Unless you’ve been living under a rock for the past decade, you’ve already heard of phishing.
After years of research, analysis, and first-hand experience, here's what we’ve learned:
Phishing is a big deal.
Last month we held a webinar, with the aim of helping organizations to fight back against phishing. Hosted by Crane Hassold, our Senior Security Threat Researcher & former FBI analyst, and Dane Boyd, our Lead Solution Manager, this was one of the most comprehensive and entertaining webinars that we have hosted on phishing and security awareness training.
In this article we’ll give you the highlights of the webinar, and help you understand why and how your organization should combat phishing attacks.
On behalf of the PhishLabs R.A.I.D., I'm proud to announce that the 2017 Phishing Trends & Intelligence Report has been released. As with last year's edition, the report provides first-hand, in-depth view of the events and trends that are shaping the phishing threat landscape. It provides insight into the major trends, tools, and techniques used by threat actors to carry out phishing attacks. It also provides the context and perspective needed to understand why these changes are happening.
We’ve also covered the main causes of healthcare data breaches, and noted that powerful security awareness training is the most natural starting point for security conscious healthcare organization.
But so far, we haven’t really covered what should be included in a healthcare specific security awareness training program. After all, while some aspects of security are relevant to every industry, healthcare organizations are faced with a few highly specific problems that need to be addressed.
Before we consider what should be included, though, it’s worth looking at things from another perspective.
Let’s face it, being a healthcare CISO isn’t an easy job. The environments are complex, the staff are almost exclusively non-technical, and as of 2015 healthcare is officially the most attacked industry.
But what is it about healthcare that makes it so uniquely difficult to secure? If gambling websites and financial institutions can (for the most part) avoid major breaches, why can’t hospitals and private clinics?
On the face of it, there’s really only one reason to invest in security awareness training: To avoid breaches, and save money. In reality there’s a bit more to it than that, but let’s stick with this assumption for now.
It should come as no surprise that the holiday season inevitably means an increase in scams and financial fraud. Long gone are the years where we only needed to worry about theft as a result of home burglaries and car break-ins. We not only need to worry about leaving store purchases and gifts in plain view in our cars or homes, but our credit card information being transmitted in plain text via payment services, and the ever increasing threat of phishing and ecommerce scams targeting holiday shoppers.
You're probably thinking security awareness training for employees is a no-brainer, that you shouldn't have to sell the idea up the ranks. However, with several other technology controls in place for securing your organization, you may be faced with a surprising "what's this...is this really necessary" when you slide that line item into next year's budget.
So you re-consider what you have budgeted and entertain a once-a-year, check-the-box option to satisfy compliance needs. But how much will your organization benefit from this status-quo approach?
Getting signoff for a security awareness training program that actually works can be much harder.
But it doesn’t have to be. With a little research and a few calculations, you can produce a business case for security awareness training that holds up even under purely financial scrutiny.
Frustrating, isn’t it?You put all that effort into designing a security awareness training program…
But is it helping keep your organization safe? Or is it just satisfying your compliance requirements?
The truth is you have no idea. After all, how can you measure return on investment (ROI) for something intangible like security awareness training?
Everybody knows phishing is costly to their organization.
But how costly? Few organizations know for sure.
Plenty of studies have claimed to calculate the cost of phishing, but the results are usually hard to swallow. For instance, does phishing cost your organization $1.6 million per incident? Or $3.7 million per year?
Perhaps... but probably not.
The issue with these figures is that they're averages, heavily skewed by data from huge organizations. The results may be interesting, but they're of little use to most organizations.