On December 8th, the Cybersecurity & Infrastructure Security Agency (CISA) released a great phishing infographic about data collected, lessons learned and recommendations learned from simulated phishing attacks that CISA has done for organizations. It is a great, independent, unbiased infographic with a lot of good data and recommendations. If you and your organization follow the included recommendations, you will be better off.
Each finding and recommendation is linked with specific Cybersecurity Performance Goals (CPGs) from CISA’s larger 2022 Cross-Sector Cybersecurity Performance Goals. So, it is great to be able to go from an infographic recommendation to a more formal recommendation and report, all created by the U.S. government’s largest agency dedicated to protecting people and organizations against cyberthreats.
Here are some of the key findings and some related sources for more information:
Most Successful Phishing Topics
CISA reported that three most successful simulated phishing topics were:
- Financial-related security alerts or updates
- Organizational announcement
- User alerts and training updates
These are no surprises to people who follow the most popular phishing topics. KnowBe4 tracks the top, most frequently reported real-world and simulated phishing topics each quarter by our customers using our Phish Alert Button in our quarterly Top Clicked Phishing Email Subjects. Here is the latest version. You can see previous quarter results here.
Every security awareness training program should do their best to educate and mimic the most likely threats. KnowBe4’s quarterly infographic gives you that information.
How Many People Will Click on a Phishing Email?
CISA reported that one out of every 10 people who got a simulated phishing test clicked on the included link or downloaded the attachment. CISA does not share what percentage of employees open the phishing test and did not take a required action. But KnowBe4’s long-time data, known as the KnowBe4 Phishing by Industry Benchmarking report has shown that in the average organization, just under one-third of employees will open and interact with a simulated phishing test.
Just under one-third of employees being “Phish-proneTM” is an average across all organizations and industries. We saw many industries with Phish-prone Percentage rates above 50% and the lowest rate we found across 9.5 million users was 20%. If the lowest rate is one-fifth of employees being tricked by phishing, it is clear that every organization needs to make sure their employees are educated about social engineering and phishing.
Our data shows that if organizations do the recommended simulated security awareness training and simulated phishing testing that our customers can get their Phish-prone rate down to 5% or less.
And since social engineering and phishing is the most common ways that hackers and their malware creations are successful, moving your Phish-prone rate from 32% to 5% or less is one of the best defenses any organization can do.
Malware Is Getting Through
CISA reported that 70% of malware or links to malware were not blocked by network border protection services and 15% of all malware was not blocked by endpoint detection products. That is very useful information. First of all, endpoint detection products appear to be far more accurate than network-based protection products. That one fact might surprise people. Second, a lot of malware and malicious links are getting past all the automated defenses and getting to the end user. It is clear that your end users will see phishing attempts and malware and will be your last line of defense. All employees need to be trained in how to recognize social engineering and what to do once they have detected it…which is hopefully reporting it to IT/IT Security.
Most Employees Do Not Report Attempted Phishing Events
Unfortunately, CISA reported that only 13% of targeted employees reported the phishing attempt. This is a huge problem and risk. As CISA stated in their infographic, failure by employees to report attempted phishing attacks can prevent IT/IT Security from determining if the phishing attack is an isolated event or a bigger campaign that needs immediate remediation.
Employees need to be taught how to recognize phishing attacks and how to appropriately report them. We are big believers in the easy-to-use, free Phish Alert Button. Appearing as a little icon on their email client task bar, it is easy to highlight a potential phishing email and with one click, make it both go away and also report it to IT/IT Security. If you make reporting phishing easy, your employees will be more likely to do it.
Phishing Quickness
CISA’s data says that 84% of employees [who] took the bait and interacted with the simulated phishing attempt, did so within 10 minutes. This means that defenders have a very limited time to both recognize that a phishing event has gotten past their defenses, remove the phishing attempt and use other mitigations to prevent its spread.
KnowBe4 highly recommends our PhishER product. With PhishER, users report suspected phishing attempts using our Phish Alert Button where the email can be analyzed and automatically be marked as an email threat (e.g., spam, phishing, etc.) and let administrators see if the newly submitted attack is part of a larger threat. If so, administrators can use PhishRIP to quickly remove all other copies that may have gotten to other users and use PhishFlip to turn real phishing emails into simulated phishing tests to quantify how many of your users would have fallen victim had the real phishing email gotten to them.
5 Ways PhishER Saves You Time and Money white paper.
Use Phishing-Resistant MFA
CISA recommends using phishing-resistant multifactor authentication (MFA) when you can for logons. We certainly agree. KnowBe4 has been pushing phishing-resistant MFA for years and we have dozens of resources you can utilize, including these:
- KnowBe4’s Multifactor Authentication web portal
- All of KnowBe4’s free MFA content
- 12 Ways to Hack MFA webinar- 1-hour webinar on how to hack various MFA solutions
- Free KnowBe4 12 Ways to Hack Multifactor Authentication ebook - 41-page Hacking MFA ebook, covers 20 ways that MFA can be hacked, was the beginning source material for the larger Hacking Multifactor Authentication book
- KnowBe4 MFA Assessment Tool - Free, Multifactor Authentication Security Assessment tool. Answer a dozen or so answers to correctly describe your current MFA solution (or one you are considering) and get back a report detailing all the ways it could be hacked
- My recent blogs, "U.S. Government Says to Use Phish-Resistant MFA" and "Do Not Use Easily Phishable MFA"
- My List of Good, Strong MFA
- Phishing-Resistant MFA Does Not Mean Un-Phishable
Hacking Multifactor Authentication book (Wiley)
Book by KnowBe4 author, Roger A. Grimes, discussing over 50-ways to hack various MFA solutions. Starts with pointing out the strengths and weaknesses of passwords, details how authentication works, covers all the various MFA methods and how to hack and protect them, and ends with telling the reader how to pick the best MFA solution for them and their organization.
Automate Updates
CISA recommends that organizations update their software and firmware any time the vendor releases a critical security patch. Read this article to learn how to use CISA’s Known Exploited Vulnerability Catalog to improve your patch management strategy.
CISA Recommends DMARC
Every organization should enable DMARC, DKIM and SPF, the world’s three most common anti-phishing-domain-spoofing standards. If you are not sure what they are or how to implement, view KnowBe4’s free one-hour webinar on the subject.
Everything You Can Do to Stop Phishing
It is clear from CISA’s phishing infographic that training your employees in how to recognize and report social engineering and phishing is one the best, if not the best, mitigations that any organization can to do best reduce cybersecurity risk.
Here is the bare minimum you need to teach every employee.
If you are interested in everything…every policy…every technical defense…every best practice education hint…we can think of to best mitigate social engineering and phishing, try KnowBe4’s free Comprehensive Anti-Phishing Guide.
CISA’s phishing infographic lays out the facts on social engineering and phishing. Phishing is one of the most likely ways that hackers and their malware creations can sneak into your environment. Many untrained employees will open any phishing email they receive, and many will click on the embedded links or download the attached malware. Network protection defenses are very unlikely to stop it and endpoint detection products are far from perfect. The single best mitigation that every organization could work on to improve is security awareness training for their employees.