Last November I was asked to make a couple of cybersecurity predictions for 2018, and while it’s only February, it sure appears that one of my primary predictions hit the nail on the head:
“Sensing the frustration of their customers and realizing how complex phishing emails have become, both secure email gateway and computer-based employee awareness and training program providers will accelerate the consolidation of their respective market sectors through mergers and acquisitions that can cover gaps in their existing services and solutions such as automation and orchestration.”
Since the calendar flipped, Barracuda Networks has announced its acquisition of PhishLine to add what it said were new capabilities to deliver integrated, adaptive security awareness training. Additionally, Proofpoint recently announced its forthcoming acquisition of Wombat Security to “provide the industry's first-ever integration of market-leading protection and awareness offerings.” Microsoft also announced an attack simulator feature for Office 365.
The M&A activity comes on the heels of security vendors such as Trend Micro and Sophos consolidating their offerings with computer-based training (CBT) modules to help educate staff on the latest security issues and vulnerabilities. Sophos even offers customizable security training programs that can include a program guide, employee handbook, online videos, buy-in documents, hands-on technical workshops, and webinar-based training sessions.
For years we’ve heard cybersecurity “experts” pontificate about the necessity of phishing awareness and training, proclaiming that all organizations, regardless of size, location or revenue, should invest time, money and resources in phishing prevention education for all employees. The business community has largely followed that advice, and as a result is expected to pour $10 billion into security training and awareness solutions by 2027, according to Cybersecurity Ventures. However, recent M&A activity suggests such projections might need to be revised.
Phishing Awareness & Training Tools Have Not Met Expectations
Not many in security want to admit the reality that the mass investment in security awareness training tools and modules has not translated into transformational improvements in phishing mitigation. Today, phishing continues to be the root cause of approximately 95 percent of all cyberattacks worldwide. The growing frequency of modern advanced persistent threats (APTs), business email compromise (BEC) and ransomware attacks has made it all but impossible for preoccupied employees to single-handedly spot malicious emails on a recurring basis.
Just how bad has the phishing epidemic gotten in spite of the prevalence of phishing awareness and training programs? Here are some data points to consider:
- According to SC Magazine UK, 96 percent of businesses were hit with BEC attacks in the second half of 2017.
- During the first six months of 2017, the Anti-Phishing Working Group (APWG) identified more than 590,000 unique email phishing attacks and hundreds of thousands of illegitimate phishing websites.
- According to the Symantec 2017 Internet Security Threat Report, more than 400 businesses are targeted with business email compromise (BEC) scams every day, and ransomware attacks increased by 35 percent.
Additionally, IRONSCALES’ internal data, which is based on the analysis of more than 7,000 simulated email phishing campaigns, reveals that:
- Only up to 10 percent of lured employees voluntarily take training without being consistently reminded.
- Click rates fall while the initial benchmark phishing awareness training campaigns run, but they begin to rise again once those campaigns conclude, and one year after the program starts they are back at their original benchmarks of 20-50 percent.
With 239 billion emails sent worldwide each day, humans are simply no match for the volume and variety of today’s email phishing techniques. Sure, there is some value in employees gaining a baseline of phishing knowledge, but organizations must be realistic about the ROI of such training.
CISOs’ Frustration with Point Solutions Drives Market Consolidation
Others and I have written extensively about the myths of security awareness training that vendors don’t want the public to know, and about the impossibility of training employees well enough that they never miss a single malicious email. After all, it only takes one small mistake by an employee to circumvent even the most complex and advanced security systems. So, aside from phishing’s continued success, what is prompting the consolidation movement to gain steam? That’s simple: frustration with point (imperfect) solutions.
One of the primary shortcomings of phishing awareness and training is that it is merely a point solution whose success is predicated on changing human behavior. Putting the daunting task of changing human behavior aside, point solutions have come under increasing scrutiny for their inability to serve as a holistic phishing risk mitigation solution.
An article in CSO noted that many security point tools aren't designed to communicate with one another. This leaves it to humans to bridge the gaps in intelligence and communications, and that requires more training and support for deployment and configuration. "More tools, more needs...there simply aren't enough eyeballs, hands or hours in the day to make this jerry-rigged security model work," the CSO article said.
But even if and when a trained employee does spot a malicious email, security awareness and training tools provide no recourse for remediation. Employees must simply submit their finding to the SOC team, which can have weeks’ worth of phishing email backlogs to investigate. During that time, the same phishing email remains in other employees’ inboxes and the threat remains active.
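The remediation gap above is concrete: one report tells you about one copy, while the same lure usually sits in many other inboxes, often with a personalized subject line. The following is an added example, not IRONSCALES product code, of the matching step an automated response would need before it can quarantine the other copies. It fingerprints a reported message on the indicators attackers tend to keep constant across recipients (URLs, attachment hashes, and sender plus normalized subject for URL-less BEC lures) and searches a set of mailboxes for every match. The mailboxes and messages are constructed in-memory samples, and the matching rules are assumptions to be tuned for a real estate.

```python
"""Find every copy of a reported phishing email across mailboxes.

Added example (not IRONSCALES code). Mailboxes are constructed in-memory
RFC 5322 messages; the fingerprint and matching rules are assumptions.
"""
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate every text/* part so URLs in plain and HTML bodies are both seen."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself for single-part mail
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _attachment_hashes(msg: Message) -> frozenset:
    """SHA-256 of each attachment body; the filename is ignored (attackers rename freely)."""
    return frozenset(
        hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        for part in msg.walk()
        if part.get_filename()
    )


def _norm_subject(subject: str) -> str:
    """Lowercase, drop leading Re:/Fw:/Fwd: prefixes, collapse whitespace."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip().lower())
    return " ".join(s.split())


def fingerprint(raw: str) -> dict:
    """Extract the attributes a campaign tends to keep constant across recipients."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    urls = frozenset(u.rstrip(".,);").lower() for u in URL_RE.findall(_body_text(msg)))
    return {
        "sender": sender.lower(),
        "subject": _norm_subject(msg.get("Subject", "")),
        "urls": urls,
        "attachments": _attachment_hashes(msg),
    }


def matches(reported: dict, candidate: dict) -> bool:
    """A shared URL or attachment hash is a strong indicator regardless of sender.
    For URL-less BEC lures ("are you at your desk?"), fall back to the same sender
    address and the same normalized subject. Assumption: tune these rules per estate."""
    if reported["urls"] & candidate["urls"] or reported["attachments"] & candidate["attachments"]:
        return True
    return reported["sender"] == candidate["sender"] and reported["subject"] == candidate["subject"]


def find_copies(reported_raw: str, mailboxes: dict) -> list:
    """Return (mailbox owner, message index) for every message matching the reported lure."""
    ref = fingerprint(reported_raw)
    return [
        (owner, i)
        for owner, messages in mailboxes.items()
        for i, raw in enumerate(messages)
        if matches(ref, fingerprint(raw))
    ]


def _msg(from_: str, to: str, subject: str, body: str) -> str:
    """Build a minimal constructed RFC 5322 message for the sample mailboxes."""
    return (f"From: {from_}\nTo: {to}\nSubject: {subject}\n"
            f"Content-Type: text/plain; charset=utf-8\n\n{body}\n")


# Constructed sample data: the lure Alice reported, and four colleagues' inboxes.
REPORTED = _msg("CEO <ceo@examp1e-corp.com>", "alice@example.com", "Urgent: wire transfer",
                "Please pay the attached invoice at http://examp1e-corp.com/invoice today.")

MAILBOXES = {
    "bob": [  # same URL, personalized subject, trailing punctuation on the link
        _msg("CEO <ceo@examp1e-corp.com>", "bob@example.com", "Bob - need this paid now",
             "Invoice: http://examp1e-corp.com/invoice."),
        _msg("News <newsletter@vendor.example>", "bob@example.com", "Weekly digest",
             "Read more at https://vendor.example/news"),
    ],
    "carol": [  # same spoofed domain but a different lure: not a copy of this report
        _msg("IT Desk <it@examp1e-corp.com>", "carol@example.com", "Password expiry",
             "Reset at http://examp1e-corp.com/reset"),
    ],
    "dave": [  # same malicious URL sent from a different address
        _msg("Payroll <payroll@example.com>", "dave@example.com", "Invoice",
             "See http://examp1e-corp.com/invoice"),
    ],
    "erin": [  # URL-less BEC variant: same sender and subject, no indicator in the body
        _msg("CEO <ceo@examp1e-corp.com>", "erin@example.com", "Urgent: wire transfer",
             "Are you at your desk? I need a favor."),
    ],
    "frank": [  # a colleague's reply about the lure: must not be quarantined
        _msg("Bob <bob@example.com>", "frank@example.com", "Re: Urgent: wire transfer",
             "Did you get this too? Looks fake."),
    ],
}

if __name__ == "__main__":
    for owner, idx in find_copies(REPORTED, MAILBOXES):
        print(f"copy of reported lure in {owner}'s mailbox, message #{idx}")
```

Running the block prints hits for bob, dave and erin and nothing for carol or frank. The quarantine action itself is deliberately left out: how you pull a message depends on the mail platform's API, and the matching logic is the part that decides whether automation helps or deletes legitimate mail.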
In response to today’s threat landscape and the shortcomings of point solutions like phishing awareness and training tools, chief information security officers (CISOs) are adjusting their strategies to automate security incident response. Many are also consolidating the number of cybersecurity vendors they do business with, requiring new solutions that integrate more broadly and can operate with other security technologies. Legacy phishing awareness training companies do not fit into this mix, which is pushing the consolidation trend into hyperdrive.
Ultimately, CISOs and security teams must empower their organizations with the tools and techniques to fight the phish at every phase of the attack lifecycle, while always assuming that attacks will subvert the prevention phase. This simply cannot be accomplished by point solutions alone, which is largely why phishing awareness and training has produced more bark than bite. Rumors of other phishing awareness and training companies looking to exit are gaining steam, and I don’t think it will be long until more follow suit or risk becoming obsolete.
Eyal Benishti, Founder & CEO of IRONSCALES
Image Credit: wk1003mike / Shutterstock