Putting the Socrates in Phishing Simulation
Date: 27 February 2018
The FBI estimates that between 2013 and 2017, US businesses suffered losses of over 5bn USD from phishing attacks alone. It is no surprise, then, that phishing simulation tools and anti-phishing solutions are popular with businesses and organisations that wish to get ahead of the problem.
In particular, phishing simulation solutions, which involve deliberately sending benign phishing emails to staff in order to assess their readiness or risk level, or as a form of training, have become commonplace. Any organisation without such a solution in its toolbox would be wise to consider adding one.
Socrates in Action
One such vendor offering a phishing simulation is Human Firewall. Their innovative approach to reporting and risk calculation is based on measuring each and every action in the simulation chain and presenting it on a clear dashboard.
Taking inspiration from a famous Greek philosopher, each simulation campaign measures the following:
- Sent - The deliverability rate of the simulated phishing email.
- Opened - The number of targets who opened the email.
- Clicked - How many of those who opened the email clicked on the hyperlink it contained.
- Compromised - The hyperlink can lead to a simulated login prompt; each target who fills it in with their credentials increases this metric by one.
- Reported - Human Firewall can provide a report button in the Gmail or Outlook email clients; should the target suspect a phishing attempt and report it, the attempt is logged as reported.
- Trained - Should the target be compromised, they will be taken to a short, three-minute training page.
- Evaluated - Human Firewall's report button has the ability to remove all instances of the reported phishing attempt from all inboxes. This number indicates that the solution was able to identify all the sent phishing simulations.
- Secured - The percentage of targets whose mailboxes are protected as a result of the "evaluated" metric.
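As an added example (not Human Firewall's code or data), the script below works the sent/opened/clicked/compromised chain and the reported and trained actions over a constructed set of campaign results, producing the stage conversion rates, a per-department risk ranking, and the list of compromised targets who never reached the training page. Target addresses, departments and actions are all constructed for illustration.

```python
from collections import Counter

# Constructed results for one simulated campaign: target -> (department,
# actions recorded for that target). Actions follow the chain described
# above, plus the out-of-band "reported" and "trained" actions.
TARGETS = {
    "alice@example.test": ("finance", ["sent", "opened", "clicked", "compromised", "trained"]),
    "bob@example.test":   ("finance", ["sent", "opened", "reported"]),
    "carol@example.test": ("hr",      ["sent", "opened", "clicked", "compromised"]),
    "dave@example.test":  ("hr",      ["sent"]),
    "erin@example.test":  ("it",      ["sent", "opened", "reported"]),
    "frank@example.test": ("it",      ["sent", "opened", "clicked"]),
}
FUNNEL = ["sent", "opened", "clicked", "compromised"]


def funnel(targets=TARGETS):
    """Count each funnel stage and its conversion rate from the previous stage."""
    counts = Counter(a for _, acts in targets.values() for a in acts)
    out, prev = {}, None
    for stage in FUNNEL:
        rate = 1.0 if prev is None else round(counts[stage] / counts[prev], 2)
        out[stage] = (counts[stage], rate)
        prev = stage
    return out


def department_risk(targets=TARGETS):
    """Per department: fraction of recipients compromised and fraction who
    reported, sorted with the riskiest (most compromised, least reporting) first."""
    sent, comp, rep = Counter(), Counter(), Counter()
    for dept, acts in targets.values():
        sent[dept] += "sent" in acts
        comp[dept] += "compromised" in acts
        rep[dept] += "reported" in acts
    rows = [(d, round(comp[d] / sent[d], 2), round(rep[d] / sent[d], 2)) for d in sent]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


def training_gaps(targets=TARGETS):
    """Targets who handed over credentials but never reached the training page."""
    return sorted(t for t, (_, acts) in targets.items()
                  if "compromised" in acts and "trained" not in acts)


if __name__ == "__main__":
    print(funnel())
    print(department_risk())
    print(training_gaps())
```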
Risk Management Made Easy
The benefit of this innovative method of reporting is that it makes clear to those operating the solution, and to risk stakeholders in the organisation, how likely a real phishing attack is to succeed. It also highlights departments or individuals who represent the greatest risk and could benefit from further training in how to identify phishing attempts. A constant rotation of phishing simulation and risk assessment can be thought of as Socratic in style (the determination of an answer through the posing of a number of questions and scenarios).
Security is often said to be a case of "when", not "if": irrespective of how high you build your defensive wall, a determined attacker will find a weakness to exploit. In many cases, that weakness has turned out to be the user. A simulation tool such as Human Firewall takes a mature approach to the problem of phishing: do not just build a high defensive wall, but also train your users, through example, in how to identify the threat.
Leveraging the human sense of suspicion against a social engineering problem like phishing strikes at the heart of its success. Where the weakness is the human, the solution can only be a human one.