Verizon has released its Verizon 2015 Data Breach Investigations Report. We created this infographic from the report:

(Infographic: Verizon 2015 DBIR)

At the conclusion of a comprehensive discussion of phishing, Verizon observes:

Taking measures to block, filter, and alert on phishing e-mails at the gateway is preferred, but no technological defense is perfect, which leads us straight to…people.

There is some hope in this data in that three-quarters of e-mails are not opened or interacted with. We wondered if there was a way to bump that number up (e.g., by giving users a quick way to flag potential phishes and thereby become a detective control), so we asked Ellen Powers, The MITRE Corporation’s Information Security Awareness Program Manager, about the effectiveness of making users part of the active defense against phishing. She noted that “MITRE employees, our human sensor network, detect 10% of advanced cyber attacks that reach employee e-mail in-boxes.”

Lance Spitzner, Training Director for the SANS Securing The Human program, echoes Ellen’s sentiments, noting that “one of the most effective ways you can minimize the phishing threat is through effective awareness and training. Not only can you reduce the number of people that fall victim to (potentially) less than 5%, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.”

The only problem with this human sensor network is that in operational environments people do a poor job of identifying bogus emails. MITRE’s own research found that training is ineffective. This is just like the problem of counterfeit money. Nobody wants to accept fake money, but you can’t be a Secret Service agent doing forensic examinations of every Federal Reserve Note you handle — any more than you can be a forensic engineer testing every email header, link and attachment for the hundreds of emails you process every day. To help everyone identify real money, and to make it hard for bad guys to pass fake money, the U.S. Government puts easy-to-recognize security features in money. These security features are the tool that everyday users of money can use to avoid fake money. A similar tool is available for email — SP Guard from Iconix.