2020 phishing attack landscape and industry benchmarking
play

2020 Phishing Attack Landscape and Industry Benchmarking The data - PowerPoint PPT Presentation

Dec 15, 2023 •209 likes •581 views

2020 Phishing Attack Landscape and Industry Benchmarking The data you need to know Perry Carpenter Joanna Huisman Chief Evangelist & Strategy Officer SVP Strategic Insights & Research KnowBe4, Inc. KnowBe4, Inc. Perry Carpenter

  1. 2020 Phishing Attack Landscape and Industry Benchmarking The data you need to know Perry Carpenter Joanna Huisman Chief Evangelist & Strategy Officer SVP Strategic Insights & Research KnowBe4, Inc. KnowBe4, Inc.

  2. Perry Carpenter Chief Evangelist & Strategy Officer KnowBe4, Inc. Joanna Huisman SVP Strategic Insights & Research KnowBe4, Inc.

  3. About KnowBe4 • The world’s most popular integrated new-school Security Awareness Training and Simulated Phishing platform, over 32,000 customers worldwide • Founded in 2010 • Recognized as a Leader in the Gartner Magic Quadrant for Computer-Based Training (CBT) with the highest and furthest overall industry position for ability to execute About KnowBe4 and completeness of vision. • Recognized as a Leader in the Forrester Wave for Security Awareness and Training Solutions with the highest overall industry position. • Our mission is to train your employees to make smarter security decisions so you can create a human firewall as an effective last line of defense when all security software fails… Which it will! 3 3

  4. The question every executive asks…

  5. 1. The phishing problem 2. Phishing benchmark data by industry Agenda 3. International phishing benchmark data by region 4. Actionable tips to create your “human firewall” 5

  6. 1. The phishing problem 2. Phishing benchmark data by industry Agenda 3. International phishing benchmark data by region 4. Actionable tips to create your “human firewall” 6

  7. Cybercriminals rely on phishing because it works… 2019 Phishing By Industry Benchmarking Report A C C O R D I N G T O V E R I Z O N ' S P 2 H 0 I 1 S 9 H D I A N T G A W B A R S E A T C H H E # I N 1 V T E H S R T L E I G I N A T A K A T E I O D C N T T O I O R E S N P O U O C S R I T A E , L D E I N N G S I U N E C E C R E I S N S G F U A L N D B M R E A A L C W H A E S R E A T T A C K S . INTRODUCTION Every security leader faces the same conundrum: even as they increase their investment in sophisticated security orchestration, between effective technology and clever attack methodologies. Yet An organization’s PPP indicates how many of their employees are there’s an overlooked layer that can radically reduce an likely to fall for a social engineering or phishing scam. These are organization’s vulnerability: the employees who might be fooled into opening a file infected with malware or transferring company funds to a fraudulent offshore bank account. A high PPP indicates greater risk, as it According to Verizon’s 2019 Data Breach Investigation Report, points to a higher number of staff who typically fall for these phishing was the #1 threat action used in successful breaches scams. A low PPP is optimal, as it indicates the staff is linked to social engineering and malware attacks. These criminals security-savvy and understands how to recognize and shut down successfully evade an organization’s security controls by using clever phishing and social engineering tactics that often rely on The overall Phish-prone percentage offers even more value when methods are designed to persuade staff to take steps that provide placed in context. After seeing their number, many leaders ask questions such as “How does my organization compare to others?” and “What can we do to reduce our Phish-prone percentage?” Each organization’s employee susceptibility to these phishing attacks is known as their Phish-prone™ percentage (PPP). By 7 KnowBe4, the world’s largest Security Awareness Training and translating their risk into measurable terms, leaders can quantify Simulated Phishing platform, has helped organizations reduce their breach likelihood and adopt training that reduces their their vulnerability by training their staff to recognize and respond human attack surface. appropriately to common scams. To help companies evaluate their PPP and understand the implications of their ranking, KnowBe4 conducts an annual study to provide definitive phish-prone benchmarking across industries. Categorized by industry vertical, organization size, and the amount or frequency of security awareness training, the study reveals patterns that can light the way to a stronger and safer future.

  8. the Cyber Kill Chain Attackers generally follow these steps to compromise an organization 8 http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

  9. 1. The phishing problem 2. Phishing benchmark data by industry Agenda 3. International phishing benchmark data by region 4. Actionable tips to create your “human firewall” 9

  10. All 17,000 customers were using the KnowBe4 platform according to the recommended best practices for a new-school security awareness approach: • Running an initial baseline test • Training their users through realistic on- demand, interactive training • Frequent simulated testing at least once a month to reinforce the training 10

  11. Three-Phases of Measurement 1 Phase One: If you haven’t trained your users and you send a phishing attack, what is the initial resulting PPP? To do this, we monitored employee susceptibility to an initial baseline simulated phishing security test. From that established set of users, we look at any time a user has failed a simulated phishing security test prior to having completed any training. 2 Phase Two: What is the resulting PPP after your users complete training and receive simulated phishing security tests within 90 days after training? We answered this question by finding when users completed their first training event and look for all simulated phishing security events up to 90 days after that training is completed 3 Phase Three: What is the final resulting PPP after your users take ongoing training and monthly simulated phishing tests? We measured security awareness skills after 12 months or more of ongoing training and simulated phishing security tests and look for users that completed training at least one year ago and take the performance results on their very last phishing test. 11

  12. RISKY BUSINESS 12

  13. Benchmark Phish- prone Percentage by Industry 13

  14. Results Within 90 Days of Testing 14

  15. Results after 1 Year+ of Ongoing Training 15

  16. Security Awareness + Frequent simulated phishing training = Drastically improved phishing resiliency The Results are in: and they are dramatic 16

  17. Our Behavior-Based Approach Works Organizations across these specific industries improved their failure rate by 88% after 12 months of combined security awareness training and simulated phishing using KnowBe4. (Based on weighted averages across all organization sizes. Percentages rounded. 17

  18. Putting the results into perspective 18

  19. 1. The phishing problem 2. Phishing benchmark data by industry Agenda 3. International phishing benchmark data by region 4. Actionable tips to create your “human firewall” 19

  20. 2020 International Results 20

  21. - Africa - 81.9% Improvement 21

  22. - UK&I - 82.4% Improvement 22

  23. - Europe - Incomplete data set, yet trending favorably as expected 23

  24. - APAC - 78.7% Improvement 24

  25. 1. The phishing problem 2. Phishing benchmark data by industry Agenda 3. International phishing benchmark data by region 4. Actionable tips to create your “human firewall” 25

  26. People are a critical layer within the fabric of our Security Programs 26

  27. Security Awareness and Secure Behavior are NOT the Same Thing Traditional awareness programs fail to account for the knowledge-intention- behavior gap …

  28. Th There re are re Th Thre ree Realiti ties of of Se Securit ity A Awareness What your Just because I’m If you try to work employees do is way aware doesn’t mean against human more important than that I care . nature, you will fail . what they know .

  29. Train by Simulating the Steps taken by Attackers Upon Click Pre-Click Activities Post-Click Activities Weaponization Exploitation Command & Control Reconnaissance Delivery Installation Act on Objectives Simulate targeted and Discover your attack surface Understand the impact of breach opportunistic attack types 29

  30. • Understand the types of email subjects that will realistically test your users susceptibility to phishing. Bait the hook! • Know the types of ‘in the wild’ phishing scams that are occurring so that you can work to inoculate your users! 30

  31. -- effective phishing lures -- Greed Curiosity Self Interest Money Urgency Fear Helpfulness Hunger 31

  32. Plan like a Marketer. Test like an Attacker. 32

  33. • Humans are the de-facto top choice for cybercriminals seeking to gain access into an organization. • Security Awareness and frequent simulated social engineering testing is a proven method to dramatically slash Final Thoughts your organization’s phish prone percentage. • Effectively managing this problem requires ongoing due diligence, but it can be done and it isn’t difficult. We’re here to help. 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Phishing Attack Landscape and Benchmarking The data you need to know Perry Carpenter Chief

Phishing Attack Landscape and Benchmarking The data you need to know Perry Carpenter Chief

Phishing Attack Landscape and Benchmarking The data you need to know Perry Carpenter Chief Evangelist & Strategy Officer KnowBe4, Inc. About Perry MSIA, C|CISO Former Gartner Analyst leading research and advisory services to

655 views • 34 slides
Id Identify fy a Phishing Attack CWU Information Security Services Id Identify fy a Phishing

Id Identify fy a Phishing Attack CWU Information Security Services Id Identify fy a Phishing

Id Identify fy a Phishing Attack CWU Information Security Services Id Identify fy a Phishing Attack An email address that tries to disguise itself as legitimate Outlook Team <msOutlook@outlook.com> Confirm Acount Details Hello

108 views • 7 slides
VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of

VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of

THE STATE OF PHISHING ATTACK VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of Phishing Counter Measures Reports on Phishing Isaac K. Acheampong Facilities Manager BSc IT, Dip. IT, Sec+ STATE OF

711 views • 34 slides
An Empirical Analysis of Phishing Attack and Defense Tyler Moore and Richard Clayton University

An Empirical Analysis of Phishing Attack and Defense Tyler Moore and Richard Clayton University

Whos winning the phishing arms race? Non-cooperation when countering phishing Evaluating the wisdom of PhishTanks crowd An Empirical Analysis of Phishing Attack and Defense Tyler Moore and Richard Clayton University of Cambridge

735 views • 69 slides
Phi.sh/$oCiaL: The Phishing landscape through Short URL's 1. Introduction With the advent of

Phi.sh/$oCiaL: The Phishing landscape through Short URL's 1. Introduction With the advent of

Phi.sh/$oCiaL: The Phishing landscape through Short URL's 1. Introduction With the advent of Web 2.0 technologies, social services like Twitter, Facebook, and MySpace have emerged as popular media for information sharing; While phishing

813 views • 33 slides
ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im

ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im

QCON LONDON 2020 ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im Tracy calling from Lyft HQ. This month were awarding $200 to all 4.7+ star drivers. Congratulations! Hey Tracy, thanks! Np!

769 views • 60 slides
Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why

Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why

Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works. Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack. What is Phishing? Dhamija, R.,

528 views • 50 slides
The Art of Phishing : What you should know Arvind Vishwakarma 05/24/2019 Agenda 1. Phishing

The Art of Phishing : What you should know Arvind Vishwakarma 05/24/2019 Agenda 1. Phishing

The Art of Phishing : What you should know Arvind Vishwakarma 05/24/2019 Agenda 1. Phishing In a Nutshell 2. Phishing Types & Techniques 3. Phishing Stats & Modern Trends 4. Case-Study 5. Stay Safe 2 Speaker ABOUT ME

478 views • 24 slides
Phishing Fishing or Phishing? Definition Phishing: an attempt to trick victims into sharing

Phishing Fishing or Phishing? Definition Phishing: an attempt to trick victims into sharing

Phishing Fishing or Phishing? Definition Phishing: an attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons. Phishing can be in the form of emails, social

530 views • 20 slides
Overview What is Adversarial Attack? Why should we care? How does it work? Real

Overview What is Adversarial Attack? Why should we care? How does it work? Real

Adversarial Attacks on Phishing Detection Ryan Chang Overview What is Adversarial Attack? Why should we care? How does it work? Real World Demo on Phishing Detection Model How to defend? Adversarial Examples on

610 views • 26 slides
Retreat IT Presentation Rick OToole Phishing Awareness What is Phishing? Phishing is the

Retreat IT Presentation Rick OToole Phishing Awareness What is Phishing? Phishing is the

School of Fin ine Arts Retreat IT Presentation Rick OToole Phishing Awareness What is Phishing? Phishing is the attempt to obtain personal information such as passwords and logins for malicious purposes. By appearing to be legitimate the

255 views • 13 slides
Construction Industry KPIs Agenda KPIs and Benchmarking Current Industry KPIs

Construction Industry KPIs Agenda KPIs and Benchmarking Current Industry KPIs

Construction Industry KPIs Agenda KPIs and Benchmarking Current Industry KPIs Business Opportunities Wider Benefits Future KPIs Discussion KPIs & Benchmarking A KPI is a measure of a factor

1.55k views • 18 slides
Tech Briefing Email Security (Phishing) VPN File Storage Phishing Awareness What is Phishing?

Tech Briefing Email Security (Phishing) VPN File Storage Phishing Awareness What is Phishing?

Tech Briefing Email Security (Phishing) VPN File Storage Phishing Awareness What is Phishing? Phishing email messages, websites, and phone calls are designed to steal money or sensitive information. Cybercriminals can do this by installing

264 views • 24 slides
PHISHING IN DEPTH (ATTACKS & MITIGATIONS) Table of Content 1.0 Introduction 2.0 Phishing

PHISHING IN DEPTH (ATTACKS & MITIGATIONS) Table of Content 1.0 Introduction 2.0 Phishing

PHISHING IN DEPTH (ATTACKS & MITIGATIONS) Table of Content 1.0 Introduction 2.0 Phishing 3.0 Phishing kit 4.0 Types of Phishing 5.0 Avoidance Techniques 6.0 Effect of Phishing on Businesses 7.0 Demos & Practical INTRODUCTION

565 views • 27 slides
Training employees to recognise and avoid phishing threats Agenda Today, we will be exploring:

Training employees to recognise and avoid phishing threats Agenda Today, we will be exploring:

Training employees to recognise and avoid phishing threats Agenda Today, we will be exploring: What is phishing? How phishing can damage a business What are the difgerent types of phishing? How to spot a phishing email What to do if

159 views • 12 slides
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record

921 views • 59 slides
Boiling Curve Wall Temp. Controlled. Pool boiling curve for temperature controlled case with

Boiling Curve Wall Temp. Controlled. Pool boiling curve for temperature controlled case with

Boiling Curve Wall Temp. Controlled. Pool boiling curve for temperature controlled case with increasing temperature and decreasing temperature. Note that there is a hysteresis especially in the transition region. 4 Pool Boiling Curve

295 views • 7 slides
Joint Physics Analysis Center (JPAC) The Joint Physics Analysis Center (JPAC) formed in

Joint Physics Analysis Center (JPAC) The Joint Physics Analysis Center (JPAC) formed in

Amplitude analysis of / 0 0 Alessandro Pilloni Joint Physics Analysis Center Krakow, June 6 th , 2016 Joint Physics Analysis Center (JPAC) The Joint Physics Analysis Center (JPAC) formed in October 2013 We

873 views • 17 slides
Method Taking into Account Process Dispersion to Detect Hardware Trojan Horse by Side-Channel

Method Taking into Account Process Dispersion to Detect Hardware Trojan Horse by Side-Channel

Method Taking into Account Process Dispersion to Detect Hardware Trojan Horse by Side-Channel X. Ngo, Z. Najm, S. Guilley, S. Bhasin, J.-L.Danger PROOFS14, Busan, South Korea Introduction to HTH and its detection Proposed HTH Detection

429 views • 27 slides
Background High Time Resolution Universe (HTRU) survey Running since 2008, now entering

Background High Time Resolution Universe (HTRU) survey Running since 2008, now entering

Ben Barsdell Matthew Bailes Christopher Fluke David Barnes S POTTING R ADIO T RANSIENTS W ITH THE HELP OF GPU S Background High Time Resolution Universe (HTRU) survey Running since 2008, now entering deep phase Uses the Parkes 64m radio

292 views • 16 slides
FTP/4-5Ra Optimisation of production method of a nanostructured ODS ferritic steels P.

FTP/4-5Ra Optimisation of production method of a nanostructured ODS ferritic steels P.

FTP/4-5Ra Optimisation of production method of a nanostructured ODS ferritic steels P. Unifantowicz 1 , J. Fikar 1 , P. Sptig 1 , C. Testani 2 , F. Maday 2 , N. Baluc 1 , M.Q. Tran 1 1 Fusion Technology-Materials, CRPP EPFL, Association

458 views • 19 slides
t sr

t sr

t sr r r Ps rt t r t

291 views • 26 slides
High Power Targets at J-PARC #1 High Energy Accelerator Research Organization, KEK J-PARC Center,

High Power Targets at J-PARC #1 High Energy Accelerator Research Organization, KEK J-PARC Center,

The High Power Targetry R&D Roadmap for High Energy Physics Workshop @Fermilab, USA 31st May, 2017 High Power Targets at J-PARC #1 High Energy Accelerator Research Organization, KEK J-PARC Center, Materials and Life Science Experimental

345 views • 23 slides
Land Development Systems Modernization BOS Information Technology Committee Rob Stalzer, Deputy

Land Development Systems Modernization BOS Information Technology Committee Rob Stalzer, Deputy

Land Development Systems Modernization BOS Information Technology Committee Rob Stalzer, Deputy County Executive Gordon Jarratt, Sr. IT Director, DIT May 9, 2017 Land Development Systems Modernization Economic Success Strategic Plan Alignment

184 views • 16 slides

More recommend