Why is it important to prevent phishing attacks?
The term “phishing” is certainly not unfamiliar to you, given the significant number of campaigns launched in the past year alone. Here are some figures and statistics that demonstrate the growing popularity of this type of attack:
- 57% of organizations face phishing attempts weekly or almost daily.
- Almost 1.2% of all emails sent are malicious, totaling approximately 3.4 billion phishing emails every day.
- In 74% of security breaches, the human factor played a significant role (whether through social engineering tactics, simple mistakes, or abuse).
- IBM identifies phishing as the primary initial attack vector, responsible for 41% of incidents.
- CSO Online notes that over 80% of reported security incidents are due to phishing.
- CSO Online also reports a loss of $17,700 every minute due to phishing attacks.
In this context, we return to the main idea that prevention is the most important measure when it comes to phishing attacks. It is far better to consider cybersecurity awareness training for your employees than to face an attack and require complex specialized services.
Next, we will go into detail about a case study involving a client from Romania, with over 4,000 employees in the retail sector, who wanted an automated solution to train their staff to effectively identify and accurately report phishing attacks.
The challenge for a company operating in the national retail industry
The most effective cyberattacks require minimal technical resources precisely because they rely more on human error than on the lack of cutting-edge cybersecurity solutions in companies. Under strong pressure, people are more prone to making mistakes, which is the main reason why most data and security breaches succeed.
In the market where our client operates, there have been a series of phishing incidents that caused devastating data losses and security breaches. The consequences were severe, with retail businesses suffering significant financial losses, reputational damage, and erosion of customer trust.
Our client understood that investing in the training of its people is likely the best and most efficient investment it could make in its cybersecurity defenses.
To increase cybersecurity awareness across their entire network, our retail client chose to implement Phish Enterprise, a solution developed by the security experts at Bit Sentinel. Phish Enterprise is an automated platform used for practical training exercises focused on cybersecurity and social engineering tactics, helping organizations build a strong cybersecurity culture and comply with existing regulations.
Some of the company’s activities fall under the scope of the Network and Information Systems Security Directive, known as the NIS Directive, which mandates technical and organizational measures, including user awareness and training, while ensuring personnel security. Therefore, Phish Enterprise proved to be extremely well-suited to meet our client’s needs in this regard.
Approach, process, and implementation
Our client opted for the “Auto-Pilot” version of Phish Enterprise to train their employees. In this version, the team has access to a set of over 50 phishing attacks in a “set-and-forget” model: the scenarios are scheduled and the reports are delivered as a managed service. This way, the company did not need to allocate additional time or internal resources to reach its cybersecurity awareness goals.
For their internal cybersecurity awareness campaign, our retail client established the following training and testing strategy using the Phish Enterprise platform:
- The first 2-3 weeks were dedicated to training, during which employees learned the basics of phishing, spear phishing, whaling, smishing, vishing, malware, ransomware, computer viruses, and password security and management. The study phase was followed by a test with questions on these topics.
- Next, the Phish Enterprise team developed a plan to launch phishing simulation campaigns to test the knowledge acquired during the theoretical part of the training. The phishing simulations took into account the company’s internal processes, the technologies used for document sharing, and the tools utilized by all departments (e.g., marketing, HR, administrative, sales, procurement, etc.).
- The final stage involved implementing the phishing campaigns within the time frame and for the teams approved by our client. The phishing scenarios varied, ranging from messages that appeared to be sent by widely used platforms (e.g., Microsoft SharePoint, Google Drive, Office 365) to messages simulating internal processes (receiving CVs, requests for proposals, invoices from suppliers, password reset requests).
- After these three stages, the Phish Enterprise team collected and analyzed the data, provided analytical reports, and proposed recommendations for improvement.
Results and impact
As a result of following every step of the cybersecurity awareness campaign and conducting the simulations provided through Phish Enterprise, our client registered the following results:
- More vigilant employees, who now expect similar campaigns, which means they are more careful when it comes to malicious messages from unknown sources.
- More engaged employees, willing to discuss and share information about such campaigns, thereby increasing cyber resilience within teams.
- The rate of employee vulnerability to phishing attempts decreased by up to 80%, meaning improved organizational security.
Next steps and conclusion
After implementing the initial training and testing strategy using the Phish Enterprise platform, our client wanted to continue and further develop the collaboration with the Phish Enterprise and Bit Sentinel teams in order to reach the next level of cybersecurity posture for their company, as follows:
- conducting monthly tests, followed by a quarterly reassessment;
- the client is requesting increasingly complex scenarios, involving the execution of simulated ransomware attacks, malware infections, or pages that appear to request login credentials;
- as proof of their satisfaction, the company continues to use our services and has expanded the collaboration to include other offerings from Bit Sentinel, such as SOC (Security Operations Center) and Pentest (Penetration Testing).
Remember!
Cybersecurity awareness is the first step toward a healthy organizational culture and, more importantly, toward enhanced information security. It is important to take care of our team and train them to be prepared for the digital world we live in.
Have you implemented such an initiative in your company?