It should come as no surprise that the holiday season inevitably means an increase in scams and financial fraud. Long gone are the years where we only needed to worry about theft as a result of home burglaries and car break-ins. We not only need to worry about leaving store purchases and gifts in plain view in our cars or homes, but our credit card information being transmitted in plain text via payment services, and the ever increasing threat of phishing and ecommerce scams targeting holiday shoppers.
You're probably thinking security awareness training for employees is a no-brainer, that you shouldn't have to sell the idea up the ranks. However, with several other technology controls in place for securing your organization, you may be faced with a surprising "what's this...is this really necessary" when you slide that line item into next year's budget.
So you reconsider what you have budgeted and entertain a once-a-year, check-the-box option to satisfy compliance needs. But how much will your organization benefit from this status-quo approach?
Getting signoff for a security awareness training program that actually works can be much harder.
But it doesn’t have to be. With a little research and a few calculations, you can produce a business case for security awareness training that holds up even under purely financial scrutiny.
Cybersecurity is a field defined by its dynamism, as is crime. When analyzing trends to assess the future of these two frequently overlapping spaces, the most efficient way to separate persistent threats from hype is to ask not just where the money is, but what the easiest way to get it is. While ransomware has had a lock on headlines all year, the most recent news stories all seem to emphasize increases in attacks targeting educational institutions, state and local governments, and healthcare organizations. Let's examine why this change from shotgun targeting to more focused targeting is happening.
Everybody knows phishing is costly to their organization.
But how costly? Few organizations know for sure.
Plenty of studies have claimed to calculate the cost of phishing, but the results are usually hard to swallow. For instance, does phishing cost your organization $1.6 million per incident? Or $3.7 million per year?
Perhaps... but probably not.
The issue with these figures is that they're averages, heavily skewed by data from huge organizations. The results may be interesting, but they're of little use to most organizations.
Most security awareness training is boring, infrequent, and ineffective. And the worst part is… everybody knows it.
But why? How did we get to this point? And who does all this sub-par security awareness training benefit?
To answer these questions we’ll need to examine one of the main drivers: Compliance.
Gaining the buy-in from executive leadership and employees within your organization to conduct phishing as a form of security awareness training can often be a daunting task. Proper training programs are extremely effective in conditioning employees to identify threats, yet security teams we speak with are often met with a lot of resistance. Employees feel that the simulations are deceitful and used to point fingers.
If you are faced with these objections, read our post on Hitting Back at the Security Awareness Training Naysayers for why high quality security awareness training is far from a waste of time and money, and how it truly enhances the knowledge and behavior of your users.
Cyber Security Awareness Month presents us with the opportunity to catch up on security trends, gauge our security posture, and assess what gaps and exposure may exist. Do we have blind spots? Or are we overlooking assets readily available to us?
We all know spam filters do not catch 100% of spam, and 1.5% of spam contains malicious links. So when you have one in five employees clicking on phishing emails, you are at risk. This is not news, right? We all know there is no magic bullet for cyber security, and the best that we can hope for is a strong defense.
When planning the best defense, we often overlook that the best defensive line is right in front of our faces – our employees. We often think of them as our liability because no matter how many technology controls we put in place, we know statistically that 1 in 5 of them is going to click on a phish. This week's #CyberAware focus will highlight how, with proper training – and we’ll talk about what ‘proper’ is – you can condition your employees to not just avoid falling for phishing emails, but to actively report phishing attacks to your security team. You can make your employees part of your defense.
If you have been following our Cyber Security Awareness Month series, we applaud you for taking steps to become #CyberAware. We want you to be in best position to keep your organization safe and prevent the next attack.
If you're just joining us, no worries! We will walk you through the actions you should be taking to prevent attacks like ransomware from gaining a foothold inside your network.
Around 1.5 percent of spam emails contain malicious attachments or URLs, along with content designed to manipulate people into opening them. This technique, known as phishing, has become an overwhelming favorite of threat actors in the past few years, primarily because it is a cheap, effective, and fast way to compromise targeted networks. Phishing has been far and away the most popular delivery method for ransomware, and the continued evolution of text-based social engineering attacks has been a significant factor in the rise of ransomware. What should we do about it? For starters, we must stop being easy targets. Education is the key. Here you will find a comprehensive list of resources for fighting back. Let's get started!
Note to readers: PhishLabs will be represented by Paul Black at MalCon 2016 in Puerto Rico from October 18-21. At MalCon 2016, Paul will review the evolution of malware targeting banks and financial institutions, covering notable trend data and methods to combat these threats. Contact PhishLabs with ongoing concerns, questions, or for a deeper dive into the latest remediation techniques.
The cat-and-mouse game between malware researchers and threat actors operating banking Trojans began with the creation and propagation of the Zeus banking Trojan in 2007. Since Zeus's release, the number of banking Trojans has increased continually, yet the anti-analysis mechanisms used by cybercriminals to obstruct researchers appear to have plateaued.