According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management.
But when employees are trained on how to spot phishing emails, and then get tested with mock phishing emails, the percent who fall victim decreases with each round.
Of course, it's impossible to get to a zero response rate. The criminals are becoming extremely clever with their messages. Fortunately, it's not necessary. If enough employees forward phishing emails to security, then the company becomes aware that it is the target of a campaign, and can be prepared to deal with those messages that do slip through.
The Anti-Phishing Working Group offers a variety of resources, including a phishing education landing page that companies can use in conjunction with their anti-phishing campaigns. Some of the vendors below, including PhishMe and KnowBe4, also offer free resources.
BetterCloud, which offers security and monitoring services for cloud-based office applications, started worrying about phishing when another company in their office building lost $2 million to a phishing scam, and their cybersecurity insurance would not cover the cost.
"Their business took a really big hit," said Austin Whipple, the company's senior security engineer. "It was hard to recover from that."
In response, BetterCloud ran a company-wide training, then created its own phishing email campaign that seemed to be a note from the HR system, but actually came from an external email address. This was followed up with more education.
"Compared to other organizations, or to the Verizon report, we did fairly well," he said. "But there are still some areas we can improve on."
Once some time has passed, there will be another phishing test, he added. Employees forward suspicious emails to him personally, and it's clear that the company has already been specifically targeted, because some of the real phishing emails include inside information that would have required some research.
According to Whipple, setting up an anti-phishing training program is not too difficult.
"Any one tech person can do this whole thing," he said. "It doesn't take a massive amount of set up. Educate your people, do the test, then educate the people again, and do a follow-up test."
PhishMe's phishing simulation, training and reporting platform is used by more than 800 customers worldwide, including nearly half of the Fortune 100, to proactively engage thousands of employees in simulations that condition them to detect and report phishing threats.
PhishMe also offers a phishing incident response platform, which automates and prioritizes reported phishing emails for faster response, and a threat intelligence service that helps threat analysts vet the phishing activity they see against verified external threats.
By combining awareness training, easy reporting, and appropriate security responses, employees can go from being a company's biggest security weakness to its first line of protection.
"Humans are the most powerful layer of defense against spear phishing, and organizations need to leverage every security benefit humans can provide to remain protected against this top attack vector," said Rohyt Belani, CEO at PhishMe.
PhishMe also offers a dozen free training modules, available in the form of interactive PDF files or SCORM-compliant files that can be run through a company's learning management system.
Customers include four of the top five U.S. financial institutions, seven of the top 25 global financial institutions, leading social media and career sites, and top healthcare, retail, insurance and technology companies.
"Make the simulations as realistic as possible," recommends John LaCour, founder and CEO at PhishLabs. "If you want your employees to spot and report real-world attacks, the simulations need to mirror the real-world attacks they are most likely to see."
In addition, once employees do report the attacks, a company needs to have processes in place so that they can respond to targeted attacks early on, when they're the least costly to mitigate.
"But that can’t happen if those reports just sit in a helpdesk queue," he added.
IronScales offers phishing simulations and gamified training for employee security awareness.
Gamification makes the training fun and interactive, said Eyal Benishti, CEO at IronScales. "People are tired of bullets and boring videos."
Continuous assessment can make the biggest impact when it comes to changing behavior, he added. He recommends running tests at least once every two months.
According to data collected from about 60 companies, click-through rates can be reduced significantly as a result, with employees forwarding phishing emails 200 percent more often than before.
MediaPro offers training and reinforcement programs, and an adaptive phishing simulator. Customers include Microsoft, T-Mobile, Expedia, Cisco, Oracle, Boeing, Marriott, Costco and other Fortune 500 companies.
It's important not to test employees on the same kind of phishing message over and over again, said Steve Conrad, managing director at MediaPro Holdings, LLC.
"Not all phishing campaigns are equal, nor should they be," he said. "You need to use a model that sends phishing messages of varying complexity and sophistication, and those are going to generate different kinds of results. Sending the same, or similar, messages to your end-users will show great results in a phishing report—your click-through rates will go down—but it will not accomplish your business goal."
KnowBe4 is the company that has Kevin Mitnick as its chief hacking officer, and claims to be the most popular integrated platform for security awareness training and simulated phishing tests, with thousands of enterprise customers.
According to Stu Sjouwerman, CEO at KnowBe4, phishing emails are involved in a variety of attacks, including ransomware and business email compromise fraud.
"BEC and ransomware are on pace to be a $1 billion a year crime this year," he said.
KnowBe4 also offers a free phishing security test for up to 100 employees, as well as a one-time free email exposure check that identifies employees' email addresses that are exposed to the public.
One of the earliest vendors in this space, Wombat Security Technologies grew out of research at Carnegie Mellon University in 2008. The company claims over 1,000 enterprise customers and offers automated phishing tests and training modules.
It makes sense that the company continues to focus on research, and it regularly puts out research reports about phishing trends and training effectiveness. For example, Wombat worked with the Ponemon Institute to determine that the average-performing program resulted in a 37-fold return on investment.
According to Joe Ferrara, CEO at Wombat Security Technologies, phishing costs the average 10,000-employee organization $3 million a year -- and a successful training program can reduce the number of employees falling for phishing attacks by up to 90 percent.
One key to a successful program, he said, is to automatically schedule the employee for a phishing training module when they fail a phishing test.
That's the point where they're most motivated to improve, he said.
The company offers anti-phishing training, simulated phishing attacks, a monthly newsletter, posters, digital signage, and other job aids to provide a constant stream of tips and best practices that can help keep security top-of-mind for employees.
Customers include Franklin Templeton Investments, ING, Chicago Mercantile Exchange, Tata, RedBox, ADP, Johnson Controls, Bridgestone, the USDA, and ABB.
The company says that it has more than five million users worldwide, and that its programs reduce phishing susceptibility by more than 92 percent.
Its PhishProof product is available as a completely managed service where the company's team of experts designs and deploys assessments and training, or as a software-as-a-service model with online software that can be used to create and deploy assessment within minutes.
Blackfin Security, part of Symantec, offers phishing simulation and training. The awareness training can be integrated right into the phishing simulation assessments with immediate in-line training, or users can schedule follow-up training that fits their schedule.
In addition, there are training modules on social engineering, malware, physical security, and using public WiFi networks, among other general security topics.
This is different from Symantec's own training program, which is focused on helping enterprise security professionals install and maintain Symantec products.
Taking anti-phishing testing one step further, PhishLine targets a broader set of social engineering attacks, including text messages, phone calls and even "accidentally dropped" USB sticks.
Earlier this year, PhishLine launched a marketplace for third-party computer-based training materials, including hundreds of phishing templates, customized landing pages, risk assessment surveys and multi-lingual security training content.
In addition to training and simulations, the company also offers measurement tools that allow companies to track the success of their programs. One measurement, for example, which can be used for gamification, is risk-based scoring. Enterprises can set up custom dashboards where training scores can be compared by individual employees, departments or other groups, or to internal or external benchmarks.
InfoSec Institute is best known for its in-person enterprise security training, boot camps, and certification programs.
But it also offers interactive online training modules for security awareness. Its SecurityIQ product combines computer-based security awareness training and a phishing simulator in one cloud-based service. Companies can set up automated campaigns to send phishing tests to employees over time, or to enroll and remind learners to take their security awareness training.
Although it's possible to build an anti-phishing training and testing program internally, vendors such as InfoSec Institute and the others listed above offer some significant advantages to the enterprise.
"Oftentimes, organizations aren’t equipped to provide great education, internally," said Mike Spanbauer, vice president of security test and advisory at NSS Labs.
Vendors who focus specifically on phishing are aware of new trends in phishing emails and can incorporate the tactics into their training programs and anti-phishing simulation templates quickly.