By Eyal Benishti
Solutions focused on phishing awareness training are not aligned with today’s advanced persistent threats, business email compromise and ransomware attacks, which require a more holistic and integrated approach to phishing mitigation.
Last November, I was asked to make a couple of cybersecurity predictions for 2018, and while it’s only February, it sure appears that one of my primary predictions hit the nail on the head:
“Sensing the frustration of their customers and realizing how complex phishing emails have become, both secure email gateway and computer-based employee awareness and training program providers will accelerate the consolidation of their respective market sectors through mergers and acquisitions that can cover gaps in their existing services and solutions, such as automation and orchestration.”
Since the calendar flipped, Barracuda Networks has announced its acquisition of PhishLine to add what it said were “new capabilities to deliver integrated, adaptive security awareness training.”
Additionally, Proofpoint recently announced its forthcoming acquisition of Wombat Security to “provide the industry’s first-ever integration of market-leading protection and awareness offerings.”
Such M&A activity comes on the heels of security vendors such as Trend Micro and Sophos consolidating offerings with computer-based training (CBT) modules to help educate staff on the latest security issues and vulnerabilities. Sophos even offers customizable security training programs that can include a program guide, employee handbook, online videos, buy-in documents, hands-on technical workshops, and webinar-based training sessions.
For years we’ve heard cybersecurity “experts” pontificate about the necessity of phishing awareness training, proclaiming that all organizations – regardless of size, location or revenue – should invest time, money and resources into phishing prevention education for all employees. Largely, the business community has gone along with such advice, and as a result is expected to pump $10 billion into security training and awareness solutions by 2027, according to Cybersecurity Ventures. However, recent M&A activity suggests such projections might need to be revised.
Highlighting the Failures of Phishing Awareness Training Tools
Not many in security want to admit the reality that the mass investment in security awareness training tools and modules has not translated into transformational improvements in phishing mitigation. Today, phishing continues to be the root cause of approximately 95 percent of all cyberattacks worldwide. The growing frequency of modern advanced persistent threats (APTs), business email compromise (BEC) and ransomware attacks has made it all but impossible for preoccupied employees to single-handedly spot malicious emails on a recurring basis.
Just how bad has the phishing epidemic gotten in spite of the prevalence of phishing awareness training programs? Here are some data points to consider:
- According to SC Magazine UK, 96 percent of businesses were hit with BEC attacks in 2H 2017.
- During the first six months of 2017, the Anti-Phishing Working Group (APWG) identified more than 590,000 unique email phishing attacks and hundreds of thousands of illegitimate phishing websites.
- According to the Symantec 2017 Internet Security Threat Report, more than 400 businesses are targeted with business email compromise (BEC) scams every day and ransomware increased by 35 percent.
Additionally, our internal data, which is based on more than 7,000 simulated email phishing campaigns, reveals that:
- Only up to 10 percent of lured employees voluntarily take training without being consistently reminded.
- Click rates begin to rise again after the initial benchmark phishing awareness training campaigns conclude, and in less than one year after a program is initiated they return to their original benchmarks of 20-50 percent.
With 239 billion emails sent worldwide each day, humans are simply no match for the volume and variety of today’s email phishing techniques. Sure, there is value in employees having a baseline of phishing knowledge, but organizations must be realistic about the ROI of such training.
Driving Market Consolidation: A Frustration with Point Solutions
I’ve written extensively about the myths of security awareness training that vendors don’t want the public to know, and about the impossibility of training employees sufficiently that they never miss a single malicious email. After all, it only takes one small mistake on the part of an employee to circumvent even the most complex and advanced security systems. So, aside from phishing’s continued success, what’s prompting the consolidation movement to gain steam? That’s simple – a frustration with point (imperfect) solutions.
One of the primary inefficiencies of phishing awareness training is that it is merely a point solution whose success is predicated on changing human behavior. Putting the daunting task of changing human behavior aside, point solutions have come under increasing scrutiny for their inability to serve as a holistic phishing risk mitigation solution.
An article in CSO noted many security point tools aren’t designed to communicate with one another. This leaves it to humans to bridge the gaps in intelligence and communications, and that requires more training and support for deployment and configuration. “More tools, more needs…there simply aren’t enough eyeballs, hands or hours in the day to make this jerry-rigged security model work,” CSO said.
But even if and when a trained employee does spot a malicious email, security awareness training tools provide no recourse for remediation. Employees must simply submit their finding to the SOC team, which can have weeks’ worth of phishing email backlogs to investigate. During that time, the phishing email remains in employee inboxes and the threat persists as active.
In response to today’s threat landscape and the inefficiency of point solutions like phishing awareness training tools, Chief Information Security Officers (CISOs) are adjusting their strategies to automate security incident response, and many are consolidating the number of cybersecurity vendors they do business with. Many are requiring new solutions that have broader integration and can operate with other security technologies. Legacy phishing awareness training companies do not fit into this mix, which has put the consolidation trend into hyper-drive.
The IRONSCALES Platform: A Holistic & Multi-Layered Approach to Phishing Mitigation
For CISOs in need of a holistic approach to phishing mitigation, IRONSCALES is the first and only phishing mitigation platform designed for pre- and post-email delivery, always assuming that emails will pass through the prevention layer. The platform consists of four modules that work in tandem to prevent, detect and remediate email phishing at all phases of an attack’s lifecycle. The platform utilizes advanced mailbox-level anomaly detection to analyze employees’ mailbox behavior and protect against hyper-targeted phishing attacks such as BEC, both before and after such an attack bypasses all gateway-level solutions and lands in an inbox.
It’s simple – the IRONSCALES platform enables organizations to mitigate the risk associated with the technological, operational and human challenges inherent to phishing attacks. Our multi-layered and automated approach to prevent, detect and respond to phishing emails combines micro-learning phishing simulation and awareness training (IronSchool), with advanced mailbox-level anomaly detection (IronSights), automated incident response (IronTraps) and real-time automated actionable intelligence sharing (Federation) technologies. By providing protection at every stage of an email phishing attack, IRONSCALES’ customers reduce the time from email phishing attack discovery to enterprise-wide remediation from days, weeks or months to just seconds, with little to no security team involvement.
Rumors of other phishing awareness training companies looking to exit are gaining steam, and I don’t think it will be long until more follow suit, or such point solutions risk becoming obsolete.
The time to invest in a comprehensive anti-email phishing solution is now.
(From IRONSCALES blog).