Phishing: Training your Employees Can Save you Millions

Over the past few years, it seems we’ve seen a major data security breach in the headlines every few weeks. And every time it happens, I hear folks ask what they can do to help protect their company from such cyberattacks. Well, there are a number of things that can and should be done to protect today’s enterprises, but one in particular may have the best ROI out there: training employees to recognize and avoid phishing attacks.

Forbes’ recent article on phishing attacks included a list of the top 10 recent alerts on such attacks as reported by Fraudwatch International.

Phishing, for the uninitiated, is an “e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients…messages appear to come from well known and trustworthy Web sites [such as] PayPal, eBay, MSN, Yahoo, BestBuy, and America Online.” (Source: TechTarget). During the second quarter of 2015 alone, Kaspersky Lab’s anti-phishing system was triggered more than 30 million times, “and that was only counting those triggered by computers running that company’s security products.” (Source: Forbes, “Top 10 New Phishing Scams: How You And Your Company Can Thwart Them,” October 7, 2015, by Lisa Brownlee). To make matters worse, phishing attacks have grown more sophisticated and authentic-looking over time, so much so that nearly a quarter (23 percent) of recipients open phishing emails, and more than one in ten (11 percent) go on to click the malicious attachment. (Source: Verizon Data Breach Investigations Report 2015).
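To make those “legitimate-looking” lures concrete, here is an added example (not code from the Forbes, Kaspersky or Verizon material cited above) that checks a raw email for the telltales employees are trained to spot: a brand name in the display name while the sending domain is not the brand’s, a Reply-To that routes answers elsewhere, link text that shows one domain while the href goes to another, and a brand name buried inside a lookalike host. The brand-to-domain table and both sample messages are constructed for the example, and the “registered domain” logic is a crude last-two-labels approximation rather than a public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand -> legitimate sending domains. Constructed for this example; a real
# mail gateway maintains a much larger table.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "microsoft": {"microsoft.com"},
}

_ANCHOR_RE = re.compile(r'<a[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
_TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for the sample domains used here;
    hosts such as example.co.uk need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(value):
    """Registered domain of the first address in a From/Reply-To header value."""
    _, addr = parseaddr(str(value or ""))
    return registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def analyze(raw_message):
    """Return the phishing indicators found in a raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = header_domain(msg.get("From", ""))

    # 1. A brand is claimed in the display name or address, but the mail comes from elsewhere.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in f"{display_name} {from_addr}".lower() and from_dom not in legit:
            findings.append(f"sender claims '{brand}' but domain is {from_dom}")

    # 2. Replies are silently routed to a different domain than the one shown in From.
    reply_dom = header_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text names one domain while the href goes to another, or the href host
    #    embeds a brand name under an unrelated registered domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href, inner in _ANCHOR_RE.findall(content):
        host = (urlparse(href).hostname or "").lower()
        visible = _TAG_RE.sub("", inner).strip()
        shown = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text shows {shown} but points to {host}")
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and registered_domain(host) not in legit:
                findings.append(f"lookalike host {host} imitates {brand}")
    return findings


# Two constructed messages: one phishing lure, one genuine notification.
PHISHING_SAMPLE = """\
From: "PayPal Security" <alerts@paypal-verify.example>
Reply-To: collect@mailbox-drop.example
To: victim@corp.example
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your identity within 24 hours:</p>
<a href="http://paypal.com.secure-login.example/confirm">https://www.paypal.com/signin</a>
</body></html>
"""

LEGITIMATE_SAMPLE = """\
From: "PayPal" <service@paypal.com>
To: victim@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(label, analyze(sample) or "no indicators")
```

Run stand-alone, the phishing sample produces four indicators and the genuine one none. These are exactly the checks a mail gateway automates; the reason training still matters is that a lure can pass every one of them (a compromised but legitimate account, a freshly registered domain, a plain-text message with no links) and then the only control left is the person reading it.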

A recent report from the Ponemon Institute further reveals the dangers and costs of phishing to enterprise. According to the report:

  • the average, annual cost to contain a malicious software infection from phishing is $1.9 million (Source: The Security Ledger, “The Cost of Phishing? More than you think!,” Aug. 26, 2015)
  • the average cost to businesses to recover from a successful phishing attack is $300,000 (Source: Id.)
  • the costs of phishing attacks (including containing the malware, remediating uncontained malware, productivity losses, containing credential compromises and remediating uncontained credential compromises) adds up to $3.77 million per year for the average organization (Source: TechTarget, “Report: phishing training could cut damage costs by $1.8M,” Aug. 27, 2015)
  • the most costly part of a phishing attack is loss of productivity at 48% of the total cost (Source: Id.); and,
  • the average productivity loss due to phishing is 4.16 hours per employee, per year (that’s more than 400 hours of work – or 10 weeks – lost per year for an organization with just 100 employees). (Source: Id.)
“Joe Ferrara, president and CEO of Wombat Security Technologies, said organizations should be building a security culture where all employees are encouraged to make secure behaviors a priority.”

The good news, according to Ponemon, is there is something companies can do to protect against phishing and minimize the risks associated with such attacks. “Ponemon studied six companies, which had implemented phishing training programs for employees, and found that the long-term average net improvement per organization was 47.75%. Assuming this average improvement, organizations could save up to $1.8 million on phishing costs, the report concludes.” (Source: TechTarget, “Report: phishing training could cut damage costs by $1.8M,” Aug. 27, 2015).

Companies and their IT departments often focus on technology solutions such as firewalls, anti-spyware and anti-virus software when defending against cyberattacks, including phishing. Those solutions are important, but when designing and implementing a comprehensive infosec program, don’t forget your employees and the good they can do. Leaders who train them well and give them the knowledge and tools to resist phishing will be far better placed to withstand these attacks even as they grow in number and sophistication.

The Target Data Breach: a Study in Failed Cybersecurity Basics

On December 18, 2013, security blogger Brian Krebs broke the story that one of the largest retailers in the world, the Target Corporation (“Target”), had suffered a significant data breach. Initially the public was told the breach affected the payment card data of some 40 million customers, but within a month the story had evolved: it was revealed that more than 70 million customers had information stolen, including names, emails and phone numbers. (Source: TechCrunch, “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails And Phones,” by Sarah Perez, January 10, 2014).

Verizon’s consultants found that without “mundane security best practices,” even the best new security platforms can’t defend against breaches.

By the end of the following year, Target had incurred nearly a quarter of a billion dollars ($252 million) in costs arising from the data breach, along with significant damage to the company’s reputation. (Source: “Target Breach Price Tag: $252 Million and Counting,” Privacy and Security Matters blog post by Kevin M. McGinty, February 26th, 2015).

Since then, a number of people have examined the Target breach to understand what went wrong, including the Verizon consultants the company brought in for a post-mortem. According to an article published last week in Computerworld (citing Krebs, who published details of the Verizon report on his blog KrebsOnSecurity), “Verizon consultants [ ] came back with results that point to one overriding – if not dramatic – lesson: be sure to implement basic security best practices.” (emphasis added). (Source: Computerworld, “Report: Target failed on security basics,” by Tim Greene, October 1, 2015.)

Below are two of the more interesting “basic” cybersecurity failures the report identified. For the complete list, see the full Computerworld article and Krebs’ post at http://tinyurl.com/nv9kd63.

  • “Weak passwords: From the post: ‘Within one week, the security consultants reported that they were able to crack [86 percent of Target’s passwords] that allowed access to various internal networks, including target.com, corp.target.com, email.target.com, stores.target.com, hq.target.com, labs.target.com and olk.target.com.’ The post says that Verizon consultants also cracked 12 (34%) of 35 admin domain passwords.”
    December 19, 2013 article in the Wall Street Journal reporting on the Target breach and “a brazen breach of [the] major retailer’s information security.”
  • “Failure to segment networks: From the post: ‘[N]o controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.’ … In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.”
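To show why “within one week” is not surprising, here is an added example (not from the Verizon report or the Krebs post) of the kind of offline dictionary attack an auditor runs against a password dump: a tiny wordlist expanded with the mangling rules people actually use (capitalization, leet substitutions, an appended number, year or exclamation mark). The account list and the use of unsalted SHA-1 as the stored hash format are assumptions made for the example; the point is that a word plus a year falls after a few thousand guesses, while a long random passphrase is not reachable from any wordlist.

```python
import hashlib
import time

# Constructed for the example: a handful of base words. Real audits draw on
# wordlists of millions of entries plus prior breach corpora.
WORDLIST = ["password", "welcome", "target", "summer", "letmein", "admin"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "1!", "123", "2012", "2013", "2013!", "2014"]


def mangle(word):
    """Yield the variations people actually use: case changes, leet substitutions,
    and an appended number, year or exclamation mark."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def sha1_hex(plaintext):
    """Assumed hash format for the example: unsalted SHA-1. Any fast unsalted
    hash (NTLM, MD5, SHA-1) behaves the same way; a slow, salted KDF does not."""
    return hashlib.sha1(plaintext.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST, hash_fn=sha1_hex):
    """Dictionary attack. Returns ({hash: plaintext} for every hash recovered,
    number of candidates hashed); stops early once every hash is recovered."""
    remaining = set(hashes)
    found, tried = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            digest = hash_fn(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, tried
    return found, tried


def audit(accounts, hash_fn=sha1_hex):
    """accounts: {username: hash}. Returns ({username: plaintext} for cracked
    accounts, fraction of accounts cracked, candidates tried)."""
    found, tried = crack(accounts.values(), hash_fn=hash_fn)
    cracked = {user: found[h] for user, h in accounts.items() if h in found}
    return cracked, len(cracked) / len(accounts), tried


# Constructed account list. The hashes are derived from plaintexts here only so
# the example is self-contained; an auditor would read them from a dump.
SAMPLE_PLAINTEXTS = {
    "svc_pos": "Target2013!",
    "jsmith": "P@ssw0rd1",
    "admin_bk": "welcome1",
    "hvac_vendor": "Summer2014",
    "ciso": "correct horse battery staple 47",
}
SAMPLE_ACCOUNTS = {user: sha1_hex(pw) for user, pw in SAMPLE_PLAINTEXTS.items()}

if __name__ == "__main__":
    start = time.perf_counter()
    cracked, rate, tried = audit(SAMPLE_ACCOUNTS)
    print(f"{len(cracked)}/{len(SAMPLE_ACCOUNTS)} cracked ({rate:.0%}) "
          f"after {tried} guesses in {time.perf_counter() - start:.3f}s")
    for user, pw in cracked.items():
        print(f"  {user}: {pw}")
```

Four of the five constructed accounts fall in a fraction of a second; only the long passphrase survives, because no mangling rule turns a dictionary word into it. The same run against a properly salted, slow hash (bcrypt, scrypt, Argon2) would take orders of magnitude longer per guess, which is why the “basic” controls here are two-fold: a password policy that rules out word-plus-year constructions, and a storage format that makes each guess expensive.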

The Target breach, like so many other high-profile compromises, presents some important lessons about information security and data breach prevention, the most profound of which is that cybersecurity has to begin with the basics. There are complicated layers and technical issues involved in breaches, to be sure, but for organizations looking to shore up their cyber-defenses, sometimes the best place to start is the “A B C’s,” getting the “easy stuff” right to protect the company and its customers from the attacks that will most surely come.