Teaching Security Awareness Effectively
With the increase in remote work over the past year, it was inevitable that we would see a rise in phishing attacks. Thus, we were not surprised when the Verizon security report detailed that phishing attacks increased by 11% from 2019 to 2020 and that 85% of breaches involved the human element. According to CSO, 94% of malware targeting organizations in 2019 was delivered through email and phishing attacks cost businesses an average of $17,700 per minute.
Many companies respond to this rise in phishing attacks with more phishing training and simulations. However (and we are at risk of angering an entire industry with this), phishing simulations and forced training can often be counterproductive and actually contribute to a security culture built on shame instead of one built on productivity and common goals. Moreover, many companies go the extra step and penalize employees who fail phishing simulations too many times, even threatening to fire repeat offenders, which simply adds stress and worry to the mix.
The reason is simple. Phishing simulations create an “Us vs. Them” mentality between employees and the security team, as though the security team is playing a game of “Gotcha!”. Instead of being seen as an ally, the security team becomes the opponent. In addition, phishing simulations can be insensitive or hurtful, such as when Tribune Publishing Company sent a phishing simulation that pretended to offer a monetary bonus to employees during the recent lockdowns, or when one of our engineers (in a previous role) accidentally set up a phishing campaign for a client masquerading as an employee from Human Resources who had recently passed away.
Furthermore, once employees feel targeted by phishing simulations, they are less likely to pay attention during security awareness training and may even go so far as to sabotage the training or simulation. As a result, employees aren’t trained in identifying phishing attacks and are less likely to report an incident when they, or a colleague, fall victim to a real attack.
Thus, instead of shame-based phishing simulations, security teams should focus on positive reinforcement such as regular phishing training (not simulations), communicating with employees on security issues, encouraging employees to reach out to the security team with questions or concerns, and public acknowledgement or rewards for the first employee to report a real phishing email. With these types of activities, employees and the security team become partners in creating a positive atmosphere instead of a culture based on shame… shame… shame.
The Business Cost of the SolarWinds Attack
We often focus on the actual business cost of security breaches and security stories. The reason for this focus, as we explained in a previous blog post, is that security teams often need to justify their budgets. Thus, we were excited to see the results of a survey about the recent SolarWinds breach from IronNet. According to respondents from the United States, the financial impact of the SolarWinds attack was an average of 14% of annual revenue, or around $12 million per company.
Other interesting results of the survey were:
90% of respondents said their security posture had improved over the last two years, but 86% suffered attacks severe enough to require a meeting of the companies' C-level executives or boards of directors.
67% of companies have started to share information with tech industry colleagues, and 50% started sharing more information with government leaders.
42% of companies have already modified their supply chain security as a result of the SolarWinds attack.
Ransomware attacks are driving up the price of cybersecurity premiums, with premiums increasing by 7% on average for small companies and between 10% and 40% for larger companies. Moreover, some researchers now argue that cybersecurity insurance may be contributing to weaker security as companies invest in insurance premiums to protect against ransomware instead of compensating controls.
Zero-day attacks hit an all-time high relative to other attacks, making up 74% of all threats detected, according to a WatchGuard report. Note: zero-day attacks here are threats that have no corresponding signature or anti-virus detections.
Because Cisco provided a patch for CVE-2020-3580 in October 2020, security researchers deemed it safe to publish proof-of-concept exploit code for the underlying vulnerability on Twitter. Needless to say, not everyone patched their devices, and reports are now being released saying attackers are actively targeting unpatched Cisco devices.
Other vendors are also being targeted: Zyxel reports that advanced attackers are actively targeting its VPN and firewall devices.
A new House bill has been introduced that will attempt to improve the average cybersecurity awareness for citizens.