
Phishing Simulators Are Not Enough for Security Awareness [MediaPro]

Download this resource directly to understand the elements of a truly comprehensive security awareness program (beyond phishing): http://bit.ly/MPPhish

--
In today's business environment, getting phishing emails is a fact of life. Though cybercriminals continually seek new and terrifying methods to gain access to your network, phishing remains one of their most popular weapons. In fact, there was a 55% increase in spear-phishing campaigns targeting company employees from 2014 to 2015, according to a recent Symantec report.

All of this phishing means all kinds of phishing simulation vendors, promising to solve your phishing problems. The problem is that data from phishing simulators distract you from the real mission: to change employee behavior around phishing.

When your phishing tool's primary use is to identify technical vulnerabilities or to provide pretty bar charts for executives, you're missing out on a real chance to improve your employees' cybersecurity awareness.


  1. DROWNING IN PHISHING: Phishing Simulation ≠ Security Awareness
  2. IT’S JUST A MATTER OF TIME: In today’s business environment, getting phishing emails is a fact of life. Though cybercriminals continually seek new and terrifying methods to gain access to your network, phishing remains one of their most popular weapons. 55% increase in spear-phishing campaigns targeting employees from 2014 to 2015 (2016 Internet Security Threat Report, Symantec).
  3. LIKE PHISH IN A BARREL: Why? Because employees keep falling for it. The 2016 Verizon Data Breach Investigation Report found that 30% of phishing emails were opened in 2015, up from 23% in 2014. Why would a cybercriminal try to fight through firewalls and other technical safeguards when they could just get the login information they need directly from an unsuspecting user? Researchers also found that usernames and passwords made up 91% of the information stolen in phishing attacks.
  4. PHISHING IN CROWDED WATERS: All of this phishing means all kinds of phishing simulation vendors, promising to solve your phishing problem. In simple terms, it works like this: they send simulated phishing email messages to employees and provide anti-phishing education for those who take the bait. (Innovative Insight for Anti-Phishing Behavior Management, Gartner.) In 2014, phishing vendors saw a 20% growth in revenue and a 17% growth in customers.
  5. MISSING THE FOREST: The most-touted aspects of these solutions are the reams of data they provide about employees who have taken the bait: who clicked where, from what device, at what time, on which browser, etc. But focusing too much on the minutiae of this data means you miss the forest for the trees.
  6. DROWNING IN DATA: From our perspective, it’s easier to drown in phishing data than it is to profit from it. Data is wonderful—except when it distracts you from the real mission, which is to change employee behavior around phishing. When your phishing tool’s primary use is to identify technical vulnerabilities or to provide pretty bar charts for executives, you’re missing out on a real chance to improve your employees’ cybersecurity awareness.
  7. THAT TEACHABLE MOMENT: Now, most phishing vendors acknowledge the learning side of phishing simulation by offering training at the point the phishy email is clicked. The goal is to take advantage of the so-called “teachable moment” when an employee slipped up and fell for the phishing bait.
  8. TEACHABLE ≠ LEARNABLE (NOT ALWAYS, AT LEAST): But there’s no guarantee that a “teachable moment” is also a “learnable moment.” This is not to say that offering some form of training at the “spot of the foul” will never work. But hyper-targeted anti-phishing training alone should not be considered a saving grace. Phishing data shows that most “caught” employees quickly close out of the email and delete it once they realize what happened—effectively voiding that sought-after “teachable moment.” Moreover, a chagrined employee who just learned they fell for a fake phishing attempt is probably not in the best mindset to learn anything. (Think of how you feel if you’re caught running a red light by a camera!)
  9. BUT DON’T TAKE OUR WORD FOR IT: In their 2014 report Innovative Insight for Anti-Phishing Behavior Management, Gartner researchers write: “Anti-phishing behavior management solutions are not a tool for initiating cultural change.” “Assess your organizational culture first,” they continue, “and deploy anti-phishing as part of a comprehensive program of security behavior management and education.”
  10. It’s easy to equate anti-phishing training with security awareness. Many phishing vendors do this all the time. If phishing is the most common way in for cybercriminals, then anti-phishing training should keep you covered, right?
  11. We believe phishing vulnerability among your employees may be just the tip of the iceberg, indicating larger organizational problems. Let’s dig a little deeper with an analogy…
  12. PHISHING AS A SYMPTOM: A stuffy nose, headache, and fever can all be treated individually with various kinds of medications to get relief. But if you only treat the symptoms (painkillers for a headache, for example), you’re not addressing the root of the problem. In fact, treating just the symptoms may mean it takes longer for you to address the actual problem – a viral cold. Most often, taking a more holistic approach to your cold—plenty of water and rest, while your immune system does its job—is the best path toward wellness.
  13. PHISHING AS A SYMPTOM: We think the same concept applies to an organization whose employees proved particularly vulnerable to a phishing simulation. That symptom signals a deeper affliction: a lack of cybersecurity awareness.
  14. PHISHING AS A SYMPTOM: Susceptibility to phishing can represent a fundamental misunderstanding of security best practices organization-wide. An employee population that falls prey to phishing is a sure sign that security best practices are not widespread. It’s a symptom that calls for a more comprehensive approach. As much data as a simulated phishing campaign will collect, it can’t gather the full picture of your organization’s security awareness level.
  15. BEYOND THE PHISH: At MediaPro, we believe a simulated phishing campaign is a great way to impact employee awareness about phishing…but it should not stand on its own. Since any phishing weakness among your employees is likely a symptom of a larger problem, anti-phishing training alone won’t provide the cure. It’s likely that the same employees who click on phishing emails also have a poor grasp on things like password security, safe mobile computing practices, and more.
  16. BEYOND THE PHISH: A comprehensive security awareness program will allow you to identify all of your behavioral risks and includes regular training and reinforcement that seeks to change employee behavior and build a risk-aware culture. Such a culture will help inoculate an organization against myriad cybersecurity threats for years to come.
  17. NOW WHAT? More than 500 of the world’s most risk-aware organizations have trusted MediaPro to provide comprehensive, expertly-crafted, employee awareness programs based on proven adult learning principles. FIND OUT WHY. MediaPro offers all the tools and services you need to run a comprehensive awareness program: phishing simulation, knowledge assessments, and an extensive library of varied learning content.
