Today’s cyber security landscape is dotted with billboards headlining the latest data breach. It seems each new day brings another disclosure of corporate computer systems that have been compromised. The Hollywood image of a lone computer genius actively toiling away in a dark basement trying to gain unauthorized access to a remote network is far from the reality – as is often the case in Hollywood.
The reality is these attacks are often perpetrated by automated software that has been crafted by teams of hackers, activists, and even governments, to exploit vulnerabilities within the targeted organization. Unfortunately, for all the technical controls put in place to protect company resources, the greatest vulnerability remains the end user. Social engineering continues to be a persistent, escalating threat to network and data security. One study, conducted by Verizon in 2016, provides a glimpse at the magnitude of the threat:
“Verizon studied 42,068 security incidents that resulted in 1,935 breaches. Overall, 43% of the documented breaches involved social engineering attacks! That’s almost half, and these are only representative of the reported/documented breaches.”
Statistics like this point to the effectiveness of social engineering, and to the continued reliance on this tactic by malicious actors. Why? Because it works.
Social engineering can take many forms, but the most prevalent, and possibly simplest, form is email. Today’s inbox is inundated with spam from countless solicitors, social media “friends”, and various other email “marketing” platforms. Spam is often the delivery method of choice when attackers go “phishing”. Phishing is the mass mailing of malicious email intended to “catch” a victim. The messages are becoming harder to identify. Add this junk to the numerous legitimate messages received each day and it becomes clear why email is such a social engineering gold mine.
Who really takes time to study a message before opening it? Or, once opened, time to investigate the details before acting? These are the questions attackers are relying on you not to consider. Sophisticated phishing emails make it difficult to determine which message is authentic, and which is trouble. Blindly clicking links or attachments is the first step in possibly opening Pandora’s box. The risk is extensive as a simple click may be all that’s needed to install malicious software capable of infiltrating your network or compromising your data. This is where simulated email can help.
Numerous third-party platforms provide simulated email services that assist end users in recognizing potentially malicious email. Combine this with ongoing cyber security training and education, and you’re on your way to minimizing a very real threat. Simulated phishing is “good” phishing. The vendor will mass deliver a phishing email to targeted end users with two objectives in mind:
- The user will take time to investigate the message and determine the message is not authentic and properly dispose of the message without acting on it.
- The user will open the message, act on it by clicking links or opening attachments, and discover the message was indeed phishing and be directed to a tutorial on recognizing malicious email.
While adding to an already overflowing inbox may seem counterintuitive, the result can be increased awareness, thereby reducing exposure to phishing attacks.
Simulated phishing email campaigns are a valuable tool in your cyber security training platform. The messages are safe, controlled, and can often be customized to relate to a specific user, department, or topic. The ability to vary the form and content keeps the program fresh, and users on their toes. As an add-on service to your existing contract, or a standalone purchase, the investment in simulated email may well provide a return often overlooked in today’s business environment…peace of mind.