Threat trends are in constant shift as cybercriminals focus their efforts on different strategies that are more effective at helping them breach a network.
Phishing email is one strategy that has risen in popularity since 2011, according to Verizon’s Data Breach Investigation Report (DBIR) 2015. Four years ago spyware and keylogging malware dominated the threat trends. Now, phishing has become an effective attack mode for attackers as the first phase of an attack campaign: gain a foothold in a network, then work from there.
Cybercriminals know that the human factor is the weakest link in any network environment. So, rather than hunting for vulnerabilities, they opt for a strategy that exploits the human factor: phishing. The report points out, “More than two-thirds of e-mails of incidents that comprise the Cyber-Espionage pattern have featured phishing.”
Although the human factor is the weakest link, some departments in companies are more susceptible to phishing emails than others. Some of the most susceptible departments are communications, legal, and customer service.
What adds more to the problem is that phishing campaigns can spread like wildfire.
“Nearly 50% of users open e-mails and click on phishing links within the first hour.”
Of those 50%, the median time it takes users to open the email is 1 minute and 22 seconds. That is not enough time to detect an attack, let alone mitigate it.
Regardless of what type of security measures an organization uses—phishing filters, anti-virus software, firewalls, etc.—none of them matter if someone on the inside hands a cybercriminal the keys to the front door. The answer to mitigating phishing campaigns is stopping them before users click on that first malicious link.
Although the concept of security training for employees has been beaten to death, it remains the best way to mitigate phishing campaigns. Employees will not know how to recognize phishing emails unless they are trained to do so. Companies cannot afford the $550,000 it takes to recover from a data breach. Security training should be frequent enough that employees remember how to recognize and report a phishing email, but not so frequent that it becomes background noise.
Apart from training, companies can get help from penetration testing providers, who can conduct social engineering tests for a company. This helps a company determine weaknesses in specific departments or individuals. Once a company knows where there is room for improvement, a plan of action can be implemented. It may even be beneficial to perform more than one penetration test to determine whether employees learned what they were supposed to in training. Penetration testing providers can be expensive, so one test a year may be all a company’s budget will allow. But the cost of a penetration test is less than that of a breach caused by a phishing campaign.
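As an added example (not code from the article or from the DBIR), the comparison described above, scoring two consecutive social-engineering tests per department by click rate, report rate and median time-to-click; the simulation log, department names and campaign labels are constructed.

```python
from datetime import datetime
from statistics import median

# Constructed phishing-simulation results (hypothetical, not DBIR data): one row per
# simulated email as (campaign, department, sent, clicked, reported); None = never.
FMT = "%Y-%m-%d %H:%M:%S"
SIMULATION_LOG = [
    ("Q1", "legal",            "2015-03-02 09:00:00", "2015-03-02 09:01:30", None),
    ("Q1", "legal",            "2015-03-02 09:00:00", "2015-03-02 09:45:00", None),
    ("Q1", "legal",            "2015-03-02 09:00:00", None, "2015-03-02 10:10:00"),
    ("Q1", "customer_service", "2015-03-02 09:00:00", "2015-03-02 09:00:50", None),
    ("Q1", "customer_service", "2015-03-02 09:00:00", "2015-03-02 09:03:00", None),
    ("Q1", "engineering",      "2015-03-02 09:00:00", None, "2015-03-02 09:05:00"),
    ("Q3", "legal",            "2015-09-01 09:00:00", "2015-09-01 09:30:00", None),
    ("Q3", "legal",            "2015-09-01 09:00:00", None, "2015-09-01 09:04:00"),
    ("Q3", "legal",            "2015-09-01 09:00:00", None, "2015-09-01 09:12:00"),
    ("Q3", "customer_service", "2015-09-01 09:00:00", "2015-09-01 09:02:00", None),
    ("Q3", "customer_service", "2015-09-01 09:00:00", None, "2015-09-01 09:06:00"),
    ("Q3", "engineering",      "2015-09-01 09:00:00", None, None),
]

def seconds_between(sent, event):
    return (datetime.strptime(event, FMT) - datetime.strptime(sent, FMT)).total_seconds()

def campaign_metrics(rows, campaign):
    """Per-department click rate, report rate and median seconds-to-click for one campaign."""
    by_dept = {}
    for camp, dept, sent, clicked, reported in rows:
        if camp != campaign:
            continue
        d = by_dept.setdefault(dept, {"sent": 0, "clicked": 0, "reported": 0, "secs": []})
        d["sent"] += 1
        if clicked:                      # a click is the failure the training aims to prevent
            d["clicked"] += 1
            d["secs"].append(seconds_between(sent, clicked))
        if reported:                     # a report is the behaviour training should produce
            d["reported"] += 1
    return {dept: {"click_rate": round(d["clicked"] / d["sent"], 2),
                   "report_rate": round(d["reported"] / d["sent"], 2),
                   "median_click_secs": median(d["secs"]) if d["secs"] else None}
            for dept, d in by_dept.items()}

def click_rate_change(rows, before, after):
    """Change in click rate per department between two campaigns; negative means fewer clicks."""
    b, a = campaign_metrics(rows, before), campaign_metrics(rows, after)
    return {dept: round(a[dept]["click_rate"] - b[dept]["click_rate"], 2)
            for dept in b if dept in a}
```

A department whose click rate falls while its report rate rises between campaigns is the signal that training took; a flat or rising click rate marks where the next training cycle should go.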