Phishing is still the number one tool used by cybercriminals to gain access to sensitive information. I read in a recent article that there was a 61% increase in phishing attacks in 2022 compared to the previous year. That increase equates to 225 million attacks!
The worst part is that 76% of those phishing attacks were aimed at credential harvesting, a type of phishing used by cybercriminals to collect usernames or email addresses and passwords en masse. Credential harvesting remains the primary source of security breaches around the world.
Attackers cast that “big net” to see what they can catch. Once they have captured credentials, they can send out thousands of targeted emails using automation, and the chance that someone clicks goes up exponentially.
The Same Old Tactics, But A More Sophisticated Approach
It was stated in the SlashNext State of Phishing Report for 2022 that previous security strategies, including secure email gateways, firewalls, and proxy servers, are no longer stopping threats, especially as bad actors continue to launch these phishing attacks from trusted servers, business apps, and personal messaging apps.
Email phishing attacks continue to increase in complexity. Cyber attackers are now using other methods, such as sending text messages (SMiShing). I cannot tell you how many of those I received in anticipation of the midterm elections. The SlashNext report also states that there has been a 50% increase in attacks on mobile devices, which makes perfect sense since people are on their phones a majority of the time.
Even with the growing popularity of social media apps like Facebook, Instagram, TikTok, and Snapchat, email remains the number one application used around the world. Cybercriminals are aware of this, and they use it to their advantage. In an onslaught of emails, it only takes one email to get through to an employee to make your incident response team have a very bad day.
Creating A Cyber-Aware Workforce On A Tight Budget
Only 12% of an IT budget is spent on security. The majority of those funds go into the defense perimeter and the Security Operations Center. The remaining pennies go toward proper security awareness training. What a disservice we are providing to our organizations and employees!
Security professionals agree that security awareness training is critical in order to create a cyber-aware workforce. When any of those security defense perimeters fail, you are relying on your employees to be on their toes and to know how to identify and report a suspicious email. Essentially, employees are your last line of defense.
The Best Way To Train
Employees should be trained in several ways. First, there should be an overall basic training module that covers all aspects of what to be aware of. Second, there should be ongoing simulated phishing for ALL employees, and this must include your executive staff. If a user does click on a simulated phishing email, they should be provided with remedial training immediately.
This will help educate your employees on what to look for in every email they receive. If this is not done on an ongoing basis, they will continue to click away, leaving your organization vulnerable to a variety of problems. These problems can range from ransomware to financial loss through CEO Fraud.
As your security awareness training program matures, I highly recommend that it become an ongoing monthly event. Think about including more frequent, shorter, entertaining, and informative training modules. In addition, you can use widescreen monitors around the office to flash security messages. You want security to always be at the front of their minds.
When you train your staff, your security team grows exponentially. Every employee embraces and uses the knowledge you provided to keep your organization more secure. They must know that if they see something suspicious, they must report it immediately to minimize the attack surface.