Phishing Simulation Exercises Valuable: Official Study

The Office for Civil Rights recently release its first financial penalty to an organization that experienced a data violation after its staff responded to a phishing campaign.

The case lead to The University of Washington Medicine agreeing to a $750,000 fine to settle possible HIPAA violations. UWM had already had to cover large data breach resolution costs after experiencing a 90,000-record violation. The fine and data breach costs could have been avoided if staff members had been trained how to identify phishing emails.

The healthcare industry is now being focused on by cybercriminals, and phishing is the most commonly used way to gain access to patient data. Even when multi-million-dollar security defenses are utilized to keep networks secure, a single response to a phishing email can be all needed to compromise the records of hundreds of thousands of medical records. In the example of Anthem Inc., a sophisticated phishing campaign lead to the theft of 78.8 million subscriber records. Premera BlueCross also reportedly experienced its 11-million record data breach due to employees responding to phishing emails, and in 2014 the 4.5 million-record Community Health Systems data breach was also caused due to members of staff responding to phishing emails.

Phishme, a supplier of human-phishing defense solutions, recently released the results of an anti-phishing study carried out on 400 companies globally. The company has now broadcast over 8 million phishing emails as part of its phishing simulation exercises. Overall, 3.5 million enterprise employees from 23 countries around the world have had their phishing identification talents put to the test using the company’s phishing simulation exercises.

The 2015 Enterprise Phishing Susceptibility Report points to the benefit of conducting phishing simulation exercises on staff members. When it comes to phishing email identification, it would appear that practice leads to success. Employees can perfect their scam email identification skills with training, which will lessen the probability of them responding to a real phishing email.

Cyberattacks are carried out using a range of techniques, but the most common attack vector is phishing. The method is also hugely successful. Research shows that approximately 20% of phishing emails lead to a user falling for the scam.

When hackers formulate campaigns to appear as office correspondence, they are more likely to lead to the emails being opened and action being taken. There was a 22% click through rate from office-communication phishing emails according to the report.

Phishme data show that a staff member who responds to one phishing campaign is likely to fall for asubsequent campaigns. 67% of individuals who answered  a phishing email were repeat offenders. If individuals are  not aware of the telltale signs that an email or website is malicious, they will keep on making the same mistakes.

However, after participating in phishing simulation exercises, the chances of them falling for a phishing campaign rapidly falls. In fact, after four phishing simulation emails their likelihood to respond a fifth time falls by 97.14% on average.