Tag: cybersecurity
TryHackMe | Advent of Cyber 2024 – Day 7
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
TryHackMe | Advent of Cyber 2024 – Day 6
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
TryHackMe | Advent of Cyber 2024 – Day 5
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
TryHackMe | Advent of Cyber 2024 – Day 4
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
2024 Phishing by Industry Benchmarking Report Summary
This post will summarize the key findings from KnowBe4’s 2024 Phishing by Industry Benchmarking Report. This report highlights the continuing severity of phishing attacks and underscores the importance of robust security awareness training as a critical defense strategy.
The report uses a metric known as the Phish-prone Percentage (PPP). This measures the percentage of employees within an organization who are susceptible to falling for phishing scams. A high PPP indicates a larger number of employees who are vulnerable to these attacks, thus indicating a greater risk of a potential breach. A low PPP demonstrates that the organization’s workforce has strong security awareness and can effectively identify and thwart phishing attempts.
Key Findings of the Report
- Untrained employees pose a significant security risk. The report found that, on average, 34.3% of untrained users across various industries and organizational sizes would likely fail a phishing test. This means approximately one-third of employees are prone to interacting with malicious content, potentially jeopardizing their organization’s security.
- Consistent and comprehensive security awareness training leads to dramatic improvements. The report emphasizes that consistent security awareness training, combined with regular simulated phishing tests, can substantially reduce an organization’s PPP. Organizations that implement such training programs see their average PPP drop to 18.9% within 90 days, and to 4.6% after one year or more of training. This demonstrates a dramatic improvement in employee preparedness against phishing attacks.
- Specific industries exhibit consistently high risk levels. For the third consecutive year, several industries in the large organization category (1,000+ employees) had PPPs exceeding 40% even after baseline assessments: Banking (42.3%), Consulting (47%), Energy & Utilities (47.8%), Financial Services (41.6%), Healthcare & Pharmaceuticals (51.4%), Insurance (48.8%), and Retail & Wholesale (42.4%). The Healthcare & Pharmaceuticals industry was among the highest-risk industries across all organization sizes. These sectors are often targeted because they handle sensitive data and because disruption of their services can be severe.
- Investing in the human layer of security is crucial. The report stresses that organizations must go beyond mere compliance training and adopt a proactive, comprehensive security awareness strategy that includes:
  - Continuous education.
  - Regular testing and reinforcement.
  - Cultivating a security-conscious culture where employees understand the importance of safeguarding their digital environments both at work and in their personal lives.
Recommendations for a Strong Security Posture
The report concludes with recommendations for security leaders, emphasizing the following key aspects:
- Defined Mandate: Establish and clearly communicate the purpose and goals of your security awareness program.
- Policy Alignment: Ensure your program is in line with your organizational security policies.
- Culture Integration: Actively connect your security awareness initiatives with your overall security culture to strengthen the human layer of defense.
- Executive Support: Secure full support from executives for your security awareness program.
To successfully implement these recommendations, security and risk management leaders can consider the following actions:
- Fostering a Security Culture: Cultivate a workplace environment that prioritizes security, where employees are encouraged to be vigilant and report suspicious activity.
- Strategic Hiring: Recruit individuals with a strong security mindset who can contribute to building a security-conscious culture.
- “Culture Carrier” Program: Establish a program where designated employees act as security champions, promoting awareness and best practices within their teams.
- Ongoing Simulated Phishing Tests: Conduct regular phishing simulations to reinforce training and assess employee preparedness.
- Increased Frequency: Increase the frequency of training and testing to maintain security awareness as a top priority.
- Leadership Role Modeling: Encourage executives and leaders to demonstrate a commitment to security best practices, setting a positive example for the organization.
- Clearly Defined Objectives: Outline specific goals for your security awareness program and track progress toward achieving them.
- Engaging Professionals: Consider partnering with experienced security awareness training providers to leverage their expertise and resources.
- Effective Measurement: Implement metrics to track the effectiveness of your program, measuring key indicators like PPP reduction and employee engagement.
- Marketing-Inspired Approach: Adopt a marketing mindset to create engaging and impactful security awareness campaigns that resonate with employees.
- Employee Motivation: Motivate employees to actively participate in security awareness initiatives by recognizing and rewarding positive security behaviors.
By implementing these steps, organizations can build a strong human firewall and empower their employees to play an active role in protecting their organization against the evolving threat landscape.
TryHackMe | Advent of Cyber 2024 – Day 3
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
TryHackMe | Advent of Cyber 2024 – Day 2
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
Weekly Cybersecurity Wrap-up 11/25/24
Each week I publish interesting articles and ways to improve your understanding of cybersecurity.
Projects
- Linux Foundation – Introduction to Kubernetes (LF158) – In Progress
- TryHackMe – Splunk: Setting up a SOC Lab
- SANS Holiday Hack Challenge 2024: Snow-maggedon
Articles
- Mexico’s President Says Government Is Investigating Reported Ransomware Hack of Legal Affairs Office – Mexico’s president says the government is investigating a reported ransomware hack of the country’s legal affairs office.
- Macy’s Discovers Employee Hid Millions in Delivery Expenses – The department store chain said it had found the erroneous accounting entries while preparing its results for the third quarter.
- The Future of Online Privacy Hinges on Thousands of New Jersey Cops – Removing your phone number and address from the internet can be exceedingly difficult. A multibillion-dollar lawsuit led by an unlikely privacy crusader could soon catalyze change for everyone.
- China has utterly pwned ‘thousands and thousands’ of devices at US telcos – Senate Intelligence Committee chair says his ‘hair is on fire’ as execs front the White House
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware – The Chinese state-sponsored hacking group Salt Typhoon has been observed utilizing a new “GhostSpider” backdoor in attacks against telecommunication service providers.
- Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack – Supply chain management software provider Blue Yonder has been targeted in a ransomware attack that caused significant disruptions for some customers.
- Russia arrests one of its own – a cybercrime suspect on FBI’s most wanted list – The latest in an unusual change of fortune for group once protected by the Kremlin
- Two UK Hospitals Hit by Cyberattacks, One Postponed Procedures – Alder Hey Children’s Hospital and Wirral University Teaching Hospital have fallen victim to cyberattacks, including one involving ransomware.
- Interpol: Operation HAECHI-V led to more than 5,500 suspects arrested – The international law enforcement operation HAECHI-V led to the arrest of more than 5,500 suspects and the seizure of over $400 million.
- Notorious ransomware programmer Mikhail Pavlovich Matveev arrested in Russia – Russian authorities arrested ransomware affiliate Mikhail Matveev, aka Wazawaka, for developing malware and ties to hacking groups.
- U.S. Citizen Sentenced for Spying on Behalf of China’s Intelligence Agency – A 59-year-old U.S. citizen who immigrated from the People’s Republic of China (PRC) has been sentenced to four years in prison for conspiring to act as a spy for the country and sharing sensitive information about his employer with China’s principal civilian intelligence agency.
- Police bust pirate streaming service making €250 million per month – An international law enforcement operation has dismantled a pirate streaming service that served over 22 million users worldwide and made €250 million ($263M) per month.
Podcasts
- SEI Podcasts: The Importance of Diversity in Cybersecurity: Carol Ware
- CISO Tradecraft #208 Insider Threat (with Shawanee Delaney)
2024 Insider Threat Report: A Cybersecurity Enthusiast’s Summary
The 2024 Insider Threat Report, produced in collaboration by Cybersecurity Insiders and Gurucul, paints a sobering picture of the evolving landscape of insider threats. Let’s break down some of the key findings and their implications.
The report highlights a disturbing increase in the frequency of insider attacks. Only 17% of organizations reported no insider attacks in 2024, down sharply from 40% in 2023. This trend is further underscored by the fact that 48% of respondents confirmed that insider attacks have become more frequent in the past year. The financial ramifications of these attacks are substantial: 29% of respondents reported an average remediation cost exceeding $1 million per attack. To put that in perspective, for organizations reporting 6 or more attacks in the last 12 months, the potential financial damage could easily reach tens of millions of dollars.
The report attributes this surge in attacks to several factors:
- Complex IT Environments: The shift to hybrid work models, the increasing reliance on cloud services, and the integration of technologies like IoT and AI have expanded the attack surface and made it more difficult to secure.
- Inadequate Security Measures: Insufficient data protection and inconsistent policies continue to plague many organizations, leaving them vulnerable to exploitation.
- Lack of Training and Awareness: A significant number of respondents (32%) pointed to a lack of employee training and awareness as a key driver of insider attacks. This highlights the critical role of security awareness programs in mitigating unintentional insider threats.
A key takeaway from the report is that insider threats are often more difficult to detect and prevent than external attacks. This is because insiders, by their very nature, have legitimate access to sensitive systems and data, making their malicious activities harder to distinguish from normal behavior. The report reveals that 37% of respondents find insider attacks more challenging to detect and prevent than external attacks, emphasizing the need for more sophisticated detection and prevention strategies.
Despite the growing awareness of the risks posed by insider threats, many organizations struggle to implement effective mitigation strategies. The report identifies several key obstacles:
- Technical Challenges: The complexity of data classification, concerns about user productivity impact, and deployment challenges to remote devices are among the technical barriers cited by 39% of respondents.
- Cost Factors: For 31% of respondents, the cost of implementing advanced security solutions, such as User and Entity Behavior Analytics (UEBA), remains a significant obstacle.
- Resource Limitations: Many organizations lack the necessary staffing and expertise to effectively manage insider threats, with 27% of respondents citing this as a key barrier.
The report emphasizes the critical importance of unified visibility and control across the entire IT environment – both on-premises and in the cloud – for effective insider threat management. While a significant 93% of respondents recognize this need, only 36% report having a fully integrated solution that delivers this capability. This discrepancy highlights a critical gap in many organizations’ security postures.
Some key recommendations include:
- Implement Advanced Monitoring Solutions: Investing in tools like UEBA can help identify anomalous user behavior that may indicate malicious intent.
- Integrate Non-IT Data Sources: Incorporating data from sources like HR and legal departments can provide valuable context for risk assessment and threat detection.
- Leverage Automated Threat Detection and Response: Automating security processes can significantly enhance efficiency and effectiveness in managing insider threats.
- Adopt a Zero Trust Framework: Ensuring continuous authentication and authorization of all users and devices can significantly reduce the risk of insider threats.
- Enhance Employee Training and Awareness: Comprehensive training programs can equip employees to identify and report suspicious activity and promote a security-conscious culture.
The 2024 Insider Threat Report serves as a stark reminder that the threat from within is real and growing. By understanding the evolving nature of insider threats, recognizing the challenges in detection and prevention, and embracing the best practices outlined in the report.