Part 3 of a 5-part series.
In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click.
To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a reduction in susceptibility, or click rate. However, before we commit to a low click-rate as an indicator of improved security posture, and thus an ability to better defend against phishing threats, let’s consider…
Uncomfortable Truth #3 – The best security awareness program in the world will NEVER deliver a zero click rate.
As the pioneers of phishing simulation used to educate employees, we at Cofense™ know quite a bit about it. Effective phishing simulation (i.e. a phishing simulation program that actually conditions the desired behavior in a REAL attack situation) is more than just sending a few spoofed emails to users to see who clicks and who doesn’t.
While lower overall susceptibility, or click rate, is a desirable benefit, it should not be the primary objective. When reviewing data based on >2000 enterprise customers using the Cofense PhishMeTM phishing simulation platform over the last few years, we’ve seen average susceptibility flatten at about 11.5%. Here’s how the math works out:
Imagine a phishing attack that targets 1000 employees in the same organization (attacks like this are common). With an average susceptibility rate of 11.5%, this attack could easily net the threat actor 115 sets of credentials, or 115 endpoints compromised with malware. Even an industry-leading susceptibility rate of 3% in simulations results in a compromise of 30 individuals – more than enough to cause significant disruption and damage, such as Man in The Inbox attacks directed at business partners and customers. And if security teams are not aware of the attack, how can they stop it?
When investing time, effort and resources in phishing simulation activities, it’s critical to remember that REAL phish are the REAL problem. While the CISO, security awareness, and security operations stakeholders might have differing day to day responsibilities, they all have the overarching responsibility to improve organizational security posture. By breaking down silos and working more closely together, they can challenge current thinking and ask, “How can we ensure our phishing simulation activities are truly representative of the actual threats we receive?”
When you approach your program this way, you can encourage the right user behavior. Click rate alone becomes less important, and you begin to wrestle back an element of control in how users respond to real attacks.
In part 4, we’ll take a look at perhaps the most contentious uncomfortable truth of all: Users are NOT the Problem. We will attempt to bust the myth that the problem exists between the keyboard and chair.
Until then, learn more about anti-phishing trends in our State of Phishing Defense 2018 report.