Efficient Phishing Programs: 3 Common Problems and 1 Awesome Solution

By Kaustubh Jagtap

You hear it all the time. Teams tasked with improving phishing defense aren’t sure how many employees see, or even receive, the simulations they send.

It’s why Cofense™ has introduced the Cofense PhishMe Responsive Delivery™ capability in Cofense PhishMe™ Enterprise edition. This capability allows operators to send a phishing simulation only when targeted employees are actively using email. It also delivers the phishing simulation directly to the employee inbox, thereby bypassing any technical issues including gateway configuration changes and whitelisting complications. Additionally, having this capability adds another layer of automation to your phishing program, making it more effective and efficient to manage.

Following are 3 of the problems this new feature addresses. If you manage an anti-phishing program, these will surely sound familiar.

“Whitelisting really complicates delivery and reporting.”

Sometimes your email gateway is a blessing and a curse. Though it doesn’t catch every real phishing email, it’s configured to stop the majority—and in doing so occasionally also catches some of your simulations.

That’s a two-fold problem. Too often employees miss out on the chance to test their ability to catch a phish, which hurts your organization’s overall resiliency to phishing attacks.

Also, your anti-phishing program’s metrics get thrown off. Say you phish 500 employees. If 250 report the email and 250 fall susceptible, you wind up with a 1:1 ratio, which is pretty decent. But what if, thanks to whitelisting, 75 employees never got the email? Mathematically, your reporting is fine, but your employees’ true readiness will remain unclear.

“We’re global, so scheduling is tough.”

We hear this one a lot. Eastern Time, Pacific Time, London, Tokyo, and Sydney times—when you want simulations to arrive when global employees are at work, scheduling can get complicated.

It’s one more thing to worry about, one more drain on your time. Running simulations across multiple time zones, cultures, and languages is daunting enough. Having to untangle time zones only adds to the headaches.

“If people aren’t on email when we send, we might miss them.”

Everyone is snowed under by emails these days. So when somebody isn’t on email for even a couple of hours, he or she may have 20 or 30 messages stacked up.

It’s easy for that person to miss the simulation you sent—the one you carefully crafted and scheduled, the one whose results you were eager to see. The teachable moment may have passed. If there’s no “evidence of life” on the email account, a simulation could be dead on arrival. Can you say “inefficient?”

The new Cofense PhishMe Responsive Delivery in Cofense PhishMe addresses these common delivery hassles. Give it a try! Don’t have it and interested? Learn more. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or SharePoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic.

First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:

“The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, SharePoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight.”

Why is file-sharing a target? Because users trust these services.

In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers that a threat actor will pull is trust. When users get an email pointing them to, say, Dropbox, there’s a greater likelihood they will engage with the message. These services have become trusted brands, so it’s only natural for a threat actor to leverage them.

It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.

User interaction is related to the business process.

We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.

This particular organization has URL defense protections enabled. It has also added tags to the message to alert the user that it is potentially harmful, since it originated outside the organization. These additional defenses can be helpful, but they make it difficult for the user to assess if the URL is legitimate.

One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before replying, for example:

  • “Am I expecting to receive an invoice from the sender?”
  • “Does my job normally require me to process invoices from unknown sources?”
  • If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This might be possible in a smaller organization where teams interact with each other more frequently; however, it’s most likely not the case in larger, more diverse organizations.

To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.

View all 6 Cofense phishing predictions for 2019.

 


Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

By Susan Mo

More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends. 

This board took the lead in launching phishing simulations. 

A leading aviation company in my part of the world, Australia, has a highly public presence. Translation: any security issues would likely make headlines. So the board mandated an anti-phishing program. Using Cofense PhishMe™, the company now runs phishing simulations to condition its employees to recognize and report phishing emails.

The program is still in the early stages, but already the results are encouraging. User susceptibility to phishing emails has dropped by 10%. Moreover, the rate of users clicking on embedded links in emails has dropped by 9%. Further proof the program is not just effective but necessary: even members of the company’s security teams have fallen for simulations. 

And the best proof of all: “Our security teams are stopping attacks reported by employees,” said the General Manager of Technology and Innovation. Real users are helping to stop real phishing threats. 

For further details, view the full case study.

Cofense board reports show results and ROI. 

To make sure that boards and other leadership teams see results, Cofense provides free board reports to our customers. Cofense PhishMe customers can request a report from their dashboards or in Cofense Community. They’ll get an easy-to-read two-page summary of their program’s progress.

At a glance, each report shows susceptibility rates, rates of users reporting phishing, and the resiliency rate—that is, the ratio of users reporting emails to those that take the bait. A ratio of 1 reporter to 1 susceptible user is a good start. A rate of 5:1, for instance, would be very good. 

The reports also benchmark progress within a customer’s industry. If you’re in financial services, you can see how your anti-phishing program compares to other Cofense financial customers. You can even zoom out to see a comparison covering over 20 major industries.

One customer said their report gave them “the high-level ROI analysis our leadership needed.” It’s the kind of information security-minded boards require—and that security and awareness teams can use to justify budget. 

For a broader view of the role boards play in cyber-security, view this article in Forbes. 

 


 

Expect Credential Phishing to Continue Surging in 2019

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness Month. But not so fast – Security Awareness isn’t just about October. It’s all year long, it never stops, and it’s ever evolving.

I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week we focused on the alignment of the security awareness function with the organization. This week we’ll wrap up the series with some key findings published in the ISC2 Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success.1

Figure 1, left and 2, right – Image source: https://www.isc2.org/Research/Workforce-Study

5 Ways to Bring Focus to Security Awareness Programs

As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.

  • Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start with training a few key groups to benchmark results, it’s important to get buy-in to enroll the entirety of the organization to build resilience to attacks across all teams with ongoing training.
  • Not enough skilled cybersecurity professionals available. The report cited that end users – people – can lead to more security vulnerabilities*, so it’s no surprise to see that the security awareness function sits at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part-time job function along with other security hats to wear, preventing focus. Instead, have a dedicated security awareness lead running the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
  • Inadequate funding. Security awareness is a necessary and essential component of a larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt and it’s up to resilient, trained humans to recognize and report suspicious emails – this last line of defense is an area worth investing in.
  • Too much data to analyze. As more and more humans are enrolled and participating in security awareness programs, that also means more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization and collaborate with security teams to report and analyze program trends to reflect changes in that security posture. This may include your organization’s phishing resilience and reporting rates, for example, compared with inflated metrics such as click rates or susceptibility rates.
  • Lack of management support/awareness. This is often one of the biggest hurdles in preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. One idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there might be more awareness and inclination to engage in security awareness practices than before.

You’ve Launched a Successful Security Awareness Program – How Do You Keep it Successful?

Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing – so your security awareness program needs to be nimble and fluid to mitigate those evolving threat vectors. Behavior improvements are ongoing and so should your security awareness programs be. Organizations are constantly under attack as the threat actors continue to find ways to get past technical defenses of an organization, such as perimeter technologies and email gateways.

How do you keep your program aligned with the current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying if and what impact it has on the organization. Download the latest white paper on cybersecurity or threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for key words: phish email, data breach, malware, cyberattack, cybersecurity, Cofense™, awareness training, threat intelligence.

Jumpstart Your Efforts Today with Free Security Awareness Resources

Remember that building a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.

As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, which includes specific topics and compliance modules to meet your regulation requirements. If you’re just getting started on building your security awareness program, there are plenty of free security awareness resources available to you when you’re on a shoestring budget, including a turn-key security awareness program kit, posters, presentations and other resources to get you started.

 


References:

1 Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

* Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

 

Where Do Security Awareness Programs Belong on the Org Chart?

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.

For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

Security Awareness: Choosing Methods and Content that Work

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here. 

Last week we examined the importance of setting a strategy and goals for your security awareness program.

Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors.

We live in a fast-paced world of information overload. You have seconds to get your message across to engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that matter most. More than anything, your training must be simple and to the point.

Simulations Are the Best Way to Teach the Right Behaviors

Everyone has a different style of learning and consuming information – video, newsletters, blogs, computer-based training modules (CBT), etc. According to the National Training Laboratories (see charts below), people retain more information from simulations than any other method.

After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that “Oh no, what just happened?” moment, is really how the recipient learns.

Running a simulated phishing attack IS the learning moment. It’s not the education presented during the campaign on the website or attachment. This is also supported by the data we see over the years of capturing how long the user stays on the page to read the education. They don’t – the largest segment of users falls in the 0-9 seconds range for “time spent on education.” Yet the data indicates a reduction in susceptibility rate and increase in reporting rate.

The data also supports the reduction in susceptibility as we look at the number of campaigns it takes to reduce that click rate. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the time between campaigns. When increasing the number of campaigns, focus on the active threats in order to reduce the risk faster.

Source: 2015 Cofense Enterprise Resiliency Report

Focus Your Training on Real Threats

As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potentially malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident.

You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages.

So, what does this all mean when we talk about educational content? If you’re focusing on behaviors that you’re looking to improve, you don’t want to hit users with content overload. Instead, create a plan for covering a theme each quarter. Use this theme in your newsletters, videos, or learning modules. However, allow for flexibility to shift if a threat is now affecting your organization (HeartBleed, Meltdown, etc.).

Let’s take one more example of using content to nudge the user to the right path. It’s the example used in last week’s blog on program design—how to change users’ browsing behaviors. By presenting the user with a simple banner at the moment they’re exhibiting the wrong behavior, we can direct them to take the right action. You can adjust this banner as the behavior changes. Once you curb their habit of clicking through to unknown sites, your metrics may reveal a category that needs to be addressed – such as software downloads.

Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to your organization. To help you focus your resources on elements of your program that actually make an impact, we provide a series of modules for FREE to any organization (even if you’re not a customer).

http://cofense.com/awareness-resources

In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior!

Recommended reading: If you’re looking to expand your knowledge on how to create content and simple messaging for your program, I suggest getting a copy of Made to Stick, Why Some Ideas Survive and Others Die, by Chip and Dan Heath.

 


Phishing Enables Domestic Violence. Education Can Help Stop It.

According to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1  Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.

Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month.

In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong – you have to market to the users.”