Sophos has released an online Phish Threat Tester – security awareness testing and training for end users whose behaviour is responsible for over 90% of successful phishing attacks.
There are people who always lose or do the wrong thing – the weakest link in the chain. In a security sense, organisations need to identify them and take steps to eliminate that behaviour.
Sophos Phish Threat Tester can help organisations to eliminate – perhaps a poor choice of words – or rather reduce the impact of their largest attack vector: people.
Sophos says it educates and tests an organisation's end users through automated attack simulations, quality security awareness training, and actionable reporting metrics, and facilitates a positive security awareness culture.
Sophos acquired Phish Threat technology in late 2016 from penetration test and risk assessment consultancy Silent Break Security. It has since integrated the product into the Sophos Central platform.
Brady Bloxham, founder and former CEO of Silent Break Security, said, “I noticed a discrepancy between the way cyber-attacks were being conducted in the wild and what the private sector was calling a “penetration test”. We built Phish Threat to replicate the mindset of a real attacker, using the complicated methods and techniques in use today. This means assessments are modelled after potential attacks that organisations may face from real hackers. We also wanted to make it more transparent and easier for IT to collate and analyse results – something we hadn’t found in other tools.”
Bill Lucchini, senior vice president and general manager for the Sophos Cloud Security Group said, “Phishing has evolved in lockstep with the “Malware-as-a-Service” phenomenon. For years, criminals have disguised attacks in email and today SophosLabs sees phishing emails as a primary delivery method for ransomware payloads.”
“Preventing users from succumbing to phishing attacks can seem like an uphill battle. However, with Sophos Phish Threat, IT managers now have sophisticated, integrated threat intelligence that combines the strength of Sophos security technologies with a product that tests, trains and analyses human vulnerabilities. This creates a very powerful solution for businesses struggling to keep ahead of organised cybercrime and unwary end-users,” he added.
Sophos says that Phishing Training allows IT managers to more effectively address threat prevention by targeting risky user behaviour and creating a stronger security culture across the entire organisation.
While Sophos does not advocate it, “Name and Shame” of repeat offenders is a proven method to quickly change human behaviour, provided it is accompanied by equally achievable “fame” awards.
Mike Morrison, founder of RapidBi, is a change management specialist. He says “Name and Shame” puts the person on notice and should improve behaviour, but it has to be done in such a way that it does not publicly humiliate them.
He adds that in important cases you have only two choices – “change the people, or change the people” – and that you need to “train them” so that they change. Unfortunately, by this time it is often too late. So, if coaching and training does not change your people… you need to “change your people”.