Report Reveals Deficiencies in Anti-Phishing Training in Organisations

Cofense, a security software company formerly known as PhishMe, recently conducted a survey which found that organizations across many different sectors are unable to prevent phishing attacks on their systems.

In compiling the survey, Cofense interviewed 200 IT executives from a wide range of industries. The results revealed that 90% of IT executives are most concerned about email-related threats. Email-related attacks occur with alarming frequency, and as defence software grows more sophisticated, so too does the nature of the attack. Many organizations struggle to train their employees to identify phishing emails, and their systems are perpetually at risk. Nearly two-thirds of those questioned said that they have had to deal with security threats arising from email attacks in recent times.

The IT executives were asked about their opinions on their organisation’s ability to respond to phishing threats. About 43% of respondents rated it between totally ineffective and mediocre.

The survey highlighted several areas where organizations are struggling to prevent phishing attacks and respond quickly when phishing emails make it past their defenses.

Cofense’s report notes that many IT support staff who may be subject to phishing attacks have not been trained to identify phishing emails. This lack of basic precaution renders the organisation susceptible to attack. The survey showed that many IT employees fail to recognise threats, and therefore don’t block access to malicious links through the firewall or web filter.

Nearly half of all respondents felt that the biggest challenge to their organisation was the small number of employees they had to deal with an ever-increasing threat. Approximately one-third of respondents said they have to deal with more than 500 suspicious emails a week. A further fifth of respondents said they receive more than 1,000 suspicious emails a week, which puts a great deal of strain on their security teams.

Identifying potential threats among the spam drains the resources of a company. When asked what could help their organisation’s phishing response become more efficient, IT executives repeatedly said that they wanted some sort of system that could automatically analyze reported emails and sort the real threats from spam.

The twin issues of time pressure and a lack of human resources mean that potential phishing attacks are often not dealt with rapidly. Many organizations have an inefficient and ineffective phishing response, which makes rapid mitigation difficult.

Cofense identified that part of the problem lies with how suspicious emails are reported. Over half of organizations have potentially suspicious emails routed to the helpdesk and do not have a dedicated inbox for phishing emails. Mixing reports of potential phishing attacks with other IT issues increases the probability of serious threats being overlooked and invariably leads to delays in implementing the phishing response.
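The automated triage that respondents asked for, and the dedicated phishing-report inbox the report recommends, fit together: reports land in one mailbox and a first pass ranks them so that analysts open the likely real threats before the bulk spam. The script below is an added example written for this article; it is not Cofense's software or anything described in the report. It parses a constructed set of three reported messages (built inline with the standard `email` library, so nothing here comes from a real mailbox), scores each one on a handful of cheap indicators (Reply-To domain differing from From, failed SPF/DKIM/DMARC results, urgency wording, script-type attachments, and HTML links whose visible URL differs from the real href), and returns the queue highest-risk first. The trusted domain, the scoring weights and the indicator list are all assumptions chosen for illustration.

```python
"""Triage pass over a dedicated phishing-report inbox (added example, not from the article)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed: the domain the organisation really sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}
# Assumed: attachment types an analyst should look at first.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "expires", "action required")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def addr_domain(header_value):
    """Lowercase domain of the first address in a header value, or '' if none."""
    if not header_value:
        return ""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_domain(url):
    return (urlparse(url).hostname or "").lower()


def score_message(raw):
    """Parse one raw RFC 5322 message and return its subject, score and the reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Only meaningful if this header was written by your own gateway (strip inbound copies).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        score += 3
        reasons.append("sender authentication failed")

    subject = str(msg.get("Subject", ""))
    if any(word in subject.lower() for word in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language in subject")

    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
                score += 3
                reasons.append(f"script or executable attachment {name}")
        elif part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(part.get_content()):
                shown = URL_RE.search(re.sub(r"<[^>]+>", "", text))
                if shown and url_domain(shown.group()) != url_domain(href):
                    score += 3
                    reasons.append(f"link shows {url_domain(shown.group())} but goes to {url_domain(href)}")

    return {"subject": subject, "from": from_dom, "score": score, "reasons": reasons}


def priority(score):
    """Bucket a score so the queue can be worked top-down (thresholds are assumptions)."""
    return "investigate now" if score >= 5 else "review" if score >= 2 else "likely spam"


def triage(raw_messages):
    """Score every reported message and return them highest-risk first."""
    results = [score_message(raw) for raw in raw_messages]
    for r in results:
        r["priority"] = priority(r["score"])
    return sorted(results, key=lambda r: r["score"], reverse=True)


def build_samples():
    """Constructed messages standing in for what employees forwarded to the report inbox."""
    phish = EmailMessage()
    phish["From"] = "IT Support <helpdesk@example-corp.com>"
    phish["Reply-To"] = "helpdesk@mail-relay.example.net"
    phish["Subject"] = "URGENT: your password expires today"
    phish["Authentication-Results"] = "mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com"
    phish.set_content("Please log in to keep your account.")
    phish.add_alternative('<p>Log in at <a href="http://sso.example-corp.com.evil.example/login">'
                          "https://sso.example-corp.com</a></p>", subtype="html")

    invoice = EmailMessage()
    invoice["From"] = "accounts@vendor.example"
    invoice["Subject"] = "Invoice attached"
    invoice["Authentication-Results"] = "mx.example-corp.com; spf=pass dkim=pass"
    invoice.set_content("See attached.")
    invoice.add_attachment(b"var x=1;", maintype="application", subtype="octet-stream",
                           filename="invoice.js")

    newsletter = EmailMessage()
    newsletter["From"] = "news@example-newsletter.com"
    newsletter["Subject"] = "This week's deals"
    newsletter["Authentication-Results"] = "mx.example-corp.com; spf=pass dkim=pass"
    newsletter.set_content("Browse the deals.")
    newsletter.add_alternative('<p><a href="https://example-newsletter.com/deals">'
                               "https://example-newsletter.com/deals</a></p>", subtype="html")

    return [m.as_string() for m in (newsletter, invoice, phish)]


if __name__ == "__main__":
    for r in triage(build_samples()):
        print(f'{r["score"]:2d} {r["priority"]:16s} {r["subject"]}: {"; ".join(r["reasons"])}')
```

Two caveats a practitioner would add. The `Authentication-Results` check is only trustworthy if the header was added by your own gateway and any copy arriving from outside is stripped, since an attacker can write one of their own. And a scorer like this only orders the queue; the reported message still needs a human or sandbox verdict, which is exactly why the report wants the inbox separated from general helpdesk tickets.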

The survey showed companies are heavily reliant on technology and anti-phishing software to prevent phishing attacks. Many respondents said that they chose to implement layered defenses. While this may seem like a good strategy to reduce the chances of a successful attack, 42% of respondents said that multiple layers of security solutions were a problem when managing phishing attempts. This added complexity may increase the chance of human error occurring, and therefore an attack becomes more probable.

The most common defense against phishing attacks is email gateway filtering, although 15% of organizations still do not use email filtering technology and 20% do not use an anti-malware solution. As mentioned before, many organisations fail to adequately train their staff; 34% of organizations do not provide computer-based training for employees to improve awareness of phishing and teach employees how to identify phishing emails.

PhishMe accepts there are limits to training. “Are all employees going to ‘get it’ every time? Probably not. But they don’t have to if the rest of the organization is ready to recognize and report suspicious emails. It only takes one to report it so the incident response team can substantially reduce the impact of phishing attacks.”