That was the main topic of discussion at TELUS’ and Wombat Security’s most recent webinar featuring 2018’s State of the Phish report. Mike Vamvakaris, Director, Cyber Security Consulting, TELUS Security, and Donald Stewart, Senior Channel Prime, Wombat Security, a division of Proofpoint, educated attendees about end user risk management.
Vamvakaris kicked off the presentation with an overview of security today. While digital transformation is enabling progress in communication and collaboration, artificial intelligence (AI) and Internet of Things (IoT), there are associated risks. And those risks are growing in frequency, number and severity every day.
Interestingly, he pointed to a somewhat confounding stat, which encapsulates the current challenge for most security professionals. Security spending is up. Good thing. But so are breaches. Not so good thing. The strong (and sometimes sole) focus on technology solutions is largely to blame. People are investing dollars in one part of the security equation, but are overlooking the other elements of a holistic, ecosystem approach – process and people.
Wombat Security focuses squarely on the people portion. The company’s mandate is simple (and is captured in its tagline): Change behaviour. Reduce risk. Wombat Security assesses, trains and gathers intelligence about end user cybersecurity knowledge and behaviour. It then provides software solutions targeted at improving those behaviours and responses to cyber attacks.
The common security denominator
Your network can be a technological fortress. But if your employees aren’t educated and aware, you’re still vulnerable. Stewart presented some pretty startling statistics. For example, 98% of all social engineering-based incidents and breaches include phishing and pretexting. Unsettling? Absolutely.
According to Stewart, phishing is one of the biggest risks threatening a strong and fortified last line of defense. With the pesky prevalence of phishing, Wombat Security studies the threat comprehensively and provides an annual report on the “state of the phish.”
The report provides insight into the tactics that security professionals are using to reduce end user risk. Wombat Security’s researchers’ findings are based on data collected from simulated phishing attacks during a one-year period and surveys with information security professionals and general computer users.
Even with increased training, phishing is still an issue. In fact, 76% of those surveyed experienced a phishing attack in 2017. Stewart also detailed other key findings from the report including:
Types of simulated phishing attacks (consumer, corporate, communication, cloud)
Click rates by industry
Templates that tempt people to click
Technology safeguards being used
User training tools
Stewart’s main message? Awareness! According to Wombat Security’s findings, 95% of organizations are training their employees about phishing, which is great. But they need to expand their scope of training to cover other risks including over-sharing on social media, poor password hygiene and vishing (phone scams).
Progressive, continuous awareness
What can you do to improve end user awareness and promote healthier security behaviours in your organization? It’s vital to fortify your last line of defense with both education and practical protection.
Wombat Security’s approach is cyclical – assess, educate, reinforce and measure. Training must happen frequently throughout the year (many organizations only train on an annual basis). With a cyclical approach, employees learn best practices and how to employ them in a real-life threat situation. Awareness grows progressively and continuously.
TELUS can testify to the approach. Employing Wombat Security’s solution, TELUS was able to increase awareness and threat reporting while reducing its click rate (below the industry standard of 15%).