In its newest Phishing Activity Trends Report, the APWG noted a 250% increase in phishing sites between October 2015 and March 2016 — and the 2016 uptick indicates an alarming trend. Wombat CEO Joe Ferrara commented on this report below.
Joe Ferrara, President and CEO at Wombat Security Technologies:
Spam filters, blacklists, firewalls, and other technical safeguards do not stop all phishing emails from getting to end users. That can’t be disputed. Organizations that want to give themselves the best shot at reducing successful attacks from the wild — and the malware and ransomware infections that come with them — must educate their employees to recognize, avoid, and report phishing emails.
According to Mr. Ferrara, “awareness and training are two sides of the same coin, but they are not one and the same. Being aware that phishing threats exist is not the same as knowing how to defend against social engineering attacks. Simulated phishing attacks, notification emails and alerts are absolutely valuable and useful — but on an awareness front. They aren’t a substitute for education, and they will not, on their own, drive the level of behavior change that training can.”
Ferrara recommends that anti-phishing education programs utilize awareness efforts coupled with in-depth education for best results. He also recommends that organizations seek opportunities to deliver interactive security training rather than relying on presentations or videos. “Most of the cyber threats we’re seeing in play now are ones that end users physically interact with. Phishing emails, social engineering calls, employee impersonations, risky applications… these are just some of the risks that employees are encountering. Because the attackers are coming directly to end users, it’s critical that they learn the skills required to identify and avoid these attacks,” Ferrara said. “Being told what to do is far less effective than being shown what to do and getting hands-on practice that can then be applied in day-to-day situations.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.