It’s no secret that social engineering attacks are on the rise. One of the most popular exploits in 2019 has been Business Email Compromise (BEC). In this type of attack, a hacker uses the identity of someone on the corporate network to trick the target into sending something of value. Hackers have seen tremendous success leveraging BEC. The Financial Crimes Enforcement Network, or FinCEN, estimates that BEC scams generated more than $300 million per month in 2018. The FBI reports that US companies lost $1.3 billion in 2018, and a recent AIG report reveals that BEC-related crimes were responsible for almost a quarter of all cyber claims.
Why are BEC attacks so successful? For starters, they contain no malicious payload, so traditional gateway solutions can’t detect them. If your email security relies solely on a spam or virus firewall, there’s very little to stop a BEC attack from getting to the inbox. Additionally, these attacks are created with care. Users often find it difficult to distinguish a well-crafted attack from a legitimate email, making them susceptible to following through with the hacker's request for money or sensitive data.
At the end of the day, the success of these types of attacks depends on whether the user takes the bait. In their 2019 MQ for Security Awareness Computer Based Training (SA/CBT), Gartner stated, “People influence security more than technology or policy, and cybercriminals know how to exploit human behaviors.”
The best chance an organization has at defending against BEC (or similar attacks) is by leveraging a security awareness training solution to teach users to identify and report social engineering attacks, rather than interacting with them. Due to its effectiveness at helping users to successfully thwart email attacks, security awareness training is a rapidly growing market. If you’re not using an SA/CBT solution, now’s the time to think about investing in one. Gartner estimates that by 2022, 60% of large organizations will have one FTE (full-time equivalent) for their SA/CBT program. Gartner released their latest MQ for Security Awareness Training earlier this summer. Let’s explore some of the highlights.
When we first speak to customers, many of them assume the main point of a security awareness training solution is to measure and improve click-rate. But an effective SA/CBT solution will take a comprehensive approach to help businesses mitigate security risks. Gartner says: “Security education can fulfill multiple objectives and requirements, including:
- Complying with regulations that mandate security training
- Establishing clear behavioral guidelines to support disciplinary processes, which are typically described in acceptable-use and/or security policies
- Improving employee knowledge of security and risk topics
- Motivating desired security behaviors in the appropriate context”
As with all of their MQs, Gartner identifies some key market trends and differentiators in the SA/CBT space including:
- Variety of content formats, length & styles
- Multilanguage support
- Supplemental internal marketing content
- Integration partnerships & possibilities
Which businesses need to seriously consider an SA/CBT solution? According to Gartner, “Security education CBT is suitable for organizations of all sizes and is of particular use to geographically distributed organizations that need common security performance across all employee groups”. But make no mistake, you don’t have to be a big company to fall victim to a social engineering attack. If you have email users, you’re a target.
Can your users spot a spear-phishing attack? Who are the high-risk users in your company? Have your users been trained on the most recent spear-phishing attacks?
Barracuda can help you turn your users from a security liability into a security asset. Contact us here for more information on our email protection systems, and download the MQ for Security Awareness Training report to learn more about the vendors in this space.
Ready to put SA/CBT to work for you? Join us for this free webinar:
See Why Gartner Says Security-Awareness Training Matters
Wednesday, September 25, 2019
11:00 AM Pacific Daylight Time
Can't attend the live webinar? Register anyway and you'll have access to watch it on-demand.