You can view the recorded webinar here: http://bit.ly/1K84eyf Phishing continues to pose a growing threat to the security of industries of every kind — from financial organizations to government contractors to healthcare firms. Today’s savvy phisher manages to evade even the most significant safeguards through carefully planned, socially engineered email phishing attacks. In fact, according to Verizon’s Data Breach Investigations Reports, 95% of all espionage attacks and nearly 80% of all malware attacks involve phishing. And people — your internal users — are the largest and most vulnerable point of entry. To provide an idea of where — and how — organizations make themselves most vulnerable to phishing attacks, ThreatSim presented a one-hour live webinar that covered: -A look at our annual State of the Phish report, including analysis and metrics on how and why end users are vulnerable to phishing and how to address the problem -What your peers are doing, whether it is working, and what you should be doing -Data and analysis of click and open rates from millions of simulated email phishing campaigns, including: mobile use in the workplace and who’s most vulnerable, browser and plugin stats, and platform data across industries -Insight into what proactive organizations are doing to better train their end users to identify and avoid phishing attacks Learn how to plug one of, if not the biggest hole in the security of your organization. You can view the recorded webinar here: http://bit.ly/1K84eyf

1. State of the Phish:
What You Should Know About
Trends, Training, and Results
Don’t just check the box. Move the needle.

2. © Copyright ThreatSim 2015, All rights reserved. 2
2015 State of the Phish Report

3. © Copyright ThreatSim 2015, All rights reserved.
The slide where I talk about myself
Trevor Hawthorn, CTO and co-founder at ThreatSim (Reston, VA USA)
Previous: Stratum Security, Cybertrust/TruSecure/Verizon Business, UUNET,
Earthlink
Technical hands-on security work for 18 years
Incident response, Former QSA, Network and App Pen-tester…

4. © Copyright ThreatSim 2015, All rights reserved. 4
Verizon Data Breach Report: Impact of Phishing on Businesses

5. © Copyright ThreatSim 2015, All rights reserved.
Industry Survey: Are you being phished, increasingly?
Yes
No
Increasing
Staying about
the same as
years past
Decreasing
Have you experienced a phishing attack in the last calendar year?
Is the rate of phishing attacks against your
organization increasing?

6. © Copyright ThreatSim 2015, All rights reserved.
Industry Survey: How are you impacted?
What, if any, of the following impacted your organization?
Loss of data
Compromised
accounts
Malware infections
Other

7. © Copyright ThreatSim 2015, All rights reserved. 7
Why do you have to do something about it?
“Consumerization” of IT –
Thanks a lot, Apple.
Consumers-like services in the
enterprise.
Next generation of workforce
will expect always-on, always-
connected, ability to share, and
collaborate. It’s like they hate
security or something.
Increasing reliance on users to
make good security decisions.
You’re not always going to be
there for them.
Integration of user behavior
analysis with other “security
stuff” (e.g. threat intel feeds)
Fig 1: Security professional in the wild

8. © Copyright ThreatSim 2015, All rights reserved. 8
2015 SotP Data: Open Rate vs. Click Rate 2013-2014

9. © Copyright ThreatSim 2015, All rights reserved. 9
2015 SotP Data: Decreasing Click Rates Over Time

10. © Copyright ThreatSim 2015, All rights reserved.
Industry Survey: Reduction in Click Rates Through Training
What percentage reduction have you achieved?
76-100%
26-50%
51-75%
Unsure/Still testing

11. © Copyright ThreatSim 2015, All rights reserved. 11
2015 SotP Data: Measurable Phishing Risk Reduction

12. © Copyright ThreatSim 2015, All rights reserved. 1
2
2015 SotP Data: Sharpening the Spear

13. © Copyright ThreatSim 2015, All rights reserved. 13
Email received First click
2015 SotP Data: Median time to first click, all campaigns
82 secs

14. © Copyright ThreatSim 2015, All rights reserved. 14
2015 SotP Data: Which phishing email types get the most clicks?

15. © Copyright ThreatSim 2015, All rights reserved. 15
2015 SotP Data: Mobile click rates, iOS vs. Android

16. © Copyright ThreatSim 2015, All rights reserved.
Industry Survey: What Your Peers are Doing
Which of the following activities are used in training your end users on how to
identify and avoid phishing messages, in addition to phishing simulation exercises?

17. © Copyright ThreatSim 2015, All rights reserved. 17
Self-Serving Slide: Why quick simulation training works
“Train as you fight"
The training is delivered seconds after the user performs the
action you wish to correct
It’s quick (on average 0:43 seconds)
It allows you to persist your message over time (monthly, etc.)
Bite-sized training content (get to the point)
Security awareness training is marketing — drive the target to a
specific behavior or action
IT’S MEASURABLE. METRICS EVERYONE! METRIIICCSSS!!

18. Connect with us
13800 Coppermine Rd.
Suite 302
Herndon, VA 20171
888-687-1337
info@threatsim.com
http://threatsim.com
info@threatsim.com
threatsim.com/demo
@threatsim
Q&A / Discussion
View the recorded
webinar here:
http://bit.ly/1K84eyf