Imagine getting an email from your company's human resources department, customized with the company's logo, touting a new benefits program. It even offers a link to check out the details.
You'd click that link without hesitation.
Cyber attackers are counting on it, because HR didn't send that email, and the link leads to malware. So how can you tell what's legitimate and what's not?
Despite increasing numbers of security breaches involving confidential data, security training in Canada is still woefully lacking. IDC says in its December 2012 Forecast of Data Breaches of Personal Information in Canada that there were an estimated 3.3 million incidents of lost or stolen confidential personal data in 2011, and that this is expected to increase to over 4 million by 2015. Yet only just over half of organizations have employee security awareness plans in active use, and, even more disturbing, about one quarter do not have plans at all, even though organizations of all sizes list employee knowledge as one of the top three critical roadblocks to improving security.
Worse yet, IDC's research finds that IT security investments are lower here than those in the U.S., while Canadians have a higher degree of confidence in IT security. Says IDC, "this continued high level of confidence is not only unwarranted, but dangerous."
Phishing attacks, in which attackers attempt to extract credentials from their victims with communications masquerading as legitimate messages, have become increasingly sophisticated. It's often difficult for even alert, trained employees to spot them. Targeted phishing, known as spear phishing, aims at a small group of victims, often incorporating customized information to persuade recipients that the emails are from trusted sources.
And that's where PhishMe comes in.
Chantilly, VA-based PhishMe Inc. is a four-year-old company that specializes in teaching employees how to detect and avoid phishing, malware, and drive-by attacks. Its product is a software-as-a-service spear phishing simulator that immerses employees in a realistic scenario without the negative effects of a real attack.
According to CEO Rohyt Belani (pictured), the idea came when he realized humans were becoming the attack vector of choice. The core of his company's offerings is managing employees' security behaviour. "I shy away from saying we do awareness; there's a passive undertone to it," he says. "Actively managing employee behaviour is what we do."
"Fighter pilots learn from putting them in the simulator and creating different situations and giving them feedback," he went on. "That's kind of what we're doing here. We immerse people in a very controlled environment in simulated phishing attacks that closely replicate what the nation-state actors and the cyber criminals do."