Many network compromises start with phishing—a social engineering attack that arrives via email to dupe corporate workers into divulging passwords or other network application details—and employees continue to be vulnerable to these scams.
In its latest annual Data Breach Investigations Report, for example, Verizon found that more than two-thirds of espionage-related breaches started with a phishing email.
Anti-spam products and services do not catch every phishing attack, so many companies have turned to user education in an attempt to make workers less likely to click on dodgy email messages. If the impact of phishing consists of constant nuisance attacks, rather than a serious breach, such training can pay significant dividends, according to a survey released on Aug. 26 by the Ponemon Institute.
The survey research firm polled 377 information-security and technology practitioners to find that the average company can save nearly $190 per employee, according to the analysis, which was funded by Wombat Security, a security-training firm.
“Every single phishing email that a person falls for ends up being a cost to the organization to go out and clean up the machine,” said Joe Ferrara, CEO of Wombat Security. The cost involves downtime for the employees whose machine is affected as well as additional work for the help desk, Ferrara notes.
On its face, employee security training seems like an obviously good idea. By teaching workers to recognize and avoid potential threats, companies can reduce the number of incidents with which they have to deal and free up security teams to focus on incident response and further hardening of the network. By training workers to recognize attacks, security teams gain the benefits of additional eyes among the workforce.
Yet other security experts have taken a dim view of security training. Whether the chances of a given employee clicking on a link in a phishing email is 10 percent or 1 percent, an attacker can easily, and inexpensively, crank up their attack tactics until they are successful, David Aitel, CEO of security-services firm Immunity, told eWEEK.
Immunity, which conducts penetration tests among other services, is often tasked with using a phishing attack to test the security of a client and to gain a beachhead in its network. In one case, the client had trained its workforce well, which showed strong awareness to phishing scams, but it was not enough, Aitel said.
“These guys are all super-aware, and we had a pretty low hit rate of people giving us their passwords, and they shut us down in an hour,” Aitel said. “Still, it didn’t matter. We only needed the three passwords that we got.”
Essentially, the issue boils down to whether improving a company’s overall security posture can save money and reduce risk.
Security Experts Debate Whether Anti-phishing Training Worth the Cost
Or it might also boil down to if hackers’ ability to turn a single employee’s click on a phishing link into a full-blown compromise means that the defenders need to be right all the time.
If a single employee clicking on the wrong link can lead to a network breach, improving the average security level of the workforce matters little, said Bruce Schneier, CTO for Resilient Systems.
With security education, “it matters if I have to move the average or the end points,” he said. “If I’m trying to get into your network and all it takes is one click, then moving the average does not matter.”
The Ponemon Institute argues that the major costs of phishing incidents are as a productivity drain. The firm’s survey looked at five costs linked to successful phishing attacks. These included the costs of containing malware, of a successful infection, of lost productivity, of containing credential compromises and of a successful compromise of credentials.
The largest cost, lost productivity, accounted for $1.8 million, or 48 percent of the total estimated costs of $3.8 million for a large company, according to the survey-research group.
For the most part, phishing attacks result in compromises or leaked credentials that do not turn into a full-scale network breach. For the average company, 11 percent of malware infections are caused by phishing attacks and respondents estimated that malware attacks will cause a breach in 1.9 percent of cases over 12 months.
These results align with Verizon’s data, which found that 23 percent of recipients open phishing emails and 11 percent click on the attachments. While many phishing scams attempt to collect user’s credentials, they are not about stealing information, but gaining access.
“The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp and continue their stealthy march inside the network,” Verizon stated in its report.
Reducing the number of successful phishing attacks can mean saving productivity and allowing the security team the ability to focus on incident response and detecting breaches, Wombat’s Ferrara said.
“This is about the ROI [return on investment],” he said. “We should treat security education like any other security investment. To me, this is getting back to a business decision, not a religious argument about stopping 100 percent” of phishing attacks.
For many firms, it is a moot point, as regulations require that a company has a security awareness program.
Yet skeptics such as Aitel argue that relying on humans to make the right decision is not a good security practice. Instead, companies should make sure that their security does not rely on such decisions.
“Two-factor authentication would have kept us out,” Aitel said of his client’s test. “You can train all day, every day, and still not get the value of a simple rollout of two-factor authentication.”