SS-RPRT-010: Proofpoint's State of the Phish Report 2021

Episode 10 May 16, 2021 00:40:16
Security Serengeti

Show Notes

In this episode, we analyze the 2021 Proofpoint State of the Phish Report, and discuss some of the more interesting findings.

Report Download (with personal information disclosure)

As always, the views and opinions shared on the podcast do not reflect the views and opinions of our employers.  

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!


Episode Transcript

[00:00:14] Speaker A: Welcome to the Security Serengeti. We're your hosts, David Schwinniger and Matthew Keener.
[00:00:19] Speaker B: We're here to talk more about cybersecurity. Each episode will focus on a specific topic or two of interest to the community. And today we will be talking about the Proofpoint 2021 State of the Phish report.
[00:00:33] Speaker A: The views and opinions expressed in this podcast are ours and ours alone and do not reflect the views or opinions of our employers. In fact, they'd probably be pretty mad if they heard. Never mind.
[00:00:43] Speaker B: It's a good thing they're not listening. But all phishing and complaints emails can be submitted to our Myspace page.
[00:00:50] Speaker A: Yep, it's up to date. That's where you can find all the.
[00:00:52] Speaker B: Latest information on everything.
[00:00:55] Speaker A: Actually, hold on, I have to check. Does Myspace exist? Does Myspace still exist?
[00:01:01] Speaker B: Yeah, it does.
[00:01:02] Speaker A: Still there.
[00:01:03] Speaker B: Yes, it does.
[00:01:03] Speaker A: It doesn't look the way I remember it. It's all about music. Sign in with your Facebook account to find friends who are already on Myspace.
[00:01:15] Speaker B: Oh, that's awesome.
[00:01:16] Speaker A: Things have changed. All right, Proofpoint's.
[00:01:19] Speaker B: Data.
[00:01:19] Speaker A: The Phish report. First things first. Let's talk about data quality, because after the last report we reviewed once, we didn't really talk about the data quality until we got to the end. And I was kind of like, oh, this is maybe not such a great report, but in this case, they have four sources. Two of the sources are internal to them. They have 60 million simulated phishing attacks through their phishing training platform and 15 million reported emails. So that's a pretty good sample size for those.
And then to add some flavoring context, they have two surveys, around 3,500 working adults in seven countries and 600 IT security professionals in those same seven countries. I think those sample sizes are a little small, to be honest, especially the 600 IT security professionals spread across seven countries.
[00:02:06] Speaker B: Well, I'm wondering what percentage of, if you remember the last report we talked about, they got 600 out of 17,000 requests.
[00:02:17] Speaker A: Yeah, they only had like 6% response rate or something.
[00:02:20] Speaker B: Right. So I'm wondering if this 600 is.
[00:02:22] Speaker A: Out of the same.
[00:02:24] Speaker B: They sent thousands and thousands of surveys out and only got 600 back.
[00:02:28] Speaker A: That's possible, but definitely something to keep in mind as we go through any of these that talk about survey results. The survey might be a little bit low. All right, so section one was on organizational items, and the very first thing that I wanted to talk about is 57% of respondents said that their organization experienced a successful phishing attack. And I have a one word response to this, and that word is lies. There is no way that only 57% of respondents and their organizations experienced a successful phishing attack. That number is 100%. And what we have here is we have 57% of people detected it, and 43% of people have not yet found it.
[00:03:11] Speaker B: So blissful ignorance.
[00:03:13] Speaker A: Ignorance is not a strategy. Hope is not a strategy, although I guess technically hope is not a strategy, but I guess ignorance is a strategy.
[00:03:22] Speaker B: Well, I think we've heard that before about companies not wanting to know that they're compromised because then they can feign ignorance.
[00:03:31] Speaker A: Yeah, I've never had a manager or CISO or anyone tell me that explicitly, but I've definitely gotten the feeling of that in the past where, you know, if we were doing these kinds of detections, if we had these kinds of tools, and I guess it depends on where your incentives are. Definitely, people talk about how the CISO is the chief scapegoat or whatever. The primary, the first one off, if you get a breach, I can definitely see where their incentives are aligned towards no breaches, no matter what. Next metric they mentioned was the impact of successful phishing attacks. So interesting. The two that I found the most interesting here, a couple that are interesting, they said that 52% of successful phishing attacks resulted in credential or account compromise. I don't know how other people do it, but I am very much of the opinion that if somebody gets a successful malware attack, you have to assume their credentials are compromised too. I mean, the malware has the ability potentially to read the keystrokes and/or Mimikatz, they could put Mimikatz on there or just read the credentials out of memory.
[00:04:44] Speaker B: I think they're probably limiting that to saying that they input their credentials into a site which was not controlled by the organization.
[00:04:54] Speaker A: I don't think they are, because if you add up all the percentages, 60 plus 52 plus 47 plus 29 plus 18, get 107, 100, and 59, 88, like 206%.
[00:05:10] Speaker B: Even in new math, I don't know.
[00:05:13] Speaker A: How to do that. My daughter asked me to help her with her math homework, and they literally could not. I was like, I don't understand any of this. How does math change? So it's funny, my wife ended up showing me how it worked because she's a school teacher, and I was like, oh, this is actually easier. I just had no idea how to do it.
Anyways, I definitely think there's multiple things on here that's just interesting to me that they didn't assume credential compromise. The other interesting thing I saw in here is that ransomware infections are 47% and other malware infections are 29%, for a grand total of 76% of the successful phishing attacks they saw resulted in malware infections. I don't know how that tracks for other people and other companies. Just in my experience, malware infections have been successful. Malware infections have been smaller than successful credential phishing. Maybe my experience has been atypical.
[00:06:05] Speaker B: Well, later on in the report, they have a chart in there which indicates that of the training types of phishing that they conducted, the attachments were more successful than the URL.
[00:06:21] Speaker A: Yeah, I do remember that they said attachments had a 20% failure rate versus URLs held like a 12% failure rate.
[00:06:28] Speaker B: I think it's success rate.
[00:06:29] Speaker A: 20% success rate. Sorry. Well, it's a failure on the part of the person who opened it.
[00:06:34] Speaker B: Yeah, you shouldn't have opened it. Obi-Wan perspective problem.
[00:06:38] Speaker A: The list here is 47% ransomware infections and 29% other malware infections, for a grand total of 76% malware infections. As an impact of successful phishing attacks, this blows my mind. Behind any reasonable modern phishing protection system, they're usually really good at spotting malicious code coming down.
[00:07:00] Speaker B: I wonder if it's possible that they're including ransomware as a secondary vector, in that the phish leads to the ability to get ransomware in, not that ransomware was part of the phish.
[00:07:14] Speaker A: Yeah, I don't know. You're right. Since these numbers add up to more than 200%, there's no guarantee. It does say other malware infection, though, which does kind of imply to me.
[00:07:23] Speaker B: Yeah, that's true.
[00:07:25] Speaker A: Or it could be, like you said a minute ago, that we cut out. I'm trying to give you a chance to get credit for this.
[00:07:31] Speaker B: Well, wait a second, though. What it specifically states, though, is impact of phishing attack. So if you get a phish which causes you to do X, and the X is the impact, the actual phish itself is not where the impact is felt at. It's one or two steps removed. So that might be what they're considering here. Direct one.
[00:08:01] Speaker A: Yeah. The second stage is a banking trojan versus ransomware.
[00:08:04] Speaker B: Right.
[00:08:06] Speaker A: And as you said, it may be that I can't believe that these numbers came from someone who had a decent email vendor. It may be they don't have any email protection at all. The surveys that were mentioned in this report are third party surveys, so there's no guarantee or even assumption that they're using Proofpoint. They may be using other email filtering, or they may be using no email filtering, which makes more sense to me.
[00:08:33] Speaker B: It's also possible they don't have it configured correctly, which never happened.
[00:08:40] Speaker A: Any rule on the end of the. Or whatever the equivalent is for email gateways? Yeah. 18% resulted in financial loss or wire transfer fraud, which I guess that's less than I expected, but I guess that makes sense. If the vast majority of them result in malware infection, then the business email compromise stuff has to be a smaller part.
[00:09:00] Speaker B: Glad you stated that acronym out loud.
[00:09:04] Speaker A: What? Doesn't everybody use WTF as the acronym for wire transfer fraud? That's going to be my greatest and most lasting accomplishment in my current place of work.
[00:09:16] Speaker B: Yeah, that's nice. You put that in a lot of reports.
[00:09:22] Speaker A: It's everywhere. I was not.
[00:09:28] Speaker B: Oh, you can have a report. State of the WTF.
[00:09:36] Speaker A: All right, so ransomware, since we mentioned there, that was one of the higher percentages there. I could not believe some of these numbers, although when I told somebody else about this today, they laughed in my face because they apparently knew these numbers and believed them. But the number was roughly the same as last year for organizations that paid the ransom: 33% paid the ransom in 2019, 34% paid in 2020. 60% of those people got their access back the first time. 32% got additional demands for more ransom, but eventually got their access back. This is a massive increase over 2019. 2019 was 2%. So it's a 16 times increase over 2019 for having to get additional demands, which, yeah, you pay, and then they're going to be like, you get to pay again, or you don't get your rent, or you don't get your stuff back.
[00:10:31] Speaker B: It was also a large increase over the overall ability for organizations to get their data back. Even with that second request, though.
[00:10:38] Speaker A: Yeah, 2019, the total was 29% of people did not get access after paying. In 2020, only 7% didn't get access. So, yeah, the bad guys got a lot more honorable.
[00:10:50] Speaker B: Well, I won't call it honorable, but honest. They followed through on their commitment.
[00:10:57] Speaker A: Trustworthy?
[00:10:59] Speaker B: No, you're failing at the synonyms here.
[00:11:06] Speaker A: If you can't trust the villains, who can you trust?
[00:11:09] Speaker B: The government, obviously.
[00:11:12] Speaker A: Yeah, no, that's definitely a good point. I would love to do the explanation to your board after you paid hundreds of thousands or possibly millions of dollars to a ransomware and then you didn't get anything back. I would just love to see the conversations that happen there. So the interesting thing here that I saw was the numbers were divided by threes almost perfectly. 34% paid the ransom, 32% said they were infected, but they didn't pay.
So slightly more than half of people who got infected paid, and 34% said they did not get a ransomware attack. That seems low to me, that two thirds of the people were ransomwared last year out of the companies. I don't know if this came from the 600 IT people or the 3,500 professionals, but two thirds of the companies had a ransomware attack last year. That's quite a bit.
[00:12:08] Speaker B: What were the numbers for 2019? I don't have that chart right in front of me.
[00:12:11] Speaker A: All right, numbers in 2019. 33% of organizations agreed to pay a ransom in 2019. Does it say how many didn't have? It doesn't have a comparison for the ones who. There we go. Oh, no. 68% of US organizations say they paid a ransom in 2020. Twice the global average. Son of a bitch. This is not where we want to be leading the pack.
[00:12:36] Speaker B: Well, if you look at the overall numbers for the United States, they're almost universally crappy.
[00:12:41] Speaker A: Yeah, I saw that the French were leading in a bunch of these. 14% of German organizations refused to pay a follow up ransom. Flipping good for them. Wow. I don't see the numbers for 2019, unfortunately. Only where they wanted to make a specific comparison.
[00:12:55] Speaker B: Right. Because I'm wondering if it was similar thirds in 2019 as well.
[00:13:04] Speaker A: That still seems real high. Although I guess it doesn't really discuss the size of the ransomware attack, like whether it was a single machine or your entire server farm or whatever.
[00:13:15] Speaker B: Well, it's not really relevant if you're talking about just the fact that they were able to get in or they were successful or not. The scope, I'm not sure, is really necessarily that important.
[00:13:29] Speaker A: That's fair. It's a depressing indictment of the state of the information security industry, because this.
[00:13:35] Speaker B: Is just talking about the phishing attack vector itself.
It's not talking about other defense in depth strategies where those scales might be important, because if you were, say, successfully phished, but because you had really good network segmentation, your ransomware was secluded to only the workstations in this one department. That would be a different story than, I think, what this report is conveying.
[00:14:13] Speaker A: Got you. All right. Well, the next section is on attack simulations. They really kind of jammed a bunch of stuff in here, didn't they? There were some entry. This is where, for those of you following along at home, the one that David mentioned earlier where attachments were 20%, attack failure rate or success rate, depending on which direction you're looking at it. URLs were twelve and data entry was four. That makes sense. It's a lot more work than the other ones. And that's interesting. But I think the most interesting part of this is that they had a list of what they called trickiest themes, which they said got nearly 100% of people to click on. And a lot of them were kind of what you'd expect, overdue invoice, stuff like that. But there were a couple of real interesting ones on here. For example, free Netflix was the one at the top of their list. Turns out everybody wants themselves some free Netflix. Number two, vacation contract rental. I'm kind of surprised about that one. How many people, if that came to my work email, I don't know that I would open it. How many people use their work email for their vacation information? Too many, apparently. Actually, that's a little bit later, where people talk about what they do on their systems. We'll talk about that in a bit. Spotify password update. That kind of makes sense. Dress code violation. Again, you're working off of the fear that they did something wrong. I can see where that one would be pretty convincing. And they said that COVID themed tests got nearly 100% click rate as well, which makes sense given the last year.
[00:15:44] Speaker B: Actually, at a different organization I worked for, one that we had really good success with was the email quarantine release digest. But of course that also requires an attacker to know something about the inside of the way your organization works. That's a tool that you're leveraging.
[00:16:07] Speaker A: Yeah, but I don't know the way they work where they just send it out to everyone. They're going to get some hits. What's interesting to me about this, looking at these trickiest themes, I review phishing email on a regular basis and I've seen almost none of these. I've seen a couple COVID themed ones. I see overdue invoice pretty commonly, but I haven't seen anything around free Netflix. I've never seen vacation contract rentals. I've never seen Spotify password updates, although those probably go to personal emails. I've never seen dress code violation emails.
[00:16:36] Speaker B: There was one they didn't mention in here, which is not on this list, or not in the top five, which I have seen multiple times in multiple places, is the UPS delivery notification. Yeah, that one's been fairly popular and relatively successful for a number of years now.
[00:16:56] Speaker A: Yeah. Especially. You know what, it's interesting, I've noticed UPS has actually started sending me more notifications now about that. Hmm.
[00:17:06] Speaker B: Yeah, actually I have as well. It's kind of even. I don't ever click on anything within them, but I never even thought about that being a phishing attack. Just kind of sad.
[00:17:22] Speaker A: Yeah. Well, again, it's funny, the ones that I see are all around Office 365. That seems to be where the attackers are really focused right now, which again makes sense, but it's so much easier, more easily identifiable at this moment. All right, the next section was tax. No, benchmarking. Benchmarking against the industry. So I'm just going to hit on these kind of quickly.
I just found it interesting that engineering was the worst industry at 16% failure rate, click rate, and hospitality, legal and entertainment/media were at nine. Frankly, the legal one kind of makes sense, as I imagine they're pretty big targets and they're probably well trained at this point. Hospitality and entertainment/media were interesting. I don't know why those were also the best, although frankly, hospitality, I guess a lot of people don't have email addresses.
[00:18:14] Speaker B: Well, what was the time frame for this? Because if you're talking about 2020, hospitality overall had decreased productivity.
[00:18:25] Speaker A: You're right. Yeah. This is all of 2020.
[00:18:30] Speaker B: Yeah. So that might be why hospitality is down. That would be just my guess, yeah.
[00:18:36] Speaker A: The overall average failure rate for all the industries was 11%, which I think tracks kind of with what we've seen before in the past, where there's always some people that click, no matter how dumb the phishing, no matter how clever it is, you always have a population of people that just always click every time a phish goes out.
[00:18:54] Speaker B: Yeah, I'm wondering if there's any. I wish I would have collected these statistics at other places where I worked, where we had, or at least remembered the statistics. I think we did collect them. Where your organization receives email, and then you implement those subject line markings that indicate that it comes from external, and how that affects the outcome of the click through rate. And one of the things I was just thinking about, as far as the attachments being more successful than the URLs being successful, is that, does it make sense, and I have my own opinion on this, which may vary from other people, about does it make sense to allow your phishing simulation to conduct actions or take actions which would normally be prevented by your existing security suite?
[00:19:53] Speaker A: Yeah, there's always that question about, are you measuring how well you're protected, or are you measuring how susceptible people are?
[00:20:01] Speaker B: Right, so if you're using the attack simulation and you have that external tag in your subject line, is it getting that tag or are you whitelisting it to allow it to be more successful? Because the question is really, what is your expected outcome from your attack simulation? Are you testing just testing users, or are you expecting to test more than that, which is including some of your defense in depth or your response? Because if you consider that someone is always going to click like you said, and I think it's really valuable to ensure that your phishing response is tested as well as simply user response to the simulations.
[00:20:49] Speaker A: All right, well, they also have it listed as well by department rates. And it's interesting. The worst ones were maintenance and facilities. Maintenance at 15%, facilities at 17%, and the best one was purchasing at 7%, which is, again, awesome because I bet they're well trained at this point. After a couple of years of this.
[00:21:09] Speaker B: Well, and as well, that's a really risky. That's where the business email compromises and everything. That's where a lot of that's taking place at. So that's nice to see those numbers being lower than average.
[00:21:22] Speaker A: It's less exciting if you look over the rest of the numbers. Accounting is at 10%, sales is at 11%, so security is at 12%. Oops.
[00:21:31] Speaker B: We know what we're doing.
[00:21:34] Speaker A: Yeah, definitely do. All right, I kind of want to jump to the. I don't know why they had this all the way at the end, but they talk about consequence models all the way at the end. I feel like it should come more carefully or more appropriately right after they talk about the number of failures, but I'm going to just jump to this real quick.
It was very interesting to me because this is definitely something that I've had many discussions with in the past on, like, how far? Because we would joke about, like, oh, if you fail a couple of phishing email tests, we're going to take away your computer and give you an Etch A Sketch. Ha. But there was a variety of compromises here and a surprising percentage of companies pursued them. So at the top, and as expected, 61% of companies did counseling from either a member of the infosec team or 54% counseling from the manager. Right, that sounds, for repeat offenders, go talk to them. Be like, hey, what's going on? And you guys need to keep an eye out for this. 52% gave, as a consequence, an impact to the employee's yearly performance reviews. So that's probably a financial impact if you move down. I don't know how every company does their performance management, but that usually controls your salary, right?
[00:22:56] Speaker B: Or your raise at least will impact bonuses, I'm sure.
[00:23:00] Speaker A: Yeah, that is interesting. The next one down, 43% had HR enforced disciplinary actions. That actually seems to me like that would be less impactful than the performance review one, because one's monetary and one's maybe not. But here's where we get interesting. 36% of companies or respondents, I should say respondents, had removal of access to systems. How do you keep doing your job if you don't have access to systems anymore?
[00:23:28] Speaker B: Yeah, that seems like you're really impacting the business at that point.
[00:23:34] Speaker A: Yeah, I mean, we've dreamed about it, right? We've dreamed about so and so that clicked on every single phishing email last month. And you just want to remove their permissions and just don't let them do anything. But you can't because they're hired for a job. I don't know. That's interesting to me. It makes me wonder if maybe they just removed, like, admin access or something for a period of time.
But again, still, if they needed admin access to do their job, I don't.
[00:23:58] Speaker B: Know, you'd have to really get some sign off on that.
[00:24:02] Speaker A: Yeah, 36%. Next one was 26% monetary penalty. I assume that means they docked their wages. That again, seems interesting, which I don't know, because some of the 18% of the phishing attacks resulted in money lost to the company. I don't know how I feel about docking wages on the people that are clicking on those links.
[00:24:24] Speaker B: I'm wondering what they're talking about. For repeat offenders, I assume there's a threshold.
[00:24:29] Speaker A: Three, four, five, whatever.
[00:24:32] Speaker B: Because one thing you don't see on here at all is remedial training.
[00:24:36] Speaker A: Yeah. Anyway, so I'll save the last one for best. 20% of the organizations that use consequence models terminated people for repeat offenders. I guess technically it says this is consequences for repeat offenders. This does not say consequences that have been applied. So maybe it's on their list, but maybe they haven't done it either. That's a possibility.
[00:24:55] Speaker B: Oh, yeah. I hadn't considered that.
[00:24:58] Speaker A: Yeah. I was kind of going into this assuming that these were things they had done in the past, but actually I think this is things that are on their list of potential. How many failures do you have to have there?
[00:25:09] Speaker B: These are like policy statements.
[00:25:11] Speaker A: Yeah. I don't know, actually. How do you think this should go? If somebody screwed up one of these emails, like a business email compromise, and lost the company a half a million dollars, is that fireable?
[00:25:25] Speaker B: Don't know.
[00:25:26] Speaker A: I think it depends on if they followed the process, for sure. Like, if you didn't follow, if it was one of those ones where it's, hey, we got a new bank account. There's an audit going on in our old bank account.
Here's the new bank information. Just pay here. And you guys have a process that says that you have to do, like, an out of band confirmation, and you don't do that. I can see that being a terminatable offense. I don't know if terminatable is the right word.
[00:25:52] Speaker B: Yeah. So failure to follow an established process which would have prevented the action makes sense. Those are the kind of things, though, that you really have to ensure you have executive buy in, because I've seen more than once where you have an established process for security reasons and you're following that process and the executive leader ignores it, or they attack you, usually verbally, not necessarily physically attack you, for following the process. I've had to defend employees from executives or spoken on behalf of employees who are being verbally abused by executives for following a security process. And it's not fun.
[00:26:46] Speaker A: And they're the ones who should know better, right?
[00:26:50] Speaker B: You'd assume so. But a lot of the time it's like, do you know who I am? It's like, well, kind of. It can be challenging without senior leadership really going to bat for you in some circumstances, yes.
[00:27:08] Speaker A: If your manager is not willing to stick, because that's what your manager should be doing, that's a big part of their job, is making sure that you're clear to do your job and they're taking that heat for you. All right, section four, threat level intel. Very Attacked People. I don't think there's anything interesting here.
[00:27:22] Speaker B: Very Attacked People. So depending on your organization, these are going to be different groups of people. And like, say, for instance, financial services, a very attacked person might be a customer service representative or a member service representative.
Because if you think about it, it makes sense for those people to be attacked because they're the ones who deal with customers and can do all the things in order to support the customer. So there's a big risk there that they can either expose data or perform transactions that lose the company or their customers money. So I think a lot of people misconstrue Very Attacked People with VIP, or they assume VIPs will be the Very Attacked People, and not collecting or looking for metrics to identify who those attacked people are, or are not doing threat modeling in order to identify where your risks are at or where you want to have the greatest amount of protection. Because if you're in a financial services organization and your customer service representatives can log into your banking application and they can move money around, I would say that's pretty important to be able to protect those users, versus a mid level manager in the accounting department, which actually has no ability to affect the movement of money around the organization. And when you're talking about financial services, will have a different set of people who are most likely to be attacked, versus a manufacturing company, where their valuable data is around their CAD products or other intellectual property, versus the ability to move financial instruments around or interact with financial instruments in that sense.
[00:29:35] Speaker A: Yeah, I definitely have seen in the past where there are definitely people who get attacked more often than average, but those people tend to be better at spotting just because they get lots and lots of practice.
[00:29:47] Speaker B: Right. And I think this is where it comes in, where you need to really be collecting the statistics around this information, around who's getting phished and who's reporting the phish and the results of their phishing training.
So it might be that if you actually designate certain departments or groups as at high risk of attack, or who actually get phished a lot, to relate that data with your attack simulation data to see if they need to conduct phishing training more frequently. So maybe your phishing training is quarterly for everybody, but maybe one group you want to do monthly because of the risk there.
[00:30:43] Speaker A: All right, well, speaking of training, I want to hit on this one last thing and then we can go ahead and finish things off with the conclusion section, the next part. Under the security awareness training, there are some interesting percentages on personal activities performed on work devices. Now, I'm not saying you shouldn't do personal stuff on work devices. If you're at the office all day or you're working from home and you're working twelve, you've got your work computer in front of you 12, 16 hours a day, as I totally do, boss, if you're listening, you're going to have to use it for personal activities sometimes, and that's fine. But what I found really interesting here was that I think a lot of people are lying, because numbers, for example, only 40% of people said they use their work computer to read news stories. Really, only 35% use it to research things, shop online, 30%, stream media, 29%. Like, all those seem fine to me. The ones that seem kind of iffy to me are check personal email, and that's probably because I've done quite a bit with phishing in the last decade or so, and that makes me really leery. I've definitely seen cases in the past where somebody's infected themselves because of something they got on their personal email and we didn't have any record of it. We had to go back and look and be like, oh, they were [email protected] right before this happened. So that's adding an additional threat vector. The post to social media I'm not a big fan of, but maybe that's just because I hate social media. So you might be able to ignore that.
The 12% who play video games on their work devices, that one was, I thought, a bridge too far. I'm not sure why. I don't know why. I think that streaming media and shopping online is fine, but playing video games is not. So what do you do on your work laptop, David? Just kidding. I do work, oh, 100% of the time. I don't touch anything. Anything else. You know what? I don't even stream media either. Like, you can do most of this on your phone too. Maybe that's why so few percentages were saying they do it on there. I mean, I can put on headphones and use my phone and check Amazon and all this stuff. Heck, I can play video games.
[00:32:42] Speaker B: I think one of the things here that might have an impact on these numbers, which don't actually come out in the survey, is the proxy prohibitions which are in place at the organization. So maybe they can only do, or so many people can only do X because they're actually technically prohibited from being able to do that. There's a lot of places, well, there are many places that block personal email, so that number could be higher, but because of other technical things, it's not.
[00:33:14] Speaker A: Yeah, streaming media. I'm sure that most companies don't want you streaming Spotify all day on your work network or your VPN.
[00:33:21] Speaker B: Right. And now that a lot of people are working from home, if you have a hub and spoke design, a lot of that could be blocked simply for bandwidth concerns.
[00:33:32] Speaker A: Exactly. So the actual more interesting thing they had in here is the activities employees allow others to do on their device. And I think that they specifically frame this in a working from home sense. I'm betting this is spouses and children, which makes it not quite as weird. I don't let my spouse or child or children touch my computers at all.
[00:33:52] Speaker B: No.
[00:33:54] Speaker A: I guess if my wife asked me to use my computer, I'd let her, but I wouldn't ever ask to use hers. I don't know.
[00:34:03] Speaker B: Having said that, I know in which situations that takes place because I've known people who are in this situation is they use their work computer as their personal computer because they don't own another one. Surprisingly enough, that is the case. Sometimes I find a computer for so. [00:34:23] Speaker A: Cheap these days, like $300 $150 gets you a chromebook. Interesting. Yeah, I don't know. So anyways, the numbers here, 33% let somebody else check their email 20% read news stories 26% post to social media 11% play video games. [00:34:42] Speaker B: That's because of the install. Probably that number would be higher if they had local admin. [00:34:47] Speaker A: Yeah. What, you mean you don't every company? [00:34:51] Speaker B: All right. [00:34:52] Speaker A: And with that, I think that's mostly amusing and interesting stuff. And also I'm running short on time. We keep saying we're going to make these 30 minutes and we never have, and perhaps one day we'll get that efficient. So section six, conclusion, take notes, take action. Do you have any conclusions for us, David? [00:35:06] Speaker B: I think one of the conclusions here is that you need to make it easy for your employees to respond to phishing attacks, whether they be simulated or actual. So having that button in your mail client to report phishing I think is huge. Not only just to get those numbers up or to make it easier for people to report that, but also in a response scenario to ensure you get those headers and stuff from those potential phishing actions. And when we were talking about earlier, the top five trickiest email simulations, those are great if you want to be tricky, but what it would be more valuable is taking the data you get from your phishing response actions and merge that with your attack simulation. 
So if you're getting certain types of fishes, you get a lot of attachments or you get a lot of UPS package delivery phishing attacks, take those and feed that into your training so that when your training emails go out, they have some correlation to the attacks you're actually seeing at your organization. And if you have your very attacked people and your vips clearly identified, work with. If you don't actually manage the training, work with your training team to have training purposefully designed or more targeted for those individuals. Because it's a matter of kind of the 80 20 rule. 80% of your risk is in 20% of your people. So maybe you spend additional training time focusing on that 20% versus the other 80% because that's where most of your risk is at. And I know I've discussed this with training people before, but I haven't actually been able to get it successfully implemented is have some kind of rewards program or something like that that highlights the success of the folks within your company who are responding to your phishing training. Highlight a team or something like that, with challenge coins or t shirts or something like that, saying this department successfully reported our phishing attack simulation 90% of their team reported that or something like that. And try to get more involvement from your employees. And if you're going to do that, you need to make sure the entire organization is aware that that's taking place. Some places I've been, the leaders of those teams may know, but all the employees don't know. So they don't even realize that they're the worst department in the entire organization as far as their attack phishing simulation. And actually, I proposed one time to training, and I can understand why this probably didn't go over so well, is that we have two rewards. One for the team that did the department that did the best and one that did the worst. 
And the worst team would get one of those talking fishes that goes on the vp's door and he would have to keep that for a quarter until we reran the numbers. But obviously that suggested not go over too well because we can't highlight non success. However you want to put that. [00:38:58] Speaker A: Yeah, you can definitely do like a trophy that gets handed and passed between department heads. Make it something they can show off. Definitely something I've seen done. [00:39:08] Speaker B: You could tie that into all hands meetings or something like that. You do an annual or quarterly all hands, make a big show of the passing of that trophy or something like that. [00:39:21] Speaker A: All right, well, thanks for listening to the security Serengeti podcast. Follow us on Twitter at serengeti sec. Download and listen from your favorite podcast application. And we'd love to see some reviews. We have hundreds of listeners at this point in time, and nobody has left us a review that I've noticed. I like to think they'd email me or something if we got a review. That'd be cool. [00:39:44] Speaker B: That'd be cool. [00:39:44] Speaker A: Be cool. [00:39:46] Speaker B: On the bright side, we haven't got any death threats either. [00:39:50] Speaker A: Does one come with the other?