Phishing attacks have been a thorn in the side of IT security professionals for years. Yet an emerging category of antiphishing products seeks to help organizations thwart phishing with, oddly enough, more phishing.
A new breed of antiphishing tools and services are emerging in enterprises' security arsenals: simulated phishing offerings that test employees' ability to spot social engineering attacks.
Even though the average Internet user knows that phishing is a common tactic used by adversaries to trick users into sharing sensitive information or implant malware on a target system, it remains among the most consistently successful methods for perpetrating cyberattacks.
"Phishing, and the more targeted and sophisticated spearphishing, is becoming the weapon of choice for the modern cybercriminal and is used by the most sophisticated hackers for data and intellectual property theft," said Perry Carpenter, a former Gartner Inc. security awareness analyst now working as an information security practitioner in the financial sector.
The growth in mobile and nontraditional types of enterprise computing may do little to put a dent in phishing. In fact, an RSA study found that employees are three times more likely to fall for phishing attacks on mobile devices than on PCs.
Phishme Inc. and Wombat Security Technologies Inc. are two of the vendors that have developed training products that help enterprise employees recognize and thwart phishing. Security teams select and customize messages sent to employees. The vendors' antiphishing tools then monitor the employees' responses and provide security pros with reports about how well the workers fared. Organizations can then focus on the problem incidents and develop various training exercises that instruct employees about their points of failure. Employee performance data can be grouped so security professionals can determine if group or individual training is needed.
Businesses can vary the tests during the year and continually monitor employees' adherence to corporate security policies. Companies not only decrease the likelihood that phishing will be the method of entry for malicious software, but also mitigate risk across any device through which a user can receive an electronic message -- desktops, notebooks, tablets and smartphones.
The early results are promising. A Wombat survey found that almost 35% of employees at a Fortune 50 company were victimized by an initial simulated phishing attack. After completing antiphishing-focused interactive training modules, fewer than 6% fell for the second attack, which meant an 84% decrease in susceptibility.
But there are some challenges in deploying such simulated phishing products and services. "Employees may develop a lack of trust if they find that companies are secretly testing them," Carpenter noted. Businesses will need to outline the reasons for their actions, he said, and have employees buy into the need for such measures.
"The best way to use these tools is integrating them into application-level training -- say, showing employees how to use the company email system," said Eric Ogren, principal analyst at Stow, Mass.-based security consultancy The Ogren Group.
However, a one-time test yields only temporary results. To be effective, Ogren said, businesses need to challenge employees' actions on a recurring basis. Since the tests are unique, enterprises need to spend time and effort developing them. The same holds true for the training efforts. As a result, firms may find it difficult to fund and maintain these programs.
About the author:
Paul Korzeniowski is a freelance writer specializing in technology issues. He is based in Sudbury, Mass., and can be reached at firstname.lastname@example.org.