Phishing News - September 2016

     Phishing has continued to increase steadily over the last 24 months, and every industry sector is susceptible. According to the Wombat ThreatSim State of the Phish 2016 report, assessment testing shows that corporate-themed messages are the most successful category of lure. That should concern most organizations, yet 37% of organizations still do not test their employees. Where testing is in place, the improvement rate correlates with how frequently the tests are run. So if 63% of organizations are testing, and it works as well as this report suggests, why are so many organizations still having trouble with phishing?

A few notes on Phishing Assessment Testing... Part 1:

     The reality is that protecting an organization from phishing is a complex problem, and so is running phishing assessment tests. There are three ways to run them these days: SaaS platforms like PhishMe and ThreatSim, open-source tools like Gophish and SET (the Social-Engineer Toolkit), or custom code. Whichever an organization chooses, there are certain things you need to know:

  • Data sets - do you really need to test the whole organization, or will a subset give you a representative data set? More is not better - it is just more. Every additional employee you test is additional load on your support and helpdesk teams, who will field the calls and tickets the test generates.
  • All tests are not equal - do not assume every user is susceptible to the same kind of phishing. Employees work differently and use different applications, so a lure that works on finance may fall flat on engineering. Designing a phishing assessment email is as much an art as it is a science.
  • Data management - do you know your employee data? Most organizations struggle to produce a clean employee file (correct names, addresses, departments and locations). Oh! and don't forget privacy: if you want to avoid legal and regulatory trouble later, begin with the end in mind; think encryption of the results at rest and in transit, and data residency, for starters.
  • Localization - what do your statistics say today? If employees in a given location are susceptible to phishing in their local language but not in English, then testing them in English tells you little and does nothing to raise their awareness. Localization is hard, no doubt, but no one said this would be easy.
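The sampling and localization points above are worth making concrete. The following Python is an added example, not code from this post or from any of the platforms it names: it sizes a representative sample with the standard finite-population formula, draws it stratified by department and locale so no group is left out, and then reports click rates per locale and template language from a constructed split test (the same lure sent in English and in the employee's own language). The roster, the campaign results and every function name are constructed for illustration.

```python
"""Scoping a phishing assessment: size a representative sample, draw it
stratified by department and locale, and compare click rates per locale
between an English lure and a localized one.

Added example. The roster, the campaign results and all function names are
constructed for illustration and do not come from any phishing platform."""
import math
import random
from collections import Counter, defaultdict


def sample_size(population, margin=0.05, z=1.96, p=0.5):
    """Employees needed to estimate a click rate within +/- margin at 95%
    confidence (z=1.96), with the finite-population correction applied.
    p=0.5 is the worst case and gives the largest n."""
    n0 = (z * z * p * (1 - p)) / (margin * margin)
    return math.ceil(n0 / (1 + (n0 - 1) / population))


def build_roster(total=1200, seed=7):
    """Constructed employee roster: (employee_id, department, locale)."""
    rng = random.Random(seed)
    departments = ["finance", "engineering", "sales", "hr", "support"]
    locales = ["en-US", "de-DE", "fr-FR", "ja-JP"]
    return [(f"E{i:04d}", rng.choice(departments), rng.choice(locales))
            for i in range(1, total + 1)]


def stratified_sample(roster, n, seed=11):
    """Draw roughly n employees, allocating to each (department, locale)
    stratum in proportion to its size, with at least one per stratum.
    Rounding up per stratum means the draw can slightly exceed n."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for emp in roster:
        strata[(emp[1], emp[2])].append(emp)
    chosen = []
    for _, members in sorted(strata.items()):
        k = max(1, math.ceil(n * len(members) / len(roster)))
        chosen.extend(rng.sample(members, min(k, len(members))))
    return chosen


def constructed_results():
    """Constructed split-test results, one row per email sent:
    (employee_id, locale, template_language, clicked)."""
    plan = {  # (locale, template language): (sent, clicked)
        ("en-US", "en"): (100, 12),
        ("de-DE", "en"): (50, 2), ("de-DE", "de"): (50, 11),
        ("fr-FR", "en"): (50, 3), ("fr-FR", "fr"): (50, 3),
        ("ja-JP", "en"): (40, 1), ("ja-JP", "ja"): (40, 9),
    }
    rows, i = [], 0
    for (locale, lang), (sent, clicked) in plan.items():
        for j in range(sent):
            rows.append((f"E{i:04d}", locale, lang, j < clicked))
            i += 1
    return rows


def click_rates(rows):
    """Map (locale, template_language) -> (clicked, sent, rate)."""
    sent, clicked = Counter(), Counter()
    for _, locale, lang, did_click in rows:
        sent[(locale, lang)] += 1
        clicked[(locale, lang)] += int(did_click)
    return {k: (clicked[k], sent[k], clicked[k] / sent[k]) for k in sent}


def localization_gap(rates):
    """Locales where the native-language lure outperformed the English one,
    i.e. where an English-only test would understate the real exposure.
    Returns locale -> (english_rate, localized_rate)."""
    gaps = {}
    for (locale, lang), (_, _, rate) in rates.items():
        if lang == "en":
            continue
        english = rates.get((locale, "en"))
        if english and rate > english[2]:
            gaps[locale] = (english[2], rate)
    return gaps


if __name__ == "__main__":
    roster = build_roster()
    n = sample_size(len(roster))
    sample = stratified_sample(roster, n)
    print(f"population {len(roster)}, needed {n}, drawn {len(sample)}")
    rates = click_rates(constructed_results())
    for key, (c, s, r) in sorted(rates.items()):
        print(f"{key[0]} / {key[1]} template: {c}/{s} = {r:.0%}")
    print("locales needing localized tests:", localization_gap(rates))
```

In this constructed data the German and Japanese offices look almost immune when tested in English but click freely on the same lure in their own language, which is exactly the blind spot the localization point describes; the French office shows no gap, so an English test there is at least not misleading. The sample-size step is what keeps the helpdesk load bounded: for a 1200-person organization you need under 300 people, not everyone, to estimate the overall click rate within five percentage points.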