Time and time again we hear from security experts who say that the main threat to any organization lies with its end users. In fact, according to Forrester Research, the majority of security breaches (some estimates are as high as 85 percent) involve internal employees.
Aside from the obvious threat posed by disgruntled workers who may try to abscond with company secrets, an even more frustrating one comes from the end user who means no harm but simply does not know better.
Some days you feel like your warnings about password security and phishing are a waste of breath. You wonder what chance your end users have against the newest form of security risk, the spear phishing scam: regular phishing’s more targeted cousin, in which the message is tailored to a specific organization or even a specific person. Because these campaigns are low-volume and customized rather than blasted out in bulk, they are often not caught by anti-spam or phishing filters.
So how vulnerable are companies to spear phishing attacks? A recent report by iDefense Labs estimates that there have been 66 distinct spear phishing attacks between February 2007 and June 2008, with the rate of attacks continuing to accelerate. The report goes on to say that spear phishing groups have claimed more than 15,000 corporate victims in 15 months, with victim losses exceeding $100,000 in some cases. Victims include Fortune 500 companies, financial institutions, government agencies, and legal firms.
To illustrate and help curb risky corporate end-user behavior, the information security services firm Intrepidus Group has developed an application called PhishMe. The app automates the execution of mock phishing exercises, provides clear and accurate reporting on user behavior, and offers targeted end-user training.
Here’s an example of how it works. William Pelgrin, New York’s chief information security officer, contracted with Intrepidus. In the experiment, Pelgrin and his team sent mock phishing e-mails to nearly 10,000 New York state employees. The messages appeared to be official notices asking them to click on Web links and provide passwords and other confidential information about themselves.
With the first run of the e-mail, 75 percent of employees opened the e-mail, 17 percent followed the link, and 15 percent entered data. Pelgrin and his team let users who had proven vulnerable know they’d been scammed and then sent another mock spear phishing e-mail. With the second run, only 8 percent even opened the e-mail.
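As an added illustration of the bookkeeping behind an exercise like this (example code written for this page, not PhishMe’s code or part of the original article), the Python below shows how a mock-phishing tool can attribute opens, clicks and submissions to individual recipients using an unforgeable per-recipient token, roll those events up into the same funnel reported above (opened, followed the link, entered data), and list the people who fell for the link in both runs so they can be singled out for follow-up training. The campaign key, recipient IDs and event log are all constructed for the example.

```python
"""Bookkeeping for a mock spear-phishing exercise: per-recipient tracking
tokens, attribution of opens/clicks/submissions, and funnel metrics.
Added illustration only (not PhishMe's code); all data below is constructed."""
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical per-campaign secret. A real tool would generate one per
# campaign and keep it server-side; this value is a placeholder.
CAMPAIGN_KEY = b"constructed-campaign-key-not-a-real-secret"

# Funnel stages in order; reaching a later stage implies the earlier ones.
STAGES = ("opened", "clicked", "submitted")

Event = Tuple[str, str]  # (token seen in the mail/web logs, stage name)


def make_token(campaign: str, user_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-recipient token embedded in the tracking pixel and the mock link.
    HMAC-keyed so it cannot be guessed or forged from another recipient's
    link, and so the recipient's identity never appears in the URL itself."""
    msg = f"{campaign}:{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def resolve_token(campaign: str, token: str, recipients: List[str],
                  key: bytes = CAMPAIGN_KEY) -> Optional[str]:
    """Map a token from the logs back to a recipient; None if unknown/forged."""
    for uid in recipients:
        if hmac.compare_digest(make_token(campaign, uid, key), token):
            return uid
    return None


def deepest_stage(campaign: str, recipients: List[str], events: List[Event],
                  key: bytes = CAMPAIGN_KEY) -> Dict[str, int]:
    """Deepest STAGES index each recipient reached. Counted once per person,
    not per event (three clicks is still one clicker); events with an
    unknown token or unknown stage name are dropped."""
    deepest: Dict[str, int] = {}
    for token, stage in events:
        uid = resolve_token(campaign, token, recipients, key)
        if uid is None or stage not in STAGES:
            continue
        deepest[uid] = max(deepest.get(uid, -1), STAGES.index(stage))
    return deepest


def funnel(campaign: str, recipients: List[str], events: List[Event],
           key: bytes = CAMPAIGN_KEY) -> Dict[str, float]:
    """Percentage of recipients reaching each stage, rolled down: a submission
    counts as a click and an open even when the tracking pixel was blocked
    and no 'opened' event was ever logged."""
    deepest = deepest_stage(campaign, recipients, events, key)
    return {stage: round(100.0 * sum(1 for r in deepest.values() if r >= i)
                         / len(recipients), 1)
            for i, stage in enumerate(STAGES)}


def reached(campaign: str, recipients: List[str], events: List[Event],
            stage: str, key: bytes = CAMPAIGN_KEY) -> Set[str]:
    """Recipients who reached at least the given stage in one run."""
    rank = STAGES.index(stage)
    return {uid for uid, r in deepest_stage(campaign, recipients, events, key).items()
            if r >= rank}


# --- Constructed sample campaign: two runs against the same ten people ---
RECIPIENTS = [f"u{n:02d}" for n in range(1, 11)]


def _ev(campaign: str, uid: str, stage: str) -> Event:
    return (make_token(campaign, uid), stage)


RUN1_EVENTS: List[Event] = [
    _ev("run1", "u01", "opened"),
    _ev("run1", "u02", "opened"), _ev("run1", "u02", "clicked"),
    _ev("run1", "u03", "submitted"),                 # pixel blocked: no 'opened'
    _ev("run1", "u04", "clicked"), _ev("run1", "u04", "clicked"),  # duplicate
    _ev("run1", "u05", "opened"),
    ("0" * 16, "clicked"),                           # forged token, ignored
]
RUN2_EVENTS: List[Event] = [
    _ev("run2", "u03", "opened"),
    _ev("run2", "u04", "clicked"),
]


def repeat_clickers() -> Set[str]:
    """Recipients who followed the link in both runs: the ones who most
    need the targeted follow-up training described above."""
    return (reached("run1", RECIPIENTS, RUN1_EVENTS, "clicked")
            & reached("run2", RECIPIENTS, RUN2_EVENTS, "clicked"))


if __name__ == "__main__":
    print("run 1:", funnel("run1", RECIPIENTS, RUN1_EVENTS))
    print("run 2:", funnel("run2", RECIPIENTS, RUN2_EVENTS))
    print("clicked in both runs:", sorted(repeat_clickers()))
```

Two design points matter in practice. Tokens are keyed rather than being the user ID or a sequential counter, so a recipient who forwards the mail cannot cause a colleague to be marked as a clicker, and a curious employee cannot enumerate other people’s links. Metrics are per person, not per event, and later stages imply earlier ones, otherwise blocked tracking pixels and repeated clicks distort exactly the numbers (opened, clicked, entered data) that the second run is compared against.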
It seems like a common-sense exercise, like letting someone burn a hand to learn the stove is hot. But with apps like PhishMe, at least companies aren’t giving up real data as the price of that lesson.
Rohyt Belani, CEO of Intrepidus Group, says, “Spear Phishing exploits human vulnerability. Thus our service focuses on the human element. We use techniques recommended by reputed bodies like SANS, and those found to be most effective by researchers at Carnegie Mellon University to train users in recognizing and thwarting targeted phishing attacks.”
You can view a demo of PhishMe or sign up for a trial account by going to http://phishme.com/.