Executives, PAs prove susceptible to phishing attacks
A surprisingly large number of executives and their assistants fall victim to phishing e-mails, indicating that the human element of cyber risk has to be addressed at every level of the organisation.
This is according to Nick Osborne and Mario Basson, Directors at Insiox Digital Risk, a consultancy specialising in targeting the human aspect of cyber risk and a sponsor of the recent ITWeb Security Summit.
Insiox, launched 18 months ago, focuses primarily on the human element because over 90% of breaches and data losses occur as a result of human error or lack of security awareness, says Basson. Basson and Osborne, with decades of experience working in a big four audit firm, are now focused on delivering targeted, agile and digitally driven solutions that assist clients to proactively identify, understand and manage their cyber risks.
Insiox is a South African partner of OutThink, a leading global player in cyber security human risk management. The OutThink platform, adopted by organisations around the world, quantifies human risk by analysing employees’ security attitudes, awareness and knowledge.
Says Osborne: “OutThink uses data science and machine learning to assess human risk – right down to departments, branches and individuals, so organisations can target training and interventions to the areas that require it the most. When we assessed the OutThink platform, we recognised that it tackles human risk in a scientific and innovative way, so we knew that it was the right solution that could assist our clients to address their cyber security human risk within the organisation.” This view is supported by Gartner Peer Insights which, for the second consecutive year, has recognised OutThink as the highest-rated security awareness computer-based solution.
Basson says that in addition to many innovative features, the OutThink tools include convincing phishing simulations. “The surprising thing for us in rolling out OutThink in South Africa was the large number of executives and their PAs who clicked on the phishing simulation links. These are the people with the keys to the kingdom, and this illustrates how vulnerable organisations are when the human risk isn’t properly managed from top to bottom.”
Osborne says: “According to OutThink data, almost one-third of executives fall for the simulated phishing attacks. The data is also showing us that, across all phishing simulations deployed by OutThink across all industries around the globe, approximately 40% of executives are clicking on phishing links and approximately 22% are unknowingly giving their credentials away to potential attackers. This provides an opportunity for attackers to exploit known social engineering techniques such as ‘authority’ by sending e-mails purporting to be from senior executives such as the organisation's CEO or CFO to other employees within the organisation.”
The OutThink phishing simulation e-mails include templates that appear to come from banks, well-known business applications, retailers, airlines and social media.
Osborne says: “The social media e-mails are most effective. For example, these e-mails may suggest to the recipient that they face criminal action over a YouTube violation. When we initially ran this simulation, over 20% of the employees clicked on the 'compromised' link.” A large proportion of employees are also prone to entering their security credentials into credential capture simulations, he says.
We find that organisations using OutThink see significant improvement in their phishing resilience. In a phishing case study at a FTSE100 client, OutThink found that after just one session of targeted security awareness training via the OutThink platform, the client found significant improvements in the way its 10 000 employees responded to phishing attacks – 47% were less likely to click a link in a phishing e-mail and 46% were more likely to identify and report a phishing e-mail.
However, simulations are just one component of the solution, he notes. “It’s proving to be a real eye-opener for clients to gain the breadth of human risk intelligence that OutThink offers – while employees go through their learning modules, the intelligent solution is listening (through analytics, sentiment analysis, machine learning and natural language processing) to not only identify pain-points and opportunities within the organisation, but also, more importantly, to understand how the employee feels and thinks about security. The solution is also able to identify high-risk groups within the organisation and use the data from the platform to analyse and understand why certain groups are more likely to cause a security/data breach – enabling the organisation to respond in a more proactive, targeted manner.”
Insiox takes OutThink to market in a SaaS model or as a managed service, where Insiox experts set up campaigns, manage the administration and assist with recommendations to improve the clients' human cyber risk posture.