Phishing is an Endpoint Problem, Not a Credential Problem
ANN ARBOR, MICH. Duo Security, a cloud-based trusted access provider protecting the world’s largest and fastest-growing companies, today published research that illustrates the risk phishing attacks present in the enterprise. Since its July 2016 launch, around 400 companies have begun using Duo Insight, a free tool that lets IT teams run internal phishing simulations. Of the 11,542 users who received a phishing email from their IT team, 31% of organizations are at risk of a data breach due to phishing attacks.
Based on the data from Duo Insight, in a real-world scenario, attackers can run a phishing campaign that takes only 5 minutes to put together, and within 25 minutes they’ve got access to corporate data resulting in a data breach.
Data analysis from Duo Labs uncovered that:
- 31% of users clicked the link in the phishing email sent by their internal team.
- Those users who clicked the link in the phishing campaign open their organizations to hackers through unsecured internet browsers, plugins (Flash and Java), and out-of-date operating systems on their devices.
- Hackers can easily exploit those vulnerabilities and get even more than they would get with just a set of credentials. In this case, attackers would have complete control over the compromised device.
- Worse still, 17% of users entered their username and password, giving an attacker in a real-world scenario the keys to corporate data.
The goal of Duo Insight is to offer organizations of all sizes a free internal phishing drill system that allows them to simulate a phishing attack on their employees in five minutes. With the results of those simulations, administrators can identify potential security weaknesses and make the case for investing in stronger security solutions or better employee education.
In addition, IT teams will better understand the security health, or lack thereof, of all of the devices accessing corporate data. With that information, they can create internal programs to keep employee devices up to date and secured against known vulnerabilities. Organizations should consider a trusted access solution that looks at both users and their devices to ensure that users are who they say they are and that the devices they’re using to access corporate data are updated and secure enough to get into business applications.
Run free phishing drills with Duo Insight at https://insight.duo.com to assess risk of phishing attacks that could lead to data breaches.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.