Current phishing defense strategies and execution are not hitting the mark

Few professionals are completely confident in their ability to assess the effectiveness of their phishing awareness efforts.

In a new paper, Phishing Defense and Governance, released in partnership with Terranova Security, ISACA outlines key takeaways from this phishing research that reached security, assurance, risk and governance professionals, including:

• Only a slight majority (63 percent) regularly monitor and report on the effectiveness of their activities.
• 38 percent of respondents reported that their organizations develop security awareness collateral and anti-phishing materials internally.
• 85 percent of enterprises measure and regularly report on the effectiveness of their phishing awareness programs.

There is still a divide when it comes to organizations employing awareness activities such as email newsletters and online and in-person training, when compared to assessments of what employees have learned, through simulations and other knowledge-based tools.

Simulation is not a common component of phishing awareness and training, with only 57% of those surveyed saying they perform phishing simulation, and 25% reporting they use other active knowledge-based assessment of employee phishing behavior.

“Current phishing defense strategies and implementation are clearly not hitting the mark,” said Frank Downs, director of cybersecurity practices at ISACA. “Strengthening these defense activities and improving outcomes is within reach, but requires careful planning and execution, and eliminating any gaps in managing and implementing these security awareness initiatives internally and externally.”

Phishing Defense and Governance also examines the potential correlation between joint internal and outsourced collateral development and the increased ability to report and measure on effectiveness, as well as the ways in which external service providers can be used to help support phishing defense.

The white paper also provides some main areas of improvement where professionals should focus their attention when seeking to improve their phishing defenses, including:

• Ensuring the organization has the capability to validate user behavior modification (such as through a phishing simulation)
• Evaluating the outsourcing or co-sourcing relationships in place and determining where the organization has gaps in the quality of information it is receiving
• Setting clear goals for improvement and tracking to them

“Phishing attacks continue to grow each year both in number and in cost to organizations globally and countless new phishing scenarios are created every day,” said Theo Zafirakos, CISO at Terranova Security. “While human error continues to prevail as the leading cause of all breaches and security incidents, security professionals agree the most effective way to reduce human risk is with security awareness and phishing simulation training.”