Recent trends in Phishing
The ongoing COVID-19 pandemic has made remote collaboration vital, and organizations worldwide now rely on many collaboration applications in addition to regular email. Attackers are targeting the very tools that support work-from-home setups. They increasingly use fake login pages for email, collaboration platforms, and video conferencing applications such as Outlook, Office 365, Zoom, WebEx, and OneNote Online. According to Trend Micro's Cloud App Security report, phishing campaigns impersonating WebEx and Zoom almost tripled in March compared to February, and more than doubled again in April compared to March.
New phishing lures take advantage of the pandemic, with attackers posing as:
- Advisories purporting to come from the WHO and other health departments
- Income tax departments offering tax rebates
- Employers or universities announcing policy updates
- COVID-19 case trackers and maps (fake ones that deliver malware or harvest credentials)
- Charitable organizations collecting relief funds
User awareness training
What an attacker exploits in a phishing attack is a lack of user knowledge, which makes user awareness the most important step in preventing such breaches. The key component of a successful phishing attack is user interaction: a user clicking a link, opening an attachment, filling out a form, or taking a similar action. A phishing attack does not forcibly steal information; it persuades the user to hand it over willingly or to open a path through which the attacker can reach it. Since the compromise is user-initiated, every user should know how to recognize a phishing email and what to do after receiving one.
Phishing attacks are constantly increasing. In fact, 44% of phishing emails are new or previously unknown, slip past the security systems in place, and end up in user inboxes. Users, usually regarded as the last line of defense, thereby become the first line of defense. This makes user awareness training all the more necessary.
Vendors and common features
There are several leading vendors offering cyber awareness training solutions.
Features common across solution providers are multilingual support, micro-learning using short videos, gamification, wallpapers and posters to reinforce learning, phishing simulation, a phishing report button in the mail client, and graphical reporting. The content is usually developed using adult learning principles and delivered via a Learning Management System (LMS).
Since these features are largely shared, the differentiators among vendors are the content library and how frequently it is updated. Some vendors also provide their own security awareness framework that can be used to plan and run training campaigns.
Popular training topics include:
- Basics of Information Security
- Web Security
- Social Engineering
- Phishing Solutions
- Mobile and Cloud Computing
- Secure Remote Working
Most providers have dedicated modules on compliance-related topics such as GDPR, HIPAA, and PCI DSS, with new content added regularly.
There are also training packages aimed at more IT-savvy users, such as administrators and application developers, which can be made part of mandatory onboarding requirements.
User awareness programs are offered as bundles to which organizations can subscribe, expanding the subscription as their needs grow. Entry-level packages start with 5-6 modules and can be expanded to the full set of 60-180 modules.
Providers offer their own learning management systems, each with its own way of assigning, grouping, and tracking training progress. Organizations that already have an LMS can instead acquire individual modules and integrate them into it; these modules are typically SCORM compliant.
Micro- or nano-learning modules are short modules, usually 2 to 5 minutes long. They pair well with phishing simulation campaigns as on-the-spot training when a user fails a simulation: a short video explaining the type of attack the user just failed to detect helps them understand it by relating it to an example they have just experienced.
This "teachable moment" created by the phishing simulation helps the user retain the information. It also creates a feedback loop between phishing simulations and assigned training, where each next step is decided by the result of the previous one. This synergy lets organizations train users effectively through a continuous cycle of testing and training, which both fills users' knowledge gaps and reinforces what they have learned.
Phishing simulations should ideally be run every 90 days for users who pass the previous simulation, and every 45 days for the ones who fail the previous simulation. This helps underperforming users to get more training, eventually bringing them on par with the rest.
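The feedback loop and cadence described above, as an added example that is not part of the original page or any vendor's product: a small Python scheduler that turns each simulation result into the next simulation date (90 days after a pass, 45 days after a fail, as above) and, on a failure, assigns the micro-learning module matching the lure the user fell for. The lure types, module titles and sample results are constructed assumptions, not data from any real campaign.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cadence stated in the text: re-test after 90 days on a pass, 45 days on a fail.
PASS_INTERVAL = timedelta(days=90)
FAIL_INTERVAL = timedelta(days=45)

# Assumed mapping from the simulated lure type to the short (2-5 min) module
# assigned as on-the-spot training. Lure names and module titles are illustrative.
REMEDIATION_MODULES: Dict[str, str] = {
    "fake_login_page": "Spotting fake login pages (3 min)",
    "malicious_attachment": "Attachments and macros (4 min)",
    "charity_scam": "Charity and relief-fund scams (2 min)",
}
DEFAULT_MODULE = "Recognising phishing emails (3 min)"


@dataclass
class SimulationResult:
    user: str
    lure_type: str
    sent_on: date
    clicked: bool          # followed the link or opened the attachment
    submitted_data: bool   # typed credentials or data into the landing page
    reported: bool         # used the phishing report button

    @property
    def passed(self) -> bool:
        # Any interaction with the lure is a fail; reporting it afterwards is
        # worth recording but does not undo the click.
        return not (self.clicked or self.submitted_data)


@dataclass
class NextStep:
    user: str
    next_simulation_on: date
    assigned_module: Optional[str]
    reason: str


def plan_next_step(result: SimulationResult) -> NextStep:
    """Decide one user's next simulation date and training from the last result."""
    if result.passed:
        return NextStep(
            user=result.user,
            next_simulation_on=result.sent_on + PASS_INTERVAL,
            assigned_module=None,
            reason="passed: standard 90-day cadence, no extra training",
        )
    module = REMEDIATION_MODULES.get(result.lure_type, DEFAULT_MODULE)
    return NextStep(
        user=result.user,
        next_simulation_on=result.sent_on + FAIL_INTERVAL,
        assigned_module=module,
        reason=f"failed ({result.lure_type}): assign module, re-test in 45 days",
    )


def users_due(plans: List[NextStep], today: date) -> List[str]:
    """Users whose next simulation date has arrived, i.e. the next campaign's targets."""
    return sorted(p.user for p in plans if p.next_simulation_on <= today)


def failure_rate_by_lure(results: List[SimulationResult]) -> Dict[str, float]:
    """Share of users who failed each lure type, to choose the next campaign theme."""
    totals: Dict[str, int] = {}
    failures: Dict[str, int] = {}
    for r in results:
        totals[r.lure_type] = totals.get(r.lure_type, 0) + 1
        if not r.passed:
            failures[r.lure_type] = failures.get(r.lure_type, 0) + 1
    return {lure: failures.get(lure, 0) / n for lure, n in totals.items()}


# Constructed sample results for one simulation round (not real campaign data).
SAMPLE_RESULTS = [
    SimulationResult("alice", "fake_login_page", date(2020, 5, 4), clicked=True, submitted_data=True, reported=False),
    SimulationResult("bob", "fake_login_page", date(2020, 5, 4), clicked=False, submitted_data=False, reported=True),
    SimulationResult("carol", "malicious_attachment", date(2020, 5, 4), clicked=True, submitted_data=False, reported=True),
]

if __name__ == "__main__":
    plans = [plan_next_step(r) for r in SAMPLE_RESULTS]
    for p in plans:
        print(f"{p.user}: next on {p.next_simulation_on}, module={p.assigned_module}, {p.reason}")
    print("due on 2020-06-18:", users_due(plans, date(2020, 6, 18)))
    print("failure rate by lure:", failure_rate_by_lure(SAMPLE_RESULTS))
```

With the sample data, alice and carol fail and are re-tested on 2020-06-18 with a module matching the lure they fell for, while bob, who reported the lure without clicking, is next tested on 2020-08-02. Treating a click as a fail even when the user later reports it is a deliberate choice: the click is what an attacker needs, and the report is a separate metric worth tracking on its own.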
To summarize, cyber awareness training programs help reduce successful phishing attacks by turning users into a detective security control. An effective program combines phishing simulation and awareness training so that the two complement each other in a continuous cycle.
Greater user awareness improves an organization's resilience to attacks, reduces its attack surface, and strengthens what is otherwise its weakest link. Organizations should consider their requirements and the current awareness level of their user community, start small when beginning a program, and expand it as the need grows. Subscribing to cloud-based options helps get started quickly. Leveraging the capabilities of an established managed services partner such as HCL can help launch such programs rapidly and keep them running continually.