Little Phish in A Big Pond: Why Phishing Training Matters in Small Institutions

By: (Security +)

Publication: The Kansas Banker, April/May 2016

 

“Dear Jerrod, you are receiving this email because you recently requested a password reset or unlock of your account. If you didn't make this request, it's likely that another user has entered your email address by mistake and your account is still secure. If you believe an unauthorized person has accessed your account, you should change your password as soon as possible by going to Your Account.”

Clicking the link in a message like the one above could change your business. Phishing is nothing new, but the targets have changed. In 2015, a new pattern emerged in which the target of phishing switched from bank customers to bank employees. Most people might think that only the largest banks are at risk from phishing campaigns, especially spear-phishing attacks in which specific employees are targeted. However, over the past ten years “puddle-phishing,” or phishing attacks on smaller banks, has been on the rise. In our own security testing in 2015, we found that employees at smaller banks (holding <$250M) failed phishing tests 24% of the time. Some believe this may be due to a lack of adequate resources to defend against attacks. Fortunately, because employees are a captive audience, there are strategies that can help mitigate the risk to a financial institution.

In 2008, Carnegie Mellon conducted a study into the effectiveness of employee training to guard against phishing. The study came to two major conclusions: (1) employee training increases the rate at which users do not click on a phishing link; (2) the effectiveness of the training is strong for about seven days. I doubt anyone would question the fact that training is important; the issue is how often the training is conducted. Many institutions train on anti-phishing only once per year or when a new employee is hired. Research shows such training is not sufficient to properly mitigate the risk phishing poses. It would be much more effective to train at least once a month. The goal is repetitious training and practice, so that detecting suspicious emails becomes second nature for employees.

Training does not have to mean a full-day session and missed time from work. Most training sessions can take place online or face to face in about ten to fifteen minutes. Training can take the form of an online module, a short video, a one-on-one conference, or practice phishing emails with interactive training. The benefits of short, frequent training far outweigh the consequences of a compromised system or employee account.

All of the major security companies, such as Fortinet, Trend Micro and McAfee, agree on one thing: phishing schemes will continue to grow in quantity and sophistication. In a recent survey by the Information Systems Audit and Control Association (ISACA), 57% of respondents believe that social engineering will continue to be a threat to their organization. Small banks may not have the resources to buy the latest and greatest hardware and software solutions, but they do have the ability to work more effectively with their greatest asset: employees. The last line of defense for an institution of any size is its people. Small banks can change their procedures more quickly and work with their employees more closely to recognize and report suspicious emails. The same kind of individual-focused, personal interaction that gives community banks a customer service advantage over large institutions can also give you an advantage in preventing phishing attacks. It is important to remember that phishing attacks continue to rise because they work. Your staff can be trained not to “bite,” and the impatient phisher will be forced to move on to more promising ponds.