The 2019 Verizon Data Breach Investigations Report (DBIR) found that 94% of all breaches are targeting people, underscoring the importance of a people-centric approach to cybersecurity. Phishing continues to be the No. 1 threat tactic in breaches, with attackers focusing heavily on social engineering to make users activate their attacks.
Companies that align their security efforts and security awareness training are the most successful at reducing their risk and protecting their organization. Here are the top three ways organizations can do this.
Bringing Together Email Security with Security Awareness
The business benefit: Proofpoint Security Awareness Training results in a median reduction in the annualized risk of phishing attacks by about 50%*
Email gateways are an incredibly important line of defense and advanced threat protection can detect and stop advanced threats. However, with social engineering threats like phishing and highly targeted attacks, your people are an additional line of defense if a message reaches your end user.
An important defense tactic is to align security awareness efforts with information from the email security team about who’s being attacked and what types of attacks are reaching users.
Proofpoint collects this target-focused information for Advanced Email Security customers in a Very Attacked People (VAP) report. The report reveals the different users within an organization who receive the highest volume and most dangerous threats.
Security awareness administrators can use the information about their VAPs to target training efforts and minimize risk. Additionally, they can use the information from the email security team about the attack type to tailor training programs to the changing threat landscape and provide more relevant content to protect and inform users. For example, from the Proofpoint dashboard above, you can see that the users such as the Scientist in Europe or Executive Assistant in China are in the top 30 list of targeted people. With this visibility, we know who should have extra resilience against attackers.
Aligning Incident Response with Security Awareness
The business benefit: Organizations can save hundreds of thousands of dollars on incident response full-time equivalent hires by automating the removal of user-reported messages**
We found only 15% of organizations give their users an email reporting tool to send the full content of suspicious messages to an abuse mailbox—the least-used tool in security awareness programs according to our survey in the 2020 State of the Phish. This type of tool provides security awareness administrators an opportunity to empower users and reduce their organization’s exposure to dangerous spear phishing attacks.
In addition, when reporting on security awareness, using data points such as “user-reported emails” can put your program in a more positive light compared to metrics like “click rate” or “failure rate” as it demonstrates user resilience. Administrators can gamify their program and reward users who report the most simulated or real phishing attacks. This approach of speaking about users as resilient rather than vulnerable is being utilized by our customers to elevate the security awareness training conversation and get buy-in at the board and executive level.
A key benefit of the Proofpoint solution is the reduced burden on incident response teams. One customer realized a $345,000 savings in a full-time incident response equivalent headcount over three years, which you can read more about in this Forrester Total Impact™ report. Our threat intelligence and dedicated URL and attachment sandboxing means user-reported messages are quickly classified as malicious or harmless and even offers teams the opportunity to automate response and provide customized emails back to users based on the message’s classification to close the loop and reinforce the behavior.
How Is Proofpoint Making Your Users Resilient?
Proofpoint’s people-centric approach to security means we’re leveraging the technology from our existing products to make Proofpoint Security Awareness Training more relevant to an organization’s threat landscape and more effective at improving overall security posture.
Learn more about how we’re bridging the technology and people divide in our webinar on February 26, 2020. A replay will be available shortly after the recording.
*Aberdeen Group Research: Small Investment in User Training, Large Reduction in Risk
**Forrester Total Economic Impact™ of Proofpoint Advanced Email Protection. Actual incident response savings will depend on the size of the organization and other factors.