Attendees at the Black Hat 2017 security conference said their No. 1 security concern and most time-consuming activity was phishing and social engineering attacks. That’s no surprise with the increase in Business Email Compromise (BEC) attacks and with most ransomware being delivered by email.
But Black Hat attendees also said the weakest link in their security strategy was end users who are susceptible to phishing and social engineering.
That’s why we’ve introduced a new free service, Phish Insight. With it, businesses of all sizes will finally be able to generate exactly the information they need to craft more effective security awareness and training programs. Best of all, it is completely free!
The top threat vector
Email is still the biggest threat vector impacting organizations today. Trend Micro’s Smart Protection Network blocked more than 66.4 billion threats in 2017 and over 85 percent of these were emails containing malicious content. Phishing is among the most common tactics used by cybercriminals. Employing social engineering tactics, they typically aim to trick the user into clicking on a malicious link or opening a malware-laden attachment. This in turn could lead to a ransomware download or even be the first stage in a more covert info-stealing operation designed to lift customer data or highly sensitive intellectual property.
In 2017, 94 percent of all ransomware blocked by Trend Micro was distributed via email. What’s more, the latest stats from Verizon claim that phishing represented 93 percent of all data breaches recorded in 2017. BEC is another rising threat to organizations, one that relies on tricking the end user, this time into making corporate wire transfers to the hacker, who is impersonating the CEO or other senior executives. Trend Micro predicts such scams will lead to cumulative losses in excess of $9 billion this year.
On the frontline
As social engineering and phishing tactics play an ever greater role in cyber-attacks, the stakes will only increase. The share price of one aerospace company is said to have fallen 38 percent after it was hit by a BEC attack which resulted in losses of over €50m ($62m). So what’s the answer? Clearly we need to get better at strengthening our weakest link in the cybersecurity chain: our employees.
Unfortunately, unlike technology, staff can’t be patched. But with the right kind of education programs they can be taught how to spot email scams. According to Verizon, 4 percent of targets in any given phishing campaign will click on it. That may not sound like much. But it only takes one misplaced click to potentially land your organization in trouble.
Introducing Phish Insight
We know that awareness and education programs are an important complement to cybersecurity tools and technologies. But how do you go about crafting an effective program? This is where insight into user behavior becomes crucial.
Phish Insight allows you to quickly and easily generate that insight, completely free of charge. Organizations of all sizes can get started: all they need is one administrator and a few minutes to create a phishing campaign. They can select recipients, choose a template according to behavior or topic for phishing, and even customize the phishing exercise by subject, graphics, language and so on. Admins can also set the duration of the awareness “campaign.”
Once the campaign is underway, insight will be fed back via detailed stats in the Monitoring Center. IT teams can see who has been caught at an employee level and can also identify if certain departments or regions are more at risk than others. It’s this information that they can then use to improve training programs. How they do this is up to the customer, but next steps could include issuing an automatic email alert to users who are successfully phished, and/or routing them to online training on phishing awareness. The premium version is free upon request and also includes an Outlook plugin which adds a button for users to alert their security team of suspicious emails.
“We count on Trend Micro as a security partner, with that comes the expectation that they will deliver the latest methods to detect, assess and react to threats,” said Niall O’Beaglaoi, Business Development Manager with Smarttech. “Their newest tool, Phish Insight, has provided invaluable information on how users perceive and interact with phishing emails.”
For 30 years Trend Micro has been working to make the world safer to exchange digital information. We’re making this service available free of charge because there’s a real opportunity here to radically improve baseline security for countless organizations. Humans are creatures of habit, and if you can persuade them to adopt good practices then you’ll be taking a massive step on the road to a more proactive cybersecurity posture. That all begins with better insight: with Phish Insight.