishing scams that can jeopardize an entire company. As hackers continue to advance their social engineering techniques, phishing attacks are becoming harder to detect and are missed 39% of the time. While you might think your anti-phishing training program is up to date, your organization will continue to be at risk as long as email is necessary for business operations.

Because we all engage with email daily, we have a degree of blind trust despite continuous, sophisticated anti-phishing training. On many occasions, hackers scheme to elicit emotional responses from their target — for example, by sending urgent messages "from" human resources or the CEO. These are more likely to result in improper downloads or email responses that can damage the entire organization.

File sharing over email is another necessary business function that puts the organization at significant risk for a breach. According to Proofpoint's "2021 State of the Phish Report," attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those with files they need to collaborate, especially when remote work is so common. Currently, the average failure rate in attachment-based attacks is 20%, far higher than for URL-based attacks, at 12%.

Why Anti-Phishing Training Isn't Succeeding
If you think this is solely a pandemic-related problem, think again: it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks, compared with just 10% that focused their efforts on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails looking like they came from a recognizable internal account such as a supervisor or someone from the HR department.

Notably, the HR department is at increased risk of falling victim to an attachment-based attack because of the resumes and other files from outside sources it engages with daily. For example, in 2020, hackers were able to avoid a sandbox by sneaking malware inside resumes and medical leave forms.

Additionally, training that threatens to come down hard on employees who open an email from an untrustworthy source creates additional problems. Making employees feel like they are going to be fired if they fail a test or miss a dangerous email can create phishing training trauma.

Finally, programs can also come off as insulting. As an example, the Tribune Publishing Company received some backlash after it sent anti-phishing training emails promising significant bonuses — in the middle of a global pandemic when journalists were being laid off and experiencing salary cuts. Incidents like this can cause a severe disconnect between the security team and the rest of the company. They also do nothing to build a sense of camaraderie or motivate people to learn more about security.

It's Time to Stop Blaming End Users
Beyond users being tricked by increasingly sophisticated — and socially engineered — phishing campaigns and other cyber exploits, there is a plethora of threats that user awareness training — and most security solutions — can do nothing about. Solutions that rely on signature databases and cannot detect zero-day exploits or undisclosed threats may leave significant gaps. Zero-day malware is constantly being developed and evades some of the best detection mechanisms. Yet many organizations' security defenses focus largely on threat detection along with anti-phishing training.

These solutions may give end users a false sense of security that they are protected no matter what, when many threats can slip through the cracks. If a security solution cannot detect these threats, then why would you expect employees to be able to detect them? Deploying detection-based solutions and relying on user awareness training will not provide the protection that enterprises need.

Even if better-educated users could stop more attacks and create safer cyber ecosystems, overreliance on phishing training will come up short — especially given recent developments that are putting a strain on the awareness training in place. Once organizations shifted to large-scale remote work, phishing training moved down the list of priorities. And cuts to security budgets threaten to take funding away from more advanced and effective measures.

To put it simply, putting all your eggs in the cybersecurity-awareness basket is ineffective. Organizations should divert more resources to prevention solutions rooted in data and technology, which stand a much better chance of keeping up with the fast-changing threat landscape and don't put the onus on well-intentioned employees.

Aviv Grafi is CEO & Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is principal software architect for Votiro's enterprise solution, which is based on a unique Positive ...
