Author: Jason

2024 Phishing by Industry Benchmarking Report Summary

This post will summarize the key findings from KnowBe4’s 2024 Phishing by Industry Benchmarking Report. This report highlights the continuing severity of phishing attacks and underscores the importance of robust security awareness training as a critical defense strategy.

AI generated podcast, if you prefer to listen to this content:

The report uses a metric known as the Phish-prone Percentage (PPP). This measures the percentage of employees within an organization who are susceptible to falling for phishing scams. A high PPP indicates a larger number of employees who are vulnerable to these attacks, thus indicating a greater risk of a potential breach. A low PPP demonstrates that the organization’s workforce has strong security awareness and can effectively identify and thwart phishing attempts.

Key Findings of the Report

  • Untrained employees pose a significant security risk. The report found that, on average, 34.3% of untrained users across various industries and organizational sizes would likely fail a phishing test. This means approximately one-third of employees are prone to interacting with malicious content, potentially jeopardizing their organization’s security.
  • Consistent and comprehensive security awareness training leads to dramatic improvements. The report emphasizes that consistent security awareness training, combined with regular simulated phishing tests, can substantially reduce an organization’s PPP. Organizations that implement such training programs see their average PPP drop to 18.9% within 90 days, and to 4.6% after one year or more of training. This demonstrates a dramatic improvement in employee preparedness against phishing attacks.
  • Specific industries exhibit consistently high-risk levels. For the third consecutive year, several industries in the large organization category (1,000+ employees) had PPPs exceeding 40% even after baseline assessments: Banking (42.3%), Consulting (47%), Energy & Utilities (47.8%), Financial Services (41.6%), Healthcare & Pharmaceuticals (51.4%), Insurance (48.8%), and Retail & Wholesale (42.4%). The Healthcare & Pharmaceuticals industry was among the highest risk industries in all organization sizes. These sectors are often targeted due to their handling of sensitive data and the potential for disruption of critical services.
  • Investing in the human layer of security is crucial. The report stresses that organizations must go beyond mere compliance training and adopt a proactive, comprehensive security awareness strategy that includes:
    • Continuous education.
    • Regular testing and reinforcement.
    • Cultivating a security-conscious culture where employees understand the importance of safeguarding their digital environments both at work and in their personal lives.

Recommendations for a Strong Security Posture

The report concludes with recommendations for security leaders, emphasizing the following key aspects:

  • Defined Mandate: Establish and clearly communicate the purpose and goals of your security awareness program.
  • Policy Alignment: Ensure your program is in line with your organizational security policies.
  • Culture Integration: Actively connect your security awareness initiatives with your overall security culture to strengthen the human layer of defense.
  • Executive Support: Secure full support from executives for your security awareness program.

To successfully implement these recommendations, security and risk management leaders can consider the following actions:

  • Fostering a Security Culture: Cultivate a workplace environment that prioritizes security, where employees are encouraged to be vigilant and report suspicious activity.
  • Strategic Hiring: Recruit individuals with a strong security mindset who can contribute to building a security-conscious culture.
  • “Culture Carrier” Program: Establish a program where designated employees act as security champions, promoting awareness and best practices within their teams.
  • Ongoing Simulated Phishing Tests: Conduct regular phishing simulations to reinforce training and assess employee preparedness.
  • Increased Frequency: Increase the frequency of training and testing to maintain security awareness as a top priority.
  • Leadership Role Modeling: Encourage executives and leaders to demonstrate a commitment to security best practices, setting a positive example for the organization.
  • Clearly Defined Objectives: Outline specific goals for your security awareness program and track progress toward achieving them.
  • Engaging Professionals: Consider partnering with experienced security awareness training providers to leverage their expertise and resources.
  • Effective Measurement: Implement metrics to track the effectiveness of your program, measuring key indicators like PPP reduction and employee engagement.
  • Marketing-Inspired Approach: Adopt a marketing mindset to create engaging and impactful security awareness campaigns that resonate with employees.
  • Employee Motivation: Motivate employees to actively participate in security awareness initiatives by recognizing and rewarding positive security behaviors.

By implementing these steps, organizations can build a strong human firewall and empower their employees to play an active role in protecting their organization against the evolving threat landscape.

Weekly Cybersecurity Wrap-up 11/25/24

Each week I publish interesting articles and ways to improve your understanding of cybersecurity.

Projects

Videos

Articles

Podcasts

SEI Podcasts: The Importance of Diversity in Cybersecurity: Carol Ware

CISO Tradecraft #208 Insider Threat (with Shawanee Delaney)

2024 Insider Threat Report: A Cybersecurity Enthusiast’s Summary

The 2024 Insider Threat Report, produced in collaboration by Cybersecurity Insiders and Gurucul, paints a sobering picture of the evolving landscape of insider threats. Let’s break down some of the key findings and their implications.

Here is an AI generated audio podcast, if you’d prefer to get caught up that way:

The report highlights a disturbing increase in the frequency of insider attacks. While only 17% of organizations reported no insider attacks in 2024, this figure represents a significant decrease from 40% in 2023. This trend is further underscored by the fact that 48% of respondents confirmed that insider attacks have become more frequent in the past year. The financial ramifications of these attacks are substantial, with the average cost of remediation exceeding $1 million for 29% of respondents. To put that in perspective, with organizations reporting 6 or more attacks in the last 12 months, the potential financial damage could easily reach tens of millions of dollars.

The report attributes this surge in attacks to several factors:

  • Complex IT Environments: The shift to hybrid work models, the increasing reliance on cloud services, and the integration of technologies like IoT and AI have expanded the attack surface and made it more difficult to secure.
  • Inadequate Security Measures: Insufficient data protection and inconsistent policies continue to plague many organizations, leaving them vulnerable to exploitation.
  • Lack of Training and Awareness: A significant number of respondents (32%) pointed to a lack of employee training and awareness as a key driver of insider attacks. This highlights the critical role of security awareness programs in mitigating unintentional insider threats.

A key takeaway from the report is that insider threats are often more difficult to detect and prevent than external attacks. This is because insiders, by their very nature, have legitimate access to sensitive systems and data, making their malicious activities harder to distinguish from normal behavior. The report reveals that 37% of respondents find insider attacks more challenging to detect and prevent than external attacks, emphasizing the need for more sophisticated detection and prevention strategies.

Despite the growing awareness of the risks posed by insider threats, many organizations struggle to implement effective mitigation strategies. The report identifies several key obstacles:

  • Technical Challenges: The complexity of data classification, concerns about user productivity impact, and deployment challenges to remote devices are among the technical barriers cited by 39% of respondents.
  • Cost Factors: For 31% of respondents, the cost of implementing advanced security solutions, such as User and Entity Behavior Analytics (UEBA), remains a significant obstacle.
  • Resource Limitations: Many organizations lack the necessary staffing and expertise to effectively manage insider threats, with 27% of respondents citing this as a key barrier.

The report emphasizes the critical importance of unified visibility and control across the entire IT environment – both on-premises and in the cloud – for effective insider threat management. While a significant 93% of respondents recognize this need, only 36% report having a fully integrated solution that delivers this capability. This discrepancy highlights a critical gap in many organizations’ security postures.

Some key recommendations include:

  • Implement Advanced Monitoring Solutions: Investing in tools like UEBA can help identify anomalous user behavior that may indicate malicious intent.
  • Integrate Non-IT Data Sources: Incorporating data from sources like HR and legal departments can provide valuable context for risk assessment and threat detection.
  • Leverage Automated Threat Detection and Response: Automating security processes can significantly enhance efficiency and effectiveness in managing insider threats.
  • Adopt a Zero Trust Framework: Ensuring continuous authentication and authorization of all users and devices can significantly reduce the risk of insider threats.
  • Enhance Employee Training and Awareness: Comprehensive training programs can equip employees to identify and report suspicious activity and promote a security-conscious culture.

The 2024 Insider Threat Report serves as a stark reminder that the threat from within is real and growing. By understanding the evolving nature of insider threats, recognizing the challenges in detection and prevention, and embracing the best practices outlined in the report.

Former Verizon Employee Sentenced to Prison for Espionage

Ping Li, a 59-year-old former Verizon employee, was recently sentenced to four years in prison for conspiring to act as an agent of China. Li, who immigrated to the U.S. from China and became a citizen, pleaded guilty to the charges earlier this year. His espionage activities date back to at least 2012.

When the FBI arrested Li in July, he initially tried to downplay his relationship with the MSS (Ministry of State Security, the intelligence and security agency for China) agent, claiming he was merely seeking investment advice. However, when confronted with incriminating emails, he confessed to conducting research for the Chinese government and sharing confidential cybersecurity materials from his employer.

Espionage Activities:

  • Li shared sensitive information with MSS agents about:
    • U.S. government electronic surveillance capabilities.
    • Activities of Verizon branches in China.
    • Cybersecurity training materials from another employer.
  • Li also provided the MSS with names and identifying details of Falun Gong (also known as Falun Dafa, a religious group that is banned in China) members residing in the U.S.

Li’s case highlights China’s efforts to infiltrate major telecom companies and exploit insiders for intelligence gathering. His actions provided the Chinese government with valuable insights into corporate operations and the activities of political opponents. While Li’s sentencing agreement doesn’t explicitly link him to the Salt Typhoon hack, his case underscores the vulnerability of telecom companies to such infiltration. This hack, attributed to the MSS-linked group Salt Typhoon, targeted major telecom giants, including Verizon.

  • Li worked for Verizon as a software engineer for at least 20 years before moving to Infosys, an Indian IT consulting firm.
  • He began working with MSS agents as early as 2012.
  • He frequently traveled to China to meet with his former classmate, an MSS agent.
  • Li also used online accounts to communicate and share information with MSS agents.

Li was sentenced to four years in prison for his crimes. His sentencing comes amidst heightened concerns about Chinese cyberespionage, particularly in light of the recent Salt Typhoon hack. This hack potentially compromised the data of high-profile individuals, including politicians Donald Trump and Kamala Harris. It’s important to note that the sources do not explicitly connect Li to the Salt Typhoon operation.

The Infosec Exodus: Why Cybersecurity Professionals are Choosing Bluesky

In the ever-evolving landscape of social media platforms, the cybersecurity community has found itself at a crossroads. The once-vibrant Twitter (now X) ecosystem has been gradually eroding, pushing information security professionals to seek new digital gathering spaces. Enter Bluesky – a decentralized social network that’s rapidly becoming the new home for infosec experts, researchers, and enthusiasts.

The mass exodus from Twitter isn’t just about platform features or leadership changes. For the cybersecurity community, it’s fundamentally about finding a space that values open dialogue, technical depth, and professional networking. Bluesky’s decentralized architecture and commitment to user control have struck a chord with a community that lives and breathes technological autonomy.

What Makes Bluesky Different?

Unlike traditional social media platforms, Bluesky offers several key features that appeal to cybersecurity professionals:

  1. Decentralized Protocol: The AT Protocol (Authenticated Transfer Protocol) provides a level of technological transparency that resonates with infosec experts. It’s not just a platform; it’s a potential blueprint for more secure, user-controlled social networking.
  2. Community Discovery: Bluesky’s innovative “starter packs” have been a game-changer for professionals looking to quickly find their tribe. These curated lists allow users to immediately connect with relevant communities, including specialized infosec groups, threat researchers, and security practitioners.
  3. Enhanced Privacy Controls: In a world where digital privacy is paramount, Bluesky’s approach to user data and community moderation speaks directly to the core values of cybersecurity professionals.

What’s particularly interesting is how quickly and organically the cybersecurity community has adapted to Bluesky. From threat intelligence sharing to professional networking, the platform has become more than just a social media alternative – it’s become a virtual conference hall, a research sharing platform, and a global infosec meetup.

Starter Packs: The Community Accelerator

Bluesky’s starter packs deserve special mention. These curated lists allow new users to immediately find and connect with relevant professionals. This means:

  • Instant access to threat researchers
  • Quick connection with vulnerability researchers
  • Networking opportunities with cybersecurity practitioners across various specialties
  • Targeted content discovery based on specific security domains

This is the main differentiator with Mastodon, which didn’t have an easy way to find “your people” on the service. You can search all starter packs in their directory and here are the infosec specific ones.

Looking Forward

While no platform is perfect, Bluesky represents a promising alternative for a community that values technical integrity, open dialogue, and professional networking. As more cybersecurity professionals make the switch, we’re witnessing the potential birth of a more decentralized, user-controlled social media landscape.

The migration isn’t just about leaving an old platform – it’s about building a new digital infrastructure that reflects the values of technological autonomy and professional collaboration.

Disclaimer: The views expressed are personal observations based on community trends and should not be considered an official endorsement of any platform. AKA This post is not sponsored.