KnowBe4 Report: 2019 Phishing by Industry Benchmarking

How are you doing compared to your peers of similar size?

As a security leader, you’re faced with a tough choice. Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up! IT security seems to be a race between effective technology and clever attack methods. However, there’s an often overlooked security layer that can significantly reduce your organisation’s attack surface: New-school security awareness training.

The 2019 study analysed a data set of nearly nine million users across 18,000 organisations with over 20 million simulated phishing security tests. In this report, research from KnowBe4 highlights employee Phish-prone™ percentages by industry, revealing at-risk users that are susceptible to phishing or social engineering attacks. Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Top 3 industries by company size.

Do you know how your organisation compares to your peers of similar size? Download your report to learn more about:

  • New phishing benchmark data for 19 industries
  • Understanding who’s at risk and what you can do about it
  • Actionable tips to create your “human firewall”
  • The value of new-school security awareness training

Phishing vs Spear Phishing

The Osterman Research White Paper ‘Best Practices for Implementing Security Awareness Training’ reveals a wide range of issues that concern security professionals. One of which being more than 90% of organisations report that phishing and spear phishing attempts reaching end users during 2018 are either increasing or staying at the same levels.

While phishing and spear phishing attacks are similar, there are many key differences to be aware of.

A phishing campaign is very broad and automated, think ‘spray and pray’.

It doesn’t take a lot of skill to execute a massive phishing campaign. Most phishing attempts are after things like credit card data, usernames and passwords, etc. and are usually a one-and-done attack. 

On the other hand, spear phishing is highly targeted, going after a specific employee, company, or individuals within that company.

This approach requires advanced hacking techniques and a great amount of research on their targets. Spear phishers are after more valuable data like confidential information, business secrets, and things of that nature. That is why a more targeted approach is required; they find out who has the information they seek and go after that particular person. A spear phishing email is really just the beginning of the attack as the bad guys attempt to get access to the larger network.

Network Utilities partner with KnowBe4 to help our customers keep users on their toes with security top of mind. Effective new-school security awareness training helps reduce risk and strengthen an organisation’s human firewall.

KnowBe4 named UK’s Security and Consultancy Provider of the year

KnowBe4, the provider of the world’s largest security awareness training (SAT) and simulated phishing platform, announces it has won Network Computing’s Security Training and Consultancy Provider of the Year award.

KnowBe4’s CEO Stu Sjouwerman said, “We are very happy to win this award and are committed to the UK market. We’ve seen explosive growth with organisations recognising the need for training to improve their security culture. Additionally, we are working with UK based organisations such as Twist and Shout to continue to provide relevant and Netflix quality content.” Sjouwerman further noted, “We are also very proud of our UK team for their dedication to our customers.”

According to Verizon’s 2019 data breach investigation report, Phishing was the #1 threat action used in successful breaches linked to social engineering and malware attacks.

Network Utilities partner with KnowBe4 to help our customers keep users on their toes with security top of mind. Effective new-school security awareness training helps reduce risk and strengthen an organisation’s human firewall.

Sources:

A Deep Dive on How to Catch Phish

The modern email threat. The simple plain text email appearing to come from the CEO asking the junior finance or accounts payable team member to immediately settle the overdue invoice from an irate supplier, that has just called them personally to complain.

Call it Business Email Compromise (BEC) or CEO Fraud, it’s still a targeted phishing attack, and the number of incidents has been rising steadily. Trend analysis here at CensorNet shows that these emails will soon account for 1% of all emails processed – or 1 in every 100 messages our customers receive.

Defending against this particular threat continues to be a major focus for the team, and an area of significant innovation and investment.

Whilst FBI Operation WireWire resulted in the arrest of 74 individuals in multiple countries last week – that still leaves plenty more Phish in the sea.

The problem with CEO fraud email messages is that they are notoriously difficult to detect.

In a recent attack, the only attribute of a message that was changed was the ‘Header From’ field. The display name in Outlook (other email clients are available) showed the CEO’s name.

(Note: Even the From address in < > next to the display name showed something similar to this email address – donotreply@executiveteeammailbox.com – which should have been enough to alert the user, but security education is not the topic of this blog post).

Nothing about the sender or sending server was suspicious. The IP address was not in any blacklist, the MX record was valid, the sending server matched domain and responded to an smtp probe. There was no SPF record.

We’re still undecided as to whether this makes the attacker super-smart or simple-stupid. The simplicity of the attack meant the message was likely to make it through most email defences, but would rely heavily on the recipient user being half asleep.

What this example does provide, is crystal clear evidence of the need for an ultra-modern and multi-layered approach to email security.

Traditional pattern matching / recurrent pattern matching technology is as much use as a chocolate teapot.

Content analysis – looking for message content that includes ‘urgent wire transfer’ or similar language can be effective but comes at a price. And that price is a risk of false positives – incorrectly identifying legitimate emails as ‘Suspect’.

Although, you could argue that quarantining the occasional message chasing payment of an invoice will help cash flow and is still better than inadvertently transferring $25,000 to an account in China or Hong Kong.

Algorithmic analysis is a powerful weapon in the arsenal for identifying scam emails, but even with over 1,000 algorithms examining over 130 elements of the message (in less than 200ms, about half the time it takes to blink), there was little (read nothing) to fire on in this case.

What was interesting about this particular attack was the domain that was used. It wasn’t a recently registered or new domain – it was almost a month old. It wasn’t a nearby domain (or cousin or typosquatting domain), so Levenshtein distance (one of our favourite algorithms due to its power and simplicity) wasn’t helpful. But. The registrant had a history of criminal activity – registering domains and using them in attacks – and that meant a high threat intelligence risk score.

What the attack also highlights is the need to identify the real names of key individuals in external emails – particularly in ‘Header From’. Building a list of names of the executive team and board members, and anyone else that’s an active spokesperson for the organization, and quarantining messages that contain those names, might not be sophisticated but is still a very valid defence.

As a last resort, some email security solutions rely on the user entering in to a conversation with the attacker – asking for more details about the outstanding invoice, or exactly what detailed (confidential or personal) information the sender needed – building up a risk score with each message exchange until a threshold is reached.

CensorNet invest in combining technologies and techniques that identify and block the initial inbound email. Tracking smtp conversations is still interesting. If a user receives an email from a sender for the first time that also contains potentially suspicious content, then a banner across the top of the email advising caution might just be enough to cause them to stop and think!

Ultimately a combination of content analysis, threat intelligence and executive name checking would have stopped this super-smart, simple-stupid attack. Is it time to think differently about email security.

Ultra-modern, multi-layered defence wins again.

Source: https://www.censornet.com/resources/blog/

Webinar Recording: Why Phishing Attacks Work & What You Can Do About Them

It is generally accepted that by far the greatest risk to the security of your corporate data are your employees themselves who may unwittingly fall victim to phishing attacks. Industry figures indicate 60% of UK office workers receive a Phishing email at least once a day.

Yet a YouGov study funded by Bluecoat indicated that just 6% of British employees have received training in how to deal with phishing attacks. Find out in 15 minutes what you can do to significantly reduce the risk of a user unknowingly installing malware in your organisation.

Stop Phishing Attacks – Harness The Power of Your Human Sensor Network

By Malcolm Orekoya, Senior Technical Consultant at Network Utilities

MalcolmViews expressed in this post are original thoughts posted by Malcolm Orekoya. These views are his own and in no way do they represent the views of the company.

In the security world the ability of any system to proactively or reactively deal with a security threat is highly reliant on the systems sensors, that is, the ability for the systems to detect threats. This detection process can be based on a myriad of characteristics, heuristics, behaviours etc. that make it possible for the system to differentiate between what is normal and what is abnormal in the context of the type of traffic that system processes on a daily basis. Once the threat is detected the system can then react to it by performing some sort of mitigating action.

The success of security initiatives relies on the implementation of layered security defences, and at a high level the major layers of infrastructure networks most widely considered are the endpoint (or host) layer, the application layer and the network layer. All the detection systems such as firewalls, intrusion preventions systems (IPS), distributed denial of services (DDoS) systems, anti-virus, web application firewalls (WAF) etc. deployed at these layers rely on early detection of abnormal activity in order to function optimally. But why is the human layer seldom considered when it comes to detecting abnormal behaviour on the network? Especially when it pertains to the type of threats that specifically target human vulnerabilities, such as malware, advanced persistent threats (APT) and phishing.

The one constant factor that exists at all currently considered layers of security is the human element. It is often said that humans can be the weakest part of any security system and this can be, for example, because people are capable of making configuration mistakes. So to counter this, training is provided to individuals who manage these systems in order to minimise the risk of such mistakes. However training is seldom considered to educate people on how to detect abnormal activities in their interactions with day to day systems such as emails, browsers and websites. How does an employee detect the difference between an email with a legitimate attachment and a malicious one? Or a legitimate website and a phishing website? Education is the answer; or rather Educate, Test, Review, Repeat might be a better sequence of activities to combat this.

The idea here is to educate people on these threats and its various guises, test their understanding and responses to the education, review the results of such tests and then repeat the entire cycle periodically over and over again. Do not simply assume that everyone within your organisation should know how to spot and react to phishing attacks. We assume most people that work within the IT team do but it is easy to fall victim to what are nowadays very sophisticated and deceptive phishing attacks.

From a defence in depth security perspective, the end goal here is to cover all bases by creating a human sensor network within your organisation, where the human element becomes an integrated part of your security systems sensors ability to detect threats. In many cases we already enable people to become part of the organisations security alert system, for example, in offices where an unrecognised person can be stopped by anyone, anywhere within the office premises if they are walking around without an identification badge visibly displaying who they are.

Over the last couple of years there have been numerous publications that have highlighted that the wide spread infection of endpoint devices by malware and growth in cyber espionage have increasingly featured phishing. This is due in part to the lack of effective awareness and training being provided to the humans that are essentially the first point of attack for phishing activity. By transforming this first point of attack into an effective detection sensor you are creating a network of human sensors, which can hugely reduce the number of people that fall victim and subsequently reduce the success percentage of phishing campaigns. Usually in a more cost effective and efficient manner than most other technologies out there.

Want to know more? Please get in touch via info@netutils.com and visit http://www.netutils.com/phish5.php to find out how proactive user security training can help you stay protected.

About Malcolm
As Senior Technical Presales Consultant at Network Utilities Malcolm consults and advises on specialist IT Networking, Security and Service Management requirements.

Phishing- Are you ready to be caught out?

By Anthony Mortimer, Account Manager, Netutils

AnthonyMortimerViews expressed in this post are original thoughts posted by Anthony Mortimer. These views are his own and in no way do they represent the views of the company.

In the age of commercialised hacking, organisations are experiencing greater frequency and sophistication of attacks than ever before, this is driven simply by the commercial value corporate data represents to criminals. According to Trend Micro 90% of all known successful data breaches in 2012/2013 were attributed to Phishing attacks.

At Netutils we see and talk to a broad range of organisations all with very different views to the risk these threats pose. For many smaller organisations the presence of a firewall and basic security is seen as sufficient; but here’s why these smaller businesses should be concerned.

For a start criminals are now regularly targeting suppliers or customers of big organisations as the staging point to attack the bigger network. More importantly we are seeing a trend for large businesses to dictate security policy to their suppliers for them to continue to trade with them or to win new contracts.

A significant growth area is in the use of targeted Phishing emails and more focussed spear phishing attacks tailored to specific individuals based on pharmed data. These types of attacks are becoming more difficult to mitigate against putting significant stresses on IT department’s budgets.

We have witnessed organisations handling these threats with 2 broad methodologies:

  • Deployment of technology to counteract attacks
  • End user training

It is generally accepted that by far the greatest risk to the security of your corporate data are your employees themselves who may unwittingly fall victim to phishing attacks. According to industry figures 60% of UK office workers receive a Phishing email at least once a day. In addition the greatest issue with regards to end user training is that for most organisations it is difficult to deliver such a course in a way that will make a real difference. Businesses will often run a single awareness session and hope that will mitigate the risk. Unfortunately Phishing attacks are dynamic, although they follow a similar pattern the content and mechanisms change, unless staff are made aware of these on a regular basis the training deployed may only have value for a few weeks after delivery until a new form of attack is devised.

The second method of combating these threats is via the deployment of technology, this poses real issues to businesses and it can be argued many traditional signature based solutions offer little real protection. This is essentially because they rely on a known database of attack signatures to spot and block an attack. However with the rise in commercial hacking activities self-service malware portals can provide the enterprising hacker with a unique piece of malware for as little as $100 that can sit undetected on corporate machines, up until it is discovered and the signature published.

At Netutils we believe that effective mitigation requires a layered approach to handling these issues. At the heart of our solution set are 2 key elements: ongoing security training via our interactive training platform (PhishAware) and cutting edge signature less technology.

If you have any concerns about the impact of Phishing in your business then do please contact a solutions expert from our team on:

t: 020 8783 3800
e: info@netutils.com

PhishAwareTrial