Network and endpoint security vendor Sophos has expanded its Sophos Phish Threat product, a phishing attack simulator and training service, making it available in Europe and Asia. The latest version also adds new dashboards and analytics that track how the organisation as a whole, and individual users, respond to simulated attacks.
Phishing is one of the most common and successful ways for cybercriminals to infect machines. Sophos says that up to 77 percent of the email it blocks carries malware. Emails are sent to users, often with malicious attachments or web links. When a user opens the attachment or clicks the link, malware is installed on their machine. Training users to spot suspicious emails is essential for any organisation that wants to tighten its cybersecurity.
According to Bill Lucchini, senior vice president and general manager for the Sophos Messaging Security Group: “Human behavior is a critical element of cyber security yet 62 percent of companies don’t train employees to recognize phishing attempts. SophosLabs sees malware on up to 77 percent of blocked mail.
“Creating a culture of security and data protection awareness has risen in priority with the greater risk of email-borne ransomware and the planned introduction of new legislation such as GDPR. Employees have to be responsible for the way they handle data and how to spot a phishing attack should be part of their training. Phish Threat builds greater employee awareness by creating suspicious emails using known techniques, successful spoofs, and contemporary examples. In fact, after just four Phish Threat simulation training emails, the average organization reports a 31 percent reduction in employee susceptibility.”
What does the Phish Threat product do?
The Phish Threat platform allows IT security teams to create phishing attack simulations. It gives them access to a large library of phishing attacks captured by Sophos; because the library is updated regularly, it includes the kinds of emails users are already likely to see in their inboxes. Using this material an IT security team can build its own phishing campaigns to test user awareness.
This is all about employee awareness. Spotting the signs of a phishing attack is something every user needs to be able to do. Phishing is not just the badly worded attempts to obtain a user’s PayPal, network or bank login credentials, or to install malware. Business Email Compromise, also known as CEO fraud, is a phishing attack too: a message that appears to come from a senior executive and asks the recipient to make a payment or hand over data.
The Phish Threat platform has over 30 interactive training modules. They walk users through scenarios and show them the danger signs of an attack. Combined with the IT team’s own simulated phishing campaigns, this helps identify the users most likely to click on dodgy emails, who can then be shown what was wrong with the message and what the risks were.
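As an added illustration of the danger signs such training teaches, the following Python script checks a single message for several of them: an executive’s display name on an address outside the organisation’s domain (the CEO fraud pattern), a lookalike sender domain, a Reply-To that routes answers elsewhere, link text that shows a different URL from its href, and urgency or secrecy wording. This is example code written for this page, not part of Phish Threat or any Sophos product; the organisation’s domain, the executive names and both sample messages are constructed assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example (not from the article): the organisation's own
# mail domain and the executive names that staff would trust on sight.
OUR_DOMAIN = "example-corp.com"
EXEC_NAMES = {"jane doe"}

# Constructed sample messages, not real captures. Domains are placeholders.
SUSPECT_EML = b"""From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: accounts@mail-relay.example.net
To: staff@example-corp.com
Subject: URGENT: wire transfer needed before 5pm
Content-Type: text/html; charset=utf-8

<p>Please action this immediately and keep it confidential.</p>
<p>Confirm here: <a href="http://login.example.net/verify">https://portal.example-corp.com/login</a></p>
"""

BENIGN_EML = b"""From: "Jane Doe" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Q3 all-hands slides
Content-Type: text/html; charset=utf-8

<p>Slides from today are on the intranet: <a href="https://portal.example-corp.com/allhands">portal</a></p>
"""

URGENCY = re.compile(r"\b(urgent|immediately|confidential|before \d+(am|pm))\b", re.I)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr: str) -> str:
    """Domain part of an address such as 'Name <user@host>' (empty if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; the domains involved are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, target: str) -> bool:
    """True for a domain that is not target but closely imitates it."""
    if domain == target:
        return False
    folded = domain.translate(HOMOGLYPHS)  # digit-for-letter swaps such as 1 for l
    return folded == target or _edit_distance(folded, target) <= 2


def phishing_indicators(raw: bytes) -> list:
    """Return the danger signs found in one message as (indicator, detail) pairs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    from_hdr = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)
    # A known executive's name on an address outside our domain (CEO fraud)
    bare_name = display_name.split(",")[0].strip().lower()
    if bare_name in EXEC_NAMES and from_dom != OUR_DOMAIN:
        found.append(("exec_name_external_domain", from_dom))
    # A sender domain that imitates ours
    if looks_like(from_dom, OUR_DOMAIN):
        found.append(("lookalike_domain", from_dom))
    # Replies silently routed to a different domain than the visible sender
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        found.append(("reply_to_mismatch", reply_dom))
    # Link text that displays one URL while the href points at another host
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                found.append(("link_text_href_mismatch", href))
    # Pressure language: urgency and secrecy in subject or body
    subject = str(msg.get("Subject", ""))
    if URGENCY.search(subject + " " + html):
        found.append(("urgency_language", subject))
    return found


def indicator_names(raw: bytes) -> list:
    return [name for name, _ in phishing_indicators(raw)]


if __name__ == "__main__":
    for label, eml in (("suspect", SUSPECT_EML), ("benign", BENIGN_EML)):
        print(label, phishing_indicators(eml))
```

None of these checks is a verdict on its own; a legitimate mail-merge tool can set Reply-To, and executives do travel and send from odd places. The point of running them together is the same one the training makes to users: several weak signs in one message are what should trigger a report rather than a click.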
What does this mean?
User education is probably one of the most important steps in improving resilience to malicious attacks. A lot of companies talk about improving it as part of their cybersecurity planning; few follow through effectively. Those that do see significant benefits in terms of fewer successful attacks. As each successful attack costs an organisation money, often tens of thousands of pounds, user education is highly cost effective.
Surprisingly, Sophos doesn’t talk a lot about gamification as part of its user education tools. Gamification is used by a number of organisations to help users understand cyber threats. Norwegian company Storebrand introduced gamification back in 2015. It ran a series of attacks against its own users to help them understand phishing. It combined this with prizes for departments based on security effectiveness over a period of time.
What Storebrand discovered was that users quickly started to peer-educate. If a user spotted a phishing email they would check with their departmental peers and then report to security. It meant that alerts moved around the company faster than IT could propagate them. It also ensured that a lot of real phishing emails were picked up by users and the company’s cyber defence improved significantly.
Sophos claims that after just four simulated phishing emails, organisations see a 31 percent reduction in employee susceptibility. This is good news, with a caveat. Like any user education programme, it has to be part of a long-term approach rather than a one-off exercise. The Phish Threat platform makes it easy for IT security teams to schedule regular tests to keep risk awareness high.
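To make concrete what the per-campaign dashboards described above measure, here is an added example (written for this page, not Sophos or Storebrand code) that works through a small simulation log: it computes click and report rates per campaign, the relative reduction in susceptibility between the first and latest campaign, the users who clicked in more than one campaign and so need individual follow-up, and a per-department league table of the kind Storebrand used for its prizes. The event log, user names and departments are constructed.

```python
from collections import defaultdict

# Constructed simulation log for this example, not real Sophos or Storebrand data.
# One row per recipient per campaign: (campaign, user, department, clicked, reported).
EVENTS = [
    (1, "alice", "finance", True,  False),
    (1, "bob",   "finance", True,  False),
    (1, "carol", "ops",     False, True),
    (1, "dave",  "ops",     True,  False),
    (1, "erin",  "hr",      False, False),
    (2, "alice", "finance", True,  False),
    (2, "bob",   "finance", False, True),
    (2, "carol", "ops",     False, True),
    (2, "dave",  "ops",     False, False),
    (2, "erin",  "hr",      False, True),
    (3, "alice", "finance", True,  False),
    (3, "bob",   "finance", False, True),
    (3, "carol", "ops",     False, True),
    (3, "dave",  "ops",     False, True),
    (3, "erin",  "hr",      False, True),
]


def campaign_rates(events):
    """Click rate (susceptibility) and report rate for each campaign."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, _dept, did_click, did_report in events:
        sent[campaign] += 1
        clicked[campaign] += did_click
        reported[campaign] += did_report
    return {
        c: {"click_rate": clicked[c] / sent[c], "report_rate": reported[c] / sent[c]}
        for c in sorted(sent)
    }


def susceptibility_reduction(events):
    """Relative drop in click rate from the first campaign to the latest one."""
    rates = campaign_rates(events)
    first = rates[min(rates)]["click_rate"]
    latest = rates[max(rates)]["click_rate"]
    return (first - latest) / first if first else 0.0


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns: follow-up candidates."""
    clicks = defaultdict(set)
    for campaign, user, _dept, did_click, _report in events:
        if did_click:
            clicks[user].add(campaign)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_campaigns)


def department_table(events):
    """(department, click_rate, report_rate) rows, best department first."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for _campaign, _user, dept, did_click, did_report in events:
        sent[dept] += 1
        clicked[dept] += did_click
        reported[dept] += did_report
    rows = [(d, clicked[d] / sent[d], reported[d] / sent[d]) for d in sent]
    # Lowest click rate wins; ties broken by the higher report rate
    return sorted(rows, key=lambda r: (r[1], -r[2]))


if __name__ == "__main__":
    for c, r in campaign_rates(EVENTS).items():
        print(f"campaign {c}: click {r['click_rate']:.0%}, report {r['report_rate']:.0%}")
    print(f"susceptibility reduction: {susceptibility_reduction(EVENTS):.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
    for dept, click, report in department_table(EVENTS):
        print(f"{dept:8} click {click:.0%} report {report:.0%}")
```

Two things worth tracking beyond the headline click rate: the report rate, which is the peer-reporting behaviour Storebrand saw and the metric that actually shortens response time to a real campaign, and the repeat-clicker list, because a falling organisation-wide rate can hide a handful of users who click every time.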