Solutions focused on phishing awareness training are not aligned with today’s advanced persistent threats, business email compromise and ransomware attacks, which require a more holistic and integrated approach to phishing mitigation.
Last November I was asked to make a couple of cybersecurity predictions for 2018, and while it’s only February, it sure appears that one of my primary predictions hit the nail on the head:
“Sensing the frustration of their customers and realizing how complex phishing emails have become, both secure email gateway and computer-based employee awareness and training program providers will accelerate the consolidation of their respective market sectors through mergers and acquisitions that can cover gaps in their existing services and solutions such as automation and orchestration.”
Since the calendar flipped, Barracuda Networks has announced its acquisition of PhishLine to add what it said were new capabilities to deliver integrated, adaptive security awareness training.
Additionally, Proofpoint recently announced its forthcoming acquisition of Wombat Security to “provide the industry's first-ever integration of market-leading protection and awareness offerings.”
Such M&A activity comes on the heels of security vendors such as Trend Micro and Sophos consolidating offerings with computer-based training (CBT) modules to help educate staff on the latest security issues and vulnerabilities. Sophos even offers customizable security training programs that can include a program guide, employee handbook, online videos, buy-in documents, hands-on technical workshops, and webinar-based training sessions.
For years we’ve heard cybersecurity “experts” pontificate about the necessity of phishing awareness training, proclaiming that all organizations - regardless of size, location or revenue - should invest time, money and resources into phishing prevention education for all employees. The business community has largely followed such advice, and is expected to pump $10 billion into security training and awareness solutions by 2027, according to Cybersecurity Ventures. However, recent M&A activity suggests such speculation might need to be revised.
Not many in security want to admit the reality that the mass investment in security awareness training tools and modules has not translated into transformational improvements in phishing mitigation. Today, phishing continues to be the root cause of approx. 95 percent of all cyberattacks worldwide. The growing frequency of modern advanced persistent threats (APTs), business email compromise (BEC) and ransomware attacks has made it all but impossible for preoccupied employees to single-handedly spot malicious emails on a recurring basis.
Just how bad has the phishing epidemic gotten in spite of the prevalence of phishing awareness training programs? Here are some data points to consider:
Additionally, our internal data, which is based on more than 7,000 simulated email phishing campaigns, reveals that:
With 239 billion emails sent worldwide each day, humans are simply no match for the volume and variety of today’s email phishing techniques. Sure, there is value in employees having a baseline of phishing knowledge, but organizations must be realistic about the ROI of such training.
I’ve written extensively about the myths of security awareness training that vendors don’t want the public to know, and about the impossibility of training employees sufficiently to never miss a single malicious email. After all, it only takes one small mistake on the part of an employee to circumvent even the most complex and advanced security systems. So, aside from phishing’s continued success, what’s occurring that’s prompting the consolidation movement to gain steam? That’s simple - a frustration with point (imperfect) solutions.
One of the primary inefficiencies of phishing awareness training is that it is merely a point solution whose success is predicated on changing human behavior. Putting the daunting task of changing human behavior aside, point solutions have come under increasing scrutiny for their inability to serve as a holistic phishing risk mitigation solution.
An article in CSO noted many security point tools aren't designed to communicate with one another. This leaves it to humans to bridge the gaps in intelligence and communications, and that requires more training and support for deployment and configuration. "More tools, more needs...there simply aren't enough eyeballs, hands or hours in the day to make this jerry-rigged security model work," CSO said.
But even if and when a trained employee does spot a malicious email, security awareness and training tools provide no recourse for remediation. Employees must simply submit their finding to the SOC team, which can have weeks’ worth of phishing email backlogs to investigate. During that time, the phishing email remains within employee inboxes and the threat remains active.
In response to today’s threat landscape and the inefficiency of point solutions like phishing awareness training tools, chief information security officers (CISOs) are adjusting their strategies, looking to automate security incident response, and many are consolidating the number of cybersecurity vendors they do business with. Many are requiring new solutions that have broader integration and can operate with other security technologies. Legacy phishing awareness training companies do not fit into this mix, thus sending the consolidation trend into hyper-drive.
For CISOs in need of a holistic approach to phishing mitigation, IRONSCALES is the first and only phishing mitigation platform designed for pre- and post-email delivery, always assuming that emails will pass through the prevention layer. The platform consists of four modules that work in tandem to prevent, detect and remediate email phishing at all phases of an attack’s lifecycle. The platform utilizes advanced mailbox-level anomaly detection to analyze employees’ mailbox behavior and protect against hyper-targeted phishing attacks such as BEC, both before and after such an attack bypasses gateway-level solutions and lands in an inbox.
It’s simple - the IRONSCALES platform enables organizations to mitigate the risk associated with the technological, operational and human challenges inherent to phishing attacks. Our multi-layered and automated approach to prevent, detect and respond to phishing emails combines micro-learning phishing simulation and awareness training (IronSchool), with advanced mailbox-level anomaly detection (IronSights), automated incident response (IronTraps) and real-time automated actionable intelligence sharing (Federation) technologies. By providing protection at every stage of an email phishing attack, IRONSCALES’ customers reduce the time from email phishing attack discovery to enterprise-wide remediation from days, weeks or months to just seconds, with little to no security team involvement.
Rumors of other phishing awareness training companies looking to exit are gaining steam, and I don’t think it will be long until more follow suit, or such point solutions risk becoming obsolete.
The time to invest in a comprehensive anti-email phishing solution is now.
Contact us today for a demo and free trial.