U.S. College Lowers Successful Phishing Attacks by 90%
A public college in the Northeastern U.S. found itself at a cybersecurity crossroads. Founded in the 1800s, the liberal arts and sciences school has approximately 7,500 students and 1,400 faculty and staff. In the past, the school had sent occasional emails to warn the population about bogus links, scam emails or telltale signs of spam, but there was no online or in-person training dedicated to raising awareness about phishing. As the scale and sophistication of phishing attacks increased, administrators recognized that the college’s resources were vulnerable.
The situation came to a head when a cybercriminal fabricated an email that appeared to originate from the new dean’s email address.
“We recognized that a significant hole in our security was our people, in that they were not very savvy with regard to these issues,” said the school’s information security officer.
The college began searching for a security awareness training program that would help its faculty and staff recognize and respond to cybersecurity threats. Administrators consulted with a number of vendors and quickly learned that many companies delivered their training via more basic tools, such as slide decks and short videos, followed by quizzes at the end of each session. But the college wanted a system that was more like the cooperative education its own students receive. The school was searching for a solution that would give users interactive training and hands-on experience with simulated phishing attacks.
This quest for a better solution led the administrators to Proofpoint’s Security Education Platform. The SaaS-based learning management system (LMS) resonated with the college because of its emphasis on both information and education. And because Proofpoint’s training methodology focuses on raising awareness and changing behaviors, it gives organizations the best opportunity for a long-term defense against cyber threats.
Assess, Educate, Measure, Repeat
The Proofpoint Anti-Phishing Training Suite includes simulated phishing attacks (which allow organizations to assess employees using mock phishing emails) as well as multiple interactive anti-phishing training modules.
Security officers began by sending employees a simulated phishing message; results and analysis of clickthrough rates let the officers gauge the organization’s level of vulnerability. Administrators then automatically or manually assigned anti-phishing training modules that employees completed at their convenience.
In each module, users learned through engaging teaching methods, realistic examples and interactive practice. “The interactive nature of the [Proofpoint] training, as opposed to a simple quiz at the end, made everything else we looked at seem poor in comparison,” explained the information security officer.
Another advantage with Proofpoint’s platform is that organizations can measure results during and after every phase, enabling security officers to identify and respond to weaknesses. The flexibility of the Proofpoint LMS allows assessment and training cycles to be repeated at targeted intervals, increasing the chances of long-term risk reduction.
The college initially launched the Anti-Phishing Training Suite to 300 of its faculty and administrators. Within a year, it had rolled out the product to another 300 staff members. Rollouts began with an announcement to personnel, alerting them to a forthcoming email about training modules they would be asked to complete. Once training began, administrators would send out mock phishing emails every few weeks to see if the training was helping users to avoid the scams.
According to the college’s information security officer, a number of individuals thought they were immune to phishing threats; they assumed they would never be targeted or that they would know what was happening and not fall for such an attack. “When we phish our users with this product and they fall for it, it breaks that part of their psyche that says, ‘I am not going to fall for these things and I am not being targeted.’ It makes them more receptive to training,” he said.
According to the college’s information security officer, the effectiveness of the Anti-Phishing Training Suite “has been fantastic.” Previously, the college saw its users fall for five to six criminal phishing attacks per month. In the six months following training, the number of successful attacks decreased to three. This represents a 90% reduction in successful phishing attacks from the wild.
The school’s help desk has also reported a significant drop in spyware and viruses on campus computers as well as considerably fewer support requests. The school has seen more users reporting actual phishing emails as well as quicker response times and greater awareness of phishing issues.
“The response to the training has been positive; our administration has been behind us 100 percent,” said the information security officer. “In addition to our users being significantly less vulnerable to these scams, the [Proofpoint] solution is letting the IT staff sleep at night again. We take pride in the fact that our students’, our alumni’s, and our faculty’s data is now more protected due to what we are doing with [Proofpoint].”
For more information, visit proofpoint.com/security-awareness