Phishing People: How Educating Employees Can Halt a Successful Cyberattack

Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint
5 years ago

A strong cybersecurity posture is multifaceted. As new threats are born and others evolve, companies must keep adding to their arsenal to ensure their defences are up to the task. However, there is one line of defence that is often overlooked: people.

The cybersecurity knowledge and understanding of the employees in an organisation is just as important as any policy or control that is put in place. The end user is often the first point of attack. The more they understand about how their behaviour can affect the security of the business, the stronger an organisation’s cybersecurity posture.

Unfortunately, as uncovered in Proofpoint’s 2019 Beyond the Phish report, a sufficient level of cybersecurity knowledge is not always present. The report analysed data from almost 130 million questions, answered by employees across 16 industries on a range of topics including phishing, data protection, ransomware and social media safety.

Across all topics and industries, 22% of questions were answered incorrectly, suggesting around one in five end users has gaps in their cybersecurity knowledge.

One of these gaps is notably larger than many of the others. A quarter of users answered incorrectly when questioned on their ability to identify phishing threats. If we consider that phishing is involved in 32% of confirmed breaches and 78% of cyber-espionage incidents – this finding is concerning and unsurprising in equal measure.

The persistent threat of phishing

Phishing remains an ever-present threat to businesses of all sizes across all industries. In fact, Proofpoint’s 2019 State of the Phish report found that 83% of global infosecurity professionals experienced a phishing attack in 2018.

Across the board, respondents from a range of industries struggled with their understanding of the topic. Defence and Insurance had the lowest error rates, answering 23% of questions incorrectly, while Manufacturing and Transportation accounted for the most incorrect answers, at 27% each.

Interestingly, the level of understanding demonstrated in the Beyond the Phish study doesn’t correlate with the same respondents’ ability to spot a phishing attack. The average simulated phishing attack failure rate of the respondents was 9%, compared to an average percentage of phishing questions answered incorrectly of 25%.

This tells us that while simulated email phishing attacks are a powerful way to assess end user weaknesses, they do not tell the full story.

Such tactics alone don’t give a complete picture of how well users understand the wide-ranging threat of phishing. Nor do they provide insight into the level of understanding of other key areas that can contribute to an attack, such as password hygiene and data protection.

Closing the knowledge gap

Spotting gaps in user knowledge is one thing. Closing them is another. There is no quick fix. To increase user understanding of complex topics and bring about a change in behaviour, the only effective plan of action is comprehensive, ongoing training that keeps pace with the cyberthreats organisations are facing.

This training should include regular assessments, education, reinforcement activities, and measurement of understanding.

To put this approach to the test, we compared two groups of Beyond the Phish report survey respondents: end users as a whole, and end users participating in fully implemented training programmes.

The results speak for themselves. Users who receive quarterly cybersecurity training consistently outperformed overall group averages. In some cases, significantly.

Particularly encouraging when it comes to protecting against phishing attacks is the finding that users participating in ongoing training perform markedly better in categories relating to account authentication and mobile security.

With credential phishing attacks and account compromise on the increase, all organisations must rely more than ever on end users to make good security decisions.
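The two sections above rest on two different measurements: the failure rate on simulated phishing emails, and the error rate on knowledge-assessment questions, compared across a trained cohort and the wider user base. The script below is an added example, not Proofpoint’s tooling or data; it computes both metrics per cohort and per topic from a constructed set of user records, and separately lists users who never fell for a simulation but still show a knowledge gap, which is exactly the case a simulation-only programme would miss. The cohort names, topic names and thresholds are assumptions for illustration.

```python
"""Measure simulated-phishing failure rate and knowledge-assessment error
rate per training cohort. Added example with constructed records; this is
not Proofpoint data or Proofpoint code."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    user: str
    cohort: str                  # assumed labels: "trained" (quarterly programme) or "baseline"
    sim_emails: int              # simulated phishing emails received
    sim_failures: int            # simulated emails clicked or credentials entered
    quiz: dict = field(default_factory=dict)  # topic -> (correct, asked)


# Constructed sample records (hypothetical users, not survey respondents)
SAMPLE = [
    UserRecord("u01", "trained", 4, 0, {"phishing": (9, 10), "passwords": (8, 10), "data_protection": (9, 10)}),
    UserRecord("u02", "trained", 4, 1, {"phishing": (8, 10), "passwords": (9, 10), "data_protection": (7, 10)}),
    UserRecord("u03", "trained", 4, 0, {"phishing": (10, 10), "passwords": (7, 10), "data_protection": (8, 10)}),
    UserRecord("u04", "baseline", 4, 0, {"phishing": (6, 10), "passwords": (5, 10), "data_protection": (7, 10)}),
    UserRecord("u05", "baseline", 4, 1, {"phishing": (7, 10), "passwords": (6, 10), "data_protection": (6, 10)}),
    UserRecord("u06", "baseline", 4, 0, {"phishing": (5, 10), "passwords": (8, 10), "data_protection": (7, 10)}),
    UserRecord("u07", "baseline", 4, 2, {"phishing": (8, 10), "passwords": (4, 10), "data_protection": (5, 10)}),
]


def sim_failure_rate(records):
    """Fraction of simulated phishing emails that were acted on."""
    sent = sum(r.sim_emails for r in records)
    failed = sum(r.sim_failures for r in records)
    return failed / sent if sent else 0.0


def quiz_error_rate(records, topic=None):
    """Fraction of assessment questions answered incorrectly, optionally for one topic."""
    total = wrong = 0
    for r in records:
        for t, (correct, asked) in r.quiz.items():
            if topic is None or t == topic:
                total += asked
                wrong += asked - correct
    return wrong / total if total else 0.0


def cohort_report(records):
    """Per-cohort view: simulation failure rate, overall and per-topic quiz error rate."""
    by_cohort = defaultdict(list)
    for r in records:
        by_cohort[r.cohort].append(r)
    report = {}
    for cohort, recs in by_cohort.items():
        topics = sorted({t for r in recs for t in r.quiz})
        report[cohort] = {
            "sim_failure_rate": sim_failure_rate(recs),
            "quiz_error_rate": quiz_error_rate(recs),
            "by_topic": {t: quiz_error_rate(recs, t) for t in topics},
        }
    return report


def hidden_gaps(records, max_error=0.2):
    """Users who never failed a simulation but miss more than max_error of the
    questions on at least one topic: gaps a simulation-only programme would not see."""
    flagged = []
    for r in records:
        if r.sim_failures:
            continue
        weak = [t for t, (correct, asked) in r.quiz.items()
                if asked and (asked - correct) / asked > max_error]
        if weak:
            flagged.append((r.user, sorted(weak)))
    return flagged


if __name__ == "__main__":
    for cohort, metrics in cohort_report(SAMPLE).items():
        print(f"{cohort}: sim failure {metrics['sim_failure_rate']:.1%}, "
              f"quiz error {metrics['quiz_error_rate']:.1%}, by topic {metrics['by_topic']}")
    print("hidden gaps:", hidden_gaps(SAMPLE))
```

Run as a script it prints one line per cohort plus the list of users whose simulation record looks clean but whose assessment does not; in a real programme the `quiz` field would be filled from the assessment platform and `sim_failures` from the simulation tool, and the `max_error` threshold tuned to the organisation’s own pass mark.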

Creating a security-conscious culture

Companies that fail to create a culture of cyber awareness and responsibility will always be the most vulnerable to attack. The human factor needs to be a key pillar of a company’s cybersecurity defences.

To shore up the line of defence that is usually overlooked – people – organisations should consider taking the following actions:

  • Deliver comprehensive and continuous cybersecurity training to all employees, at all levels. This means not only training and refreshing end users on how to spot a phishing attack, but what to do when they occur and also eradicating any behaviour that can impact the security of your business.
  • Ensure employees are educated in cybersecurity best practices, for example practising good password hygiene. Not all security incidents stem from an outside attack, and teaching employees how to keep sensitive data secure is vital.
  • Treat traditional phishing attacks with the importance they deserve. Ensure that your users know how to spot them and what to do if and when they occur. But know that to stand a greater chance of preventing such attacks, your security training must extend far beyond this.
  • Educate employees on the “why” as well as the “what”: not just what a threat looks like, but how it works, the motivation behind it and the ways that their behaviour can increase its success rate. That’s true not just of phishing, but of every security challenge faced by end users.

When awareness and understanding increases, behaviour changes. And that might just be the difference between a successful attempt and a successful attack.