SecureWorld Webinar Offers Preview of Wombat’s 2017 State of the Phish Report

On Wednesday, January 11, Wombat CTO Trevor Hawthorn participated in SecureWorld’s “State of the Phish™ 2017 – A 360-Degree View” webinar and gave a preview of our forthcoming 2017 State of the Phish Report. He was joined by fellow presenters Jake Bernstein, an attorney with Newman Du Wors, and Mitch Parker, Indiana University Health’s Executive Director of Information Security and Compliance.

The Legalities of Phishing

Bernstein kicked off the presentation by sharing his knowledge of the legal side of the phishing threat.  A former Washington State Assistant Attorney General, Bernstein now represents companies that are facing investigations and actions brought by federal and state regulatory agencies. He pointed out to attendees that failing to educate employees how to identify and avoid phishing attacks can actually result in legal liability.

He also discussed portions of Section 5 of the Federal Trade Commission (FTC) Act, noting that a failure to implement security training policies is considered to be an “unfair practice” under U.S. law. Bernstein said he ultimately expects the FTC to consider it unreasonable for all but the smallest organizations to forego dedicated phishing training.

Collaboration and Communication

Parker presented the second segment of the webinar, focusing on what he referred to as “a view from the trenches.” A former CISO with Temple Health, Parker has had significant experience in researching network-based threats as well as compliance, data privacy, and security requirements. He stressed the importance of staying informed of current threats, advising attendees to collaborate with regional and industry peers and seek opportunities to share intelligence. He strongly recommends utilizing resources like Industry Information Sharing and Analysis Centers (ISACs) and anti-phishing vendors (he singled out Wombat as being “one of the best”), as well as InfraGard and other law enforcement–based information sources.

Parker also offered several other important pieces of advice, including the following:  

• Regularly communicate policies and procedures to end users and corporate stakeholders, including PR and comms teams.
• Immediately notify all users if a new attack has been identified.
• Add disclaimers to all externally originating email and stress to users that no external email should ask them to reset or change their internal accounts.
• Teach users how to check the validity of a link.
• Give employees a quick and easy way to report issues.
• Keep leadership teams informed and involved.
• Make simulated phishing a part of a robust program

Missed the live webinar feed? Access the on-demand replay on our website.
(You can earn CPE credit hours for viewing.) 

Preview of the 2017 State of the Phish Report

Hawthorn gave attendees an advanced look at some of the findings from our third annual State of the Phish Report, which includes data analyzed from

• millions of simulated phishing attacks sent over 12 months;
• more than 500 survey responses to from our database of infosec professionals; and
• more than 2,000 answers from end users in the U.S .and UK, who were surveyed about their phishing knowledge and behaviors.

Hawthorn noted that the Wombat data indicates that simulated phishing and education activities are working; as programs mature, click rates show that anti-phishing training delivers measurable improvements over time. He also said that surveyed infosec professionals reported that phishing attacks appear to be tapering off some — but he cautioned that although awareness is improving, “Risky behaviors still exist.”

He also shared some key results from the end-user survey in the U.S. and the UK, which was managed by an independent third party:

• The majority of people know what phishing is in general terms, though users in the UK exhibited a higher awareness than those in the U.S. (72% vs. 65%).
• Less than half of end users were aware of what ransomware is (U.S.: 34%; UK: 38%).
• UK end users exhibit better corporate email hygiene than those in the U.S. Only 31% of UK respondents admitted to checking their personal email on work devices (compared to 50% in the U.S.), and just 29% of UK users said they check corporate email on their personal mobile devices (vs. 49% of U.S. users).

Hawthorn also shared some results from Wombat’s survey of infosec professionals, the current state of the ransomware threat, and a look at the kinds of phishing templates and topics that are being used most often (and the click rates for these types of simulated attacks).

The Red Thread: Education Is Critical to Long-Term Risk Reduction

All three presenters discussed the important role cybersecurity awareness and training programs play in combatting the phishing threat. Bernstein said, “Phishing defense is really a personnel management issue, not purely a technological trick. By far the best defense is training your people to recognize [phishing] and then practicing. You need to conduct training, and then practice it.”

Parker reinforced that by saying, “Phishing emails are starting to look really good. And there will always be malicious actors seeking to impersonate real people to get info out of your team members. You need to educate your staff how to recognize when they are being phished.”

Hawthorn spoke about the significant change he’s seen in the industry over time. In the 1990s, the focus was on networks, he said, and in the 2000s it was “all about application security and then it became about endpoint security.” But he sees much more importance placed on the end user now, saying, “I think we’re starting to get to the point where organizations are viewing their individual users as sources of risk, based on their behaviors and their access rights.” The attitudes related to security awareness training programs have shifted significantly, Hawthorn said, and organizations are starting to see the value in these activities.