Lise Lapointe, Author at Microsoft Security Blog

Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity
http://approjects.co.za/?big=en-us/security/blog/2020/12/16/terranova-security-gone-phishing-tournament-reveals-continued-weak-spot-in-cybersecurity/
Wed, 16 Dec 2020 17:00:34 +0000

See which industries had the highest click rates, as well as results sorted by organization size, previous training, and more.

The post Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity appeared first on Microsoft Security Blog.

The Terranova Security annual Gone Phishing Tournament™ wrapped up in October 2020, spanning 98 countries and industries including healthcare, consumer goods, transport, energy, IT, finance, education, manufacturing, and more. Using templates created from actual phishing attacks created by Microsoft Security, Terranova Security Awareness Training draws on principles of behavioral science to create content that changes user behavior. True to our mission, this year’s results reveal a lot about the state of cybersecurity at the human level—your organization’s first line of defense.

Tournament results

Terranova Security’s Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October to coincide with National Cybersecurity Awareness Month. The Tournament tests real-world responses using a phishing email modeled on actual threats provided by Attack Simulation Training in Microsoft Defender for Office 365 (Office 365 Advanced Threat Protection). Click rates are segmented by industry, organization size, region, web browser, and operating system.

Using a template created from real phishing attacks, translated into 11 languages across 98 countries, the 2020 Gone Phishing Tournament revealed that organizations are taking phishing threats seriously, but with mixed results.

“There’s increasing crossover between our personal and work activities online. That’s why cybersecurity education and training needs to be an ongoing commitment.”—Vasu Jakkal, CVP, Security, Compliance and Identity Marketing, Microsoft


Figure 1: Password submission by industry

The average password submission rate across industries was 13.4 percent, with education employees taking the bait least often at just 7.9 percent. The highest password submission rate was among public sector employees at 20.7 percent.


Figure 2: Click and password submission rates by the size of the organization

The tournament results also showed there was not a great deal of variation when comparing organizations of varied sizes. For example, there was only a 9.2 percent difference in the number of people who clicked the phishing link and submitted passwords at organizations of fewer than 100 people, compared with those consisting of more than 3,000 employees. The results show that phishing attacks are not just a threat for smaller organizations with less sophisticated cybersecurity training—large organizations were even more vulnerable.

Ongoing attacks

In the new world of remote work, your people are your perimeter. Phishing provides hackers with a low-cost, low-risk form of social engineering with a potentially big payoff in the form of stolen passwords, leaked credentials, and access to sensitive data and intellectual property. Throughout 2020, opportunistic cybercriminals have been preying on distracted, overstressed remote workers by introducing COVID-19-themed phishing lures. The World Health Organization (WHO) has referred to the ongoing COVID-19 themed phishing attacks as an “infodemic.” By the summer of 2020, the Federal Trade Commission (FTC) had already recorded over 59,000 coronavirus or stimulus-related complaints resulting in over $74 million in losses.

The National Cyber Security Alliance (NCSA) is pushing back against the rise in cybercrime by building strong public and private partnerships that empower users to stay secure online.

“The Phishing Benchmark Global Report reinforces the need for the current work being done by organizations like Microsoft, Terranova Security, and the National Cyber Security Alliance. Real-world phishing simulations and engaging security awareness training help make organizations, employees, and everyday citizens aware of the growing risk of social engineering and phishing emails. We will continue working in partnership with industry and government to empower the global community towards becoming one that is more cyber aware.”—Kelvin Coleman, Executive Director of NCSA

Not all security awareness training is alike

To defend against increasingly sophisticated cyber threats, organizations need real-world training as a comprehensive internal campaign. Terranova Security Awareness Training includes gamification and interactive sessions designed to engage and can be localized to different geographies around the world.

Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, integrates simulations, training, and reporting. Terranova Security is excited to partner with Microsoft to deliver this differentiated, industry-leading solution, allowing our customers to detect, prioritize, and remediate phishing risk across their organizations. With Attack simulation training, customers can:

  • Simulate real threats: Detect vulnerabilities with real lures and templates—automatically or manually send employees the phishing emails attackers have used against your organization. Then, reach out to users who fall for a phishing lure with personalized training content.
  • Remediate intelligently: Quantify social engineering risks across employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impacts. User susceptibility metrics trigger automated repeat-offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human security system with targeted training designed to change employee behavior. Training can be customized and localized, including simulations tailored to your employees’ contexts—region, industry, function—with granular conditionality on harvesting. Cater to diverse learning styles with interactive nano-learning and micro-learning content.

If there is a common thread to be found in this year’s Gone Phishing Tournament results, it is that organizations of every size need to make integrated attack simulation and training a cornerstone of their cybersecurity program. Cybercriminals do not take days off, and neither should your simulation and training program.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

How to detect and mitigate phishing risks with Microsoft and Terranova Security
http://approjects.co.za/?big=en-us/security/blog/2020/08/25/detect-mitigate-phishing-risks-microsoft-security/
Tue, 25 Aug 2020 16:00:02 +0000

Mitigate your phishing risk with comprehensive training and security threat intelligence.

The post How to detect and mitigate phishing risks with Microsoft and Terranova Security appeared first on Microsoft Security Blog.

Detect, assess, and remediate phishing risks across your organization

A successful phishing attack requires just one person to take the bait. That’s why so many organizations fall victim to these cyber threats. To reduce this human risk, you need a combination of smart technology and people-centric security awareness training. But if you don’t understand your vulnerabilities, it can be difficult to know where to start. Attack simulation training capabilities in Office 365 Advanced Threat Protection (Office 365 ATP) empower you to detect, assess, and remediate phishing risk through an integrated phish simulation and training experience. And, in October 2020, you can get true phishing clickthrough benchmarks when you register for the Terranova Security Gone Phishing Tournament™.

Terranova Security is a global leader in cybersecurity awareness training that draws on principles of behavioral science to create training content that changes user behavior. Through a partnership with Microsoft, Terranova Security is able to enrich our training programs with insights from the Microsoft platform, while Microsoft leverages our content and technology in Microsoft Office 365 Advanced Threat Protection (Office 365 ATP).

Today’s blog shares how the Gone Phishing Tournament helps you baseline against your industry and peers, and how Office 365 ATP Attack Simulation training can help you mitigate the risk of a phishing-related data breach.

How does your risk of being phished stack up?

Cybercriminals exploit human psychology to trick users, which is why they introduced COVID-19-themed phishing lures in the early days of the pandemic. Many employees are working from home for the first time and have children and other family members competing for their attention. Bad actors hope to trick employees when they are busy and stressed. Although it’s understandable why people accidentally act on phishing campaigns, there is an opportunity to turn your employees into your first line of defense. When people understand how phishing campaigns work, your organization is more secure.

An image showing typical malware campaigns before and after.

The Gone Phishing Tournament will give you valuable insight into how well employees understand phishing. The Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October. The tournament leverages a phishing email based on real-world threats provided by Attack simulation training in Office 365 ATP and localizes it for your audience. After you register, you can select the users you want to include in the phishing simulation. We run the simulation for a set number of days using the same template, so you get an accurate assessment of how you compare to peer organizations. At the end of the tournament, you’ll receive a personalized click report and a global benchmarking report.

Empower employees to defend against phishing threats

Phishing simulations are a great way to educate employees about phishing threats, but to shift behavior you need a regular program that includes targeted education alongside simulations. Terranova Security’s awareness training, which will soon be available in Office 365 ATP, takes a pedagogical approach with gamification and interactive sessions designed to engage adults. It is localized for employees around the world and complies with web content accessibility guidelines (WCAG) 2.0.

Later this year, Office 365 ATP Attack Simulator and Training will launch integrated with Terranova Security awareness training. You’ll be able to take advantage of comprehensive training benefits that will help you measure behavior change and automate design and deployment of an integrated security awareness training program:

  • Simulate real threats: Detect vulnerabilities with real lures and templates for accurate risk assessment. By automatically or manually sending employees the same emails that attackers have used against your organization, you can uncover risk. Then, target users who fall for phish with personalized training content that helps them connect what they learned with real-world campaigns.
  • Remediate intelligently: Quantify social engineering risk across your employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impact of training. Using user susceptibility metrics, you can trigger automated repeat offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human firewall with hyper-targeted training designed to change employee behavior. Training can be customized and localized to meet the diverse needs of employees. Tailor simulations to your employees’ contexts—region, industry, function—with granular conditionality on harvesting. You can also cater to diverse learning styles and reinforce awareness with interactive nano-learning and micro-learning content.

In the new world of remote work, it has become clear that your people are your perimeter. Attack simulation training in Office 365 ATP, delivered in partnership with Terranova Security, can help you identify vulnerable users and deliver targeted, engaging education that empowers them to defend against the latest phishing threats. Look for a future blog from me at the beginning of Cybersecurity Awareness Month that will discuss in more detail how to train your employees on security. In the meantime, register for the Terranova Security Gone Phishing Tournament in October 2020.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
