
Review of the Top 5 Findings in the ESI Benchmark Report

Recently I spent some time reviewing the ESI Benchmark Report from Hornetsecurity and found some valuable insights.  As a long-time practitioner deploying email infrastructure, including methods of phishing prevention, the evolution of this topic is still top of mind for me.  The other key consideration for your enterprise is that phishing remains one of the top ways that both professional and personal information is compromised, so awareness and prevention are key.  Today we will look at the state of the industry around phishing, then take a closer look at the top 5 findings in the report and what they mean to you and your enterprise, and then wrap things up.

Phishing State of the Industry

According to the research in the ESI Benchmark Report, over 90 percent of all cyber-attacks start with a phishing e-mail. As a long-time Microsoft Exchange administrator this really resonated with me.  I have spent years in this space, both implementing technology for prevention and educating users on prevention techniques. It is not an easy task, and as the attacks and social engineering techniques change it has become an initiative within companies that is no longer left to the admin alone to solve.  Our enterprise users have an equal part in the solution by learning how to spot a phish and avoid it.  

The Hornetsecurity Cyber Threat Report 2021/2022 also found that 40 percent of all e-mail traffic poses a potential threat, ranging from indiscriminate mass mail-outs to personalized spear-phishing e-mails where attackers may have spent weeks or even months gathering information on their target. That is a large share of e-mail, and we as employees of the companies we work for need to do our part in preventing phishes from succeeding.

Another critical part of the current state of the industry is that MFA in its traditional form (a one-time code from an app or SMS, or a push prompt) is no longer a failsafe way to stop an attacker from taking enterprise information once a phish succeeds.  In an adversary-in-the-middle (man-in-the-middle) phishing attack, the fake login page proxies the real site in real time: the code the victim types is relayed to the real service and the resulting session is captured.  According to the ESI report, “To put a stop to the growing problem of 2FA circumvention, companies should switch to FIDO2 (Fast Identity Online). FIDO2 provides an innovative 2FA method where registration for an online service is covered by encryption that cannot be cracked even using the very latest hacking methods.”

Also consider that an attacker can buy a phishing kit online for minimal cost and use it without any programming expertise, yet the attacks have become sophisticated enough to bypass the MFA we have all leaned on for years to protect usernames and passwords. These attacks are a lucrative financial business run by cyber gangs on a crime-as-a-service model, with no regard for the reputational or operational damage caused to the business being phished, since the goal is financial gain for the thief.
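To make the MFA-bypass point concrete, here is a small Python simulation added for this review (it is not code from the ESI report or from Hornetsecurity). It models a reverse-proxy phishing kit relaying a one-time TOTP code straight through to a hypothetical site, then shows why the same relay fails against a FIDO2/WebAuthn credential: the browser, not the phishing page, writes the page origin into the signed client data and refuses any rpId that does not match that origin, and the security key holds no credential for the look-alike domain. The relying party name, origins, secrets and timestamp are all constructed for the example, and an HMAC stands in for the authenticator's ECDSA signature so it runs with the standard library only.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# ---- Traditional second factor: TOTP (RFC 6238), stdlib only ----

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 time-based code, as produced by common authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class TotpSite:
    """Hypothetical relying party protected by password + TOTP (constructed for the example)."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(password, self.password) and code == totp(self.secret, unix_time)

def aitm_relay_totp(site: TotpSite, typed_password: str, typed_code: str, unix_time: int) -> bool:
    """Reverse-proxy phishing kit: the fake page forwards whatever the victim typed.
    Nothing in a TOTP code ties it to the page it was typed on, so the relay succeeds."""
    return site.login(typed_password, typed_code, unix_time)

# ---- FIDO2/WebAuthn-style second factor: origin-bound assertions ----
# Simplified model: an HMAC stands in for the authenticator's ECDSA signature, but
# what gets signed (rpIdHash + hash of clientDataJSON) and what the server checks follow WebAuthn.

REAL_RP_ID = "example.com"            # hypothetical relying party
REAL_ORIGIN = "https://example.com"

class Authenticator:
    """Security key: holds one credential per rpId, created at registration."""
    def __init__(self):
        self.credentials = {}  # rp_id -> key (stand-in for the private key)

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self.credentials[rp_id] = key
        return key  # a real key would export only the public half

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> bytes:
        if rp_id not in self.credentials:
            raise LookupError(f"no credential registered for rpId {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field of authenticatorData
        return hmac.new(self.credentials[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get_assertion(authn: Authenticator, page_origin: str, rp_id: str, challenge: bytes):
    """The browser, not the page, writes the origin into clientDataJSON and
    refuses any rpId that is not the page's host or a parent domain of it."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    sig = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, sig

def rp_verify(key: bytes, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: expected origin and challenge, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge.hex():
        return False
    auth_data = hashlib.sha256(REAL_RP_ID.encode()).digest()
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo() -> dict:
    results = {}
    # 1. TOTP: the code the victim reads off their phone is relayed straight through.
    site = TotpSite("hunter2", b"constructed-totp-seed")
    now = 1_700_000_000                       # constructed timestamp
    victim_code = totp(site.secret, now)
    results["totp_relay"] = aitm_relay_totp(site, "hunter2", victim_code, now)
    # 2. FIDO2: the phishing page sits on a look-alike origin and relays the real challenge.
    authn = Authenticator()
    key = authn.register(REAL_RP_ID)
    challenge = os.urandom(16)
    phish_origin = "https://example.com.login-portal.net"
    try:                                      # 2a. kit asks for the real rpId: browser refuses
        browser_get_assertion(authn, phish_origin, REAL_RP_ID, challenge)
        results["fido_relay"] = True
    except PermissionError:
        results["fido_relay"] = False
    try:                                      # 2b. kit asks for its own rpId: no credential exists
        browser_get_assertion(authn, phish_origin, "login-portal.net", challenge)
        results["fido_own_rpid"] = True
    except LookupError:
        results["fido_own_rpid"] = False
    cd, sig = browser_get_assertion(authn, REAL_ORIGIN, REAL_RP_ID, challenge)  # legitimate login
    results["fido_legit"] = rp_verify(key, challenge, cd, sig)
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `totp_relay` True and `fido_legit` True, while both phishing paths against the FIDO2 credential return False. The lesson for deployment is that the protection comes from the browser's origin check and the server's verification of `origin` and `rpIdHash`, so a relying party that skips those checks on the server side gives up part of the benefit.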

The state of the industry around email and phishing really should leave us all concerned and ready to implement the right tools and educate our users to ensure our business information remains safe and free from attack.

ESI Benchmark Report top 5 Findings

This report was full of great information and findings, but these are my top 5 and why.

  1. Continuous awareness training required – in my experience we would hire ethical hackers to do intrusion detection, which also included phish testing.  While this can vary by organization, we would typically do this once or twice a year.  A report would be shared with the appropriate internal resources, and we would work to implement fixes and educate our users as if they were all one person who needed the same information.  The reality is that to be effective, security training must be frequent and ongoing.
  2. Security mindset – Enterprises must educate users on threats and create an understanding that everyone has a personal responsibility to protect enterprise data.  The other side of this is ensuring that there are proper communication channels for users to share information quickly and appropriately.  
  3. Improve employee skillset – Ensuring that users acquire skills and knowledge in attack prevention through several methods of learning is critical to securing data.  For example, combining phishing simulation tools, e-learning and in-person training supports ongoing learning and success.
  4. Toolset – Giving users the right tools to secure the enterprise data they use is also important.  For example, password managers, secure messaging channels and report-phishing buttons in e-mail clients all help with this process.
  5. Continuous training – Training and security events should not happen just once or twice a year.  They should be ongoing so that security prevention becomes a habit for all enterprise users. 

Wrapping up

Enterprise security prevention is the only way to ensure your enterprise stays ahead of security threats.  Keep in mind that phishing via e-mail is the number one way that security threats enter organizations.  Have a plan and be sure to stay educated.  Download the ESI Benchmark Report now.

Sponsored by Hornetsecurity