Phishing: The future is zero tolerance

Phishing has long been the proverbial thorn in an organization’s side. It doesn’t have the glitz and glamor of many other headline-grabbing hacks, such as the latest zero-day or ransomware attack. It’s been around so long it has become old news, pushed aside and nearly forgotten in a world where security professionals, the media and enterprises alike are engaged in a constant battle of extinguishing cyber fires and worrying about the newest malware variant.

Government agencies, however, should be particularly concerned about phishing. They make great targets, since they often have considerable amounts of attractive personally identifiable information and, too often, poor cyber defenses.

From my experience as a penetration tester and social engineer, it appears that most agencies view phishing awareness training as a necessary evil that is conducted yearly at best with some computer-based exercises. It is almost always an afterthought -- something agencies must do, rather than want to do. In most instances, the only time a phishing awareness campaign is run is during the annual compliance test for the  Federal Risk and Authorization Management Program, meaning employees may not have seen a phish since the last time an audit was performed.

Yet this threat vector has been shown to be the first step in over 90 percent of recorded breaches. Government is increasingly at risk; according to Symantec’s 2018 Internet Security Threat Report, Volume 23, the public administration sector received more email-borne malware -- 1 out of 120 emails received -- than any other sector. Despite its devastating impact, phishing still fails to command the respect and attention it deserves as a formidable threat to every organization.

A common question -- and one that has a place in most certifications such as FedRAMP -- is, “What is an acceptable failure rate for phishing?” For years, the prevailing sentiment and some professional guidance has been that anything under 10 percent would be trending in the right direction. While this guidance is, in my view, misguided, many industry professionals and consultancies have given out the same improper, or perhaps we should say “severely outdated,” guidance, however well intentioned.

After three years of gathering data from multiple phishing campaigns launched at government agencies and business -- from the top Fortune 500 companies all the way down to sole proprietorships -- one metric stands above all the others: a 62.5 percent compromise rate. We have tested over 100 organizations that have, in their opinion, “stellar phishing programs,” those that have a single test campaign once a year and those that do relatively nothing from year to year.

While the quality of phishing testing programs has a broad range, the fact of the matter is, if a person clicks on a phishing email link -- and 26.2 percent do, on average, in our data -- there is a 62.5 percent chance on average that person will either share working credentials to their account or  download a payload that will give the malicious actor control of the host. Are there security measures that can help with some of that? Of course there are; but the metrics are still clear -- even if the threat actor doesn’t compromise the host, over half the time an active username and password is now in the hands of the bad guy.

These results are staggering in their implications. Using the “old” acceptable rate of a 10 percent click through, that leaves a 6 percent compromise rate. Let’s look at what that might look like for a large agency with, say, 50,000 employees. A 26.2 percent click rate equals 13,100 clicks. If this agency were to fall into the “average” compromise rate, that would be 8,187 compromises! Even the industry-standard 10 percent click rate would yield 3,125 compromises.

I believe that all organizations should be striving for zero clicks. While this may well be unattainable, we humans tend to be complacent in coming close to our goals. A goal of 10 percent will probably mean 12 percent. A goal of 2 percent will likely achieve a result of 5 percent, and with a 62.5 percent compromise rate, will still likely open an enterprise network to an unacceptable level of risk. Granting not only the important role phishing plays as an entryway to significant breaches but the likelihood of compromise per click, the industry should be shouting “zero tolerance” from the roof tops. The days of acceptable risk should be long behind us.

I think it is clear that we are unlikely to eliminate the human element and the risks that brings. There will always be mistakes or problems as long as people are involved. But by setting far more aggressive goals, standing up progressively better phishing defense programs to train employees, rewarding them for improvement, incentivizing them for doing the right thing and demonstrating what “good” looks like, agencies can both set and meet more aggressive goals to better protect the enterprise.

While phishing isn’t the most interesting, headline-worthy topic in tech news today, it should be the No. 1 topic of concern for nearly every agency's cybersecurity team. The cultural norm must shift to zero tolerance, and until it does, phishers couldn't be happier. As a social engineer and fake criminal in my day job, I know that every single phishing campaign I run will get me into your system. Thank you for making access to your agency so very easy.