Our Testing Data Shows You’re Letting Me Hack You Every Time
Phishing just doesn’t get the love it deserves in the security community. It doesn’t get the headlines, security staff time, or dedicated attention that other, more flashy threat vectors get. Certainly, high-impact malware variants that sweep the globe, get their own cool logos and catchy names command respect. But at the end of the day, phishing attacks are really the ones that bring most organizations to their knees and are at the very start of some of the most devastating cyberattacks.
From my experience as a penetration tester and social engineer, it seems that most customers view phishing campaigns as a requirement to deal with once a year, with some high-performing companies tossing in additional computer-based training. In most instances, this type of testing is just one mandatory component of an annual compliance test like FedRAMP, which means, in effect, that the enterprise hasn’t tested their phishing defenses since the last time an audit was performed. Yet the numbers tell an alarming story: phishing has been shown to be the first step in over 90% of recorded breaches. It is a formidable threat to every organization and typically not addressed adequately in cybersecurity strategies.
As security professionals, we are commonly asked “what is an acceptable failure rate for phishing?” (FedRAMP and other certifications address acceptable failure rates as well.) For years, the prevailing sentiment and some professional guidance has been that anything under 10% would be trending in the right direction. While this guidance is, in my view, misguided, many industry professionals and consultancies have given out the same improper (or perhaps we should say “very outdated”) guidance, however well intentioned.
We have gathered three years of phishing test data from multiple phishing campaigns launched at some of the top Fortune 500 companies all the way down to sole proprietorships. From the data, one metric stands above all the others: 62.5% compromise rate. We have tested over 100 companies that have, in their opinion, “stellar phishing programs,” those that have a single campaign once a year, and those that do relatively nothing from year to year. While the quality of phishing testing programs has a broad range, the fact of the matter is, if a person clicks on a phishing email link (and 26.2% do, on average, in our data), there is a 62.5% percent chance on average that person is either going to download a payload that will give the malicious actor control of the host, or that person will share working credentials to their account. While there are security measures that can help to a degree, the metrics are clear—even if the threat actor doesn’t compromise your host, over half the time an active username and password is now in the hands of a malicious actor.
These results should be a significant wake-up call for every organization. Using the “old” acceptable rate of a 10% click through, that leaves a 6% compromise rate. Let’s look at what that might look like for a large enterprise with, say, 50,000 employees. A 26.2% click rate equals 13,100 clicks. If this company were to fall into the “average” compromise rate, that would be 8,187 compromises! Even the industry-standard 10% click rate would yield 3,125 compromises.
I believe that companies should be striving for zero clicks. While this may well be unattainable, we as humans tend to be complacent in coming close to our goals. A goal of 10% will likely mean 12%. A goal of 2% will likely achieve a result of 5%, and with a 62.5% compromise rate, will still likely open the enterprise network to an unacceptable level of risk. Granting not only the important role phishing plays as an entryway to significant breaches but the likelihood of compromise per click, the industry should be shouting “Zero Tolerance” for all to hear. The days of acceptable risk should be over.
We are unlikely to eliminate the human element and the risks that brings. There will always be mistakes or issues as long as humans are involved. But by setting far more aggressive goals and standing up progressively better phishing testing programs to train employees, reward them for improvement, incentivize them for doing the right thing, and demonstrate what “good” looks like, enterprises can both set and meet more aggressive targets to better protect the organization.
While phishing isn’t the most interesting, headline-worthy topic in cyber news today, it should be a top concern when relating to cybersecurity in nearly every company. The cultural norm needs to shift to zero tolerance, and until it does, as a social engineer and fake criminal by day, I would like to thank you. Every single phishing campaign I run is going to provide me access to your system. You are making access to your company so very easy.
About the author: Gary De Mercurio is senior consultant for the Labs group at Coalfire, a provider of cybersecurity advisory and assessment services.
Source: infosec island