Sydney, NSW, AUS (21 March 2019)— Findings from a recent ISACA survey about strategies for phishing defense showed that only 12 per cent of the roughly 1,5000 respondents were completely confident in their ability to assess the effectiveness of their phishing awareness efforts.
In the new paper, Phishing Defense and Governance, released in partnership with Terranova Security, ISACA outlines key takeaways from this phishing research that reached security, assurance, risk and governance professionals, including:
• Only a slight majority (63 per cent) regularly monitor and report on the effectiveness of their activities.
• 38 per cent of respondents reported that their organisations develop security awareness collateral and anti-phishing materials internally.
• 85 per cent of enterprises measure and regularly report on the effectiveness of their phishing awareness programs
There is still a divide when it comes to organisations employing awareness activities such as email newsletters and online and in-person training, when compared to assessments of what employees have learned, through simulations and other knowledge-based tools. Simulation is not a common component of phishing awareness and training, with only 57% of those surveyed saying they perform phishing simulation, and 25% reporting they use other active knowledge-based assessment of employee phishing behavior.
“Current phishing defense strategies and implementation are clearly not hitting the mark,” said Frank Downs, director of cybersecurity practices at ISACA. “Strengthening these defense activities and improving outcomes is within reach, but requires careful planning and execution, and eliminating any gaps in managing and implementing these security awareness initiatives internally and externally.”
Phishing Defense and Governance also examines the potential correlation between joint internal and outsourced collateral development and the increased ability to report and measure on effectiveness, as well as the ways in which external service providers can be used to help support phishing defense. The white paper also provides some main areas of improvement where professionals should focus their attention when seeking to improve their phishing defenses, including:
• Ensuring the organisation has the capability to validate user behavior modification (such as through a phishing simulation)
• Evaluating the outsourcing or co-sourcing relationships in place and determining where the organisation has gaps in the quality of information it is receiving
• Setting clear goals for improvement and tracking to them
“Phishing attacks continue to grow each year both in number and in cost to organisations globally and countless new phishing scenarios are created every day,” said Theo Zafirakos, CISO at Terranova Security. “While human error continues to prevail as the leading cause of all breaches and security incidents, security professionals agree the most effective way to reduce human risk is with security awareness and phishing simulation training.”
The Phishing Defense and Governance whitepaper can be downloaded for free at www.isaca.org/phishing. For another perspective on phishing, read this ISACA Now blog post, “The C-Suite is the New Main Target of Phishing,” by Harold Walker, CISSP, Phishing Awareness Evangelist, Terranova Security.
About Terranova Security
Terranova Security is a global leader in security awareness training, recognised by Gartner®, with 1000+ successful phishing awareness and security awareness training programs spanning over 6-million users. Terranova Security is committed to partnering with CISOs and security professionals to help reduce human risk and support each organisation with a personalised and consultative approach for phishing and awareness training needs. Uniquely positioned to support security leaders govern, manage and measure changes in behavior, Terranova Security provides true flexibility and delivery models for phishing and security awareness training. Learn more: terranovasecurity.com
Now in its 50th anniversary year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.
Julie Fenwick, 0468 901 655, email@example.com
Lauren Graham, 0432 614 401, firstname.lastname@example.org
It’s not hard to understand why bot management is critical to maintaining business availability and customer satisfaction – but do you know how to properly deal with bots?
Increasing use of encryption has created new challenges for enterprise security managers. Ever more-sophisticated encryption such as Perfect Forward Secrecy (PFS) protects data and may even boost your Google ranking – but it also provides a haven for malicious code that may use encryption to bypass enterprise security controls.
Why nation-state attacks are everyone’s problem
With so much change all the time, how can executives best prepare their businesses to meet the security challenges of the coming years? CSO Australia, in conjunction with Mimecast, explored this question in an interactive Webinar that looks at how the threat landscape has evolved – and what we can expect in 2019 and beyond.
An interview with CSO's David Braue and Ian Yip, Chief Technology Officer, McAffee.