A data breach is often an employee problem

Phishing is a leading cause of data breaches at companies.

According to the Verizon 2015 Data Breach Investigations Report, “phishing” is still a major source of data breaches. The report found that 23% of recipients of phishing emails were opening them and 11% were clicking on the links in the email. Fifty percent of these people were opening and clicking within one hour of having received the email. Once a link is clicked, an attack is made within one minute and 22 seconds. Therefore, an employee letting the attackers in the door is a big problem. How do you solve this problem? There are two methods.

The first solution is to have a robust email screening tool. Your IT system has to be very good at screening out emails that are potentially phishing attempts. Never allowing an employee to read or click a link is certainly effective in preventing breaches.
The second solution is to have a second line of defense and that is employee education. The report says that an employee education program combined with an awareness and reporting program can reduce breaches to less than 5%. The report said that creating a network of human sensors is more effective at detecting phishing attacks than almost any technology.

Training and awareness

Training employees on what to watch for and how to respond to suspected phishing attacks is important. My guess is that seldom is such training included in either an orientation or onboarding program. It should be. It should also be reinforced on an annual basis, much like sexual harassment training refresher courses. Make your employees an effective line of defense.
One security expert once told me that one of the best ways to breach a business was to put malware on a thumb drive and drop it in the company parking lot. Most employees will have a tendency to think a fellow employee lost it and will go back to their desk and stick it into their computer to see who the owner is…. Bam… breach. Make sure your awareness program covers more than just phishing.
The report also found that many breaches are intentionally conducted by employees. That needs to be an additional part of your awareness program, but that is a story for another day. If you are interested in reading the report, it can be found HERE.
