CNN has declared 2016 ‘Year of the Ransomware.’ In a recent report from Ponemon, 90% of US companies surveyed have been breached at least once. (http://www.computerworld.com/article/2509366/security0/90–of-companies-say-they-ve-been-hacked–survey.html) Criminal Phishing and Spear Phishing campaigns continue to be successful. They extort millions of dollars from government agencies, companies and non-profit organizations. Businesses need to know how vulnerable they are; and to define a metric, use internal Phishing campaigns to determine risk.
Companies are not disclosing specific internal phishing campaign results, however, anecdotal data is available for phishing campaigns that have been conducted from ISPs, government and software providers. None of the information herein is focused on spear-phishing, or targeted phishing. These were campaigns sent to mimic phishing the everyday/ average as performed by spammers.
Global Bank: JP Morgan suffered a data breach in 2015 due to a spear phishing campaign. Once the breach was contained the company mandated an internal phishing campaign to it’s 240,000 employees to determine employee awareness after training. The company suffered a 20% failure rate.
The Verizon 2015 DBIR report, looked at 20,000+ businesses using Verizon Internet Services, and determined 23% of users opened phishing messages and 11% opened the embedded attachments. http://www.verizonenterprise.com/DBIR/2015/
U.S. Government: The United States Post Service, under a government mandate to tighten internal security authorized an internal phishing campaign. 3,100 employees were targeted, all of which had completed information assurance training prior to the phishing test . USPS suffered a 23% failure rate. https://www.uspsoig.gov/sites/default/files/document-library-files/2015/IT-AR-16-001.pdf
Wombat Security, a security software provider, surveyed its users with the average organization having less than 1,000 employees. Information is broken down by industry to determine phishing success.
- Telecommunications: 24% failure rate
- Professional Services: 23% failure rate
- Government: 17% failure rate
- Insurance: 16% failure rate
- Retail: 14% failure rate
- Transportation: 14% failure rate
- HealthCare: 13% failure rate
- Entertainment: 12% failure rate
- Finance: 12% failure rate
- Other: 10% failure rate
- Energy: 9% failure rate
- Manufacturing: 9% failure rate
- Defense Industrial Base: 8% failure rate
- Education: 8% failure rate
- Technology: 8% failure rate
It only takes one employee who is not cybersecurity conscious (we call this cyber hygiene), to open the door to a ransomware attack. Every teammate needs to be trained and aware. Cybersecurity is a people problem, not just a technology problem.