What would you do if nearly a third of your employees were making mistakes that could cause serious harm to the company?
According to findings by Duo Security, that’s exactly what is happening with employees and phishing attacks. About 31 percent of employees were clicking on phishing links, opening up the company to potential malicious activities. Another 17 percent willingly gave up their username and password combination when asked. As Jordan Wright, R&D engineer at Duo Security, told eWEEK:
The main thing to take away from this is that even if only 17 percent provided their username and password, 31 percent clicked the link, which in itself can lead to a breach through an outdated endpoint.
Why do users continue to fall for phishing attacks? Social engineering has become that good. As Dodi Glenn, vice president of Cyber Security with PC Pitstop, told me in an email interview:
Many people are simply gullible, and the hackers realize this. The more urgency they place on the phishing email, the more likely people will fall for them. Social engineering is an art, and the hackers are mastering it. Interestingly enough, we often find ourselves recognizing we fell for the scam, shortly after giving out information. The ‘uh oh’ sensation is all too familiar for many.
Security education and training is the most logical step in keeping employees from resisting that urge to click on the phishing bait, right?
However, Steve Durbin, managing director of the Information Security Forum, told me in an email that it isn’t always that simple. Today’s business landscape is complex and subject to rapid change: As a consequence, it is not possible to train everyone for every eventuality, he said; therefore, training should be limited to day-to-day, routine matters and frequently encountered circumstances. He added:
As far as possible, people should be trusted, motivated and empowered at all levels of the organization. Information security practices then become embedded in the business culture, making information security a critical element of ‘how things are done around here.’ Top-performing organizations recognize that a network of trained information security champions from within the business plays a vital role in introducing and embedding positive information security behaviors.
Glenn agreed, saying that while user education is the key to decreasing the phishing attack surface, as long as you have humans involved, mistakes are going to be made. You can’t totally eliminate the security risk, but you can make it smaller by ensuring employees know what phishing looks like and how to prevent falling into a socially engineered trap.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.