With over 3 billion phishing emails sent a day, phishing is by far the most commonly used social engineering tactic. This is because it only takes a cursory search for threat actors to craft an email that’s specific enough to potentially fool their target. If they prioritize volume, at least one phishing email is bound to succeed.
Elevate research has found that just 4% of users cause 82% of phishing incidents. So if just a few people are susceptible to these attacks, why is phishing still such a huge problem? And is this something identity and access management can help with?
In this article, we’ll explore how simulated phishing tests aren’t as effective as their popularity would suggest, and how identity-based solutions might actually be your best chance at reducing phishing incidents within your organization.
Here’s Why Simulated Phishing Tests Aren’t Enough
Phishing simulations have become a standard practice for organizations looking to decrease their risk of an employee clicking on a potentially harmful link. And at face value, it makes sense.
Organizations see it as a way to measure how often their workforce might fall for an actual phishing attack. Knowing that a 0% clickthrough rate is implausible, they might set a benchmark that they are trying to hit for the year. Based on the results, they’ll try to draw insights on whether they should launch more phishing tests, reevaluate their training programs, or even fire employees who are more prone to failing the tests.
Ultimately, none of these measures actually reduces phishing incidents. Here’s why:
- Companies don’t have the right metrics in place. It’s less about the clickthrough rates and more about the distribution of risk. Remember, 4% of users cause 82% of phishing incidents. If companies can more effectively categorize their employees into risk groups, then they can give more attention to the people that really need it.
- Companies don’t know what to do with the data they collect. Knowledge is power—especially when it comes to cybersecurity. Still, if new actions aren’t being taken to respond to insights, what good are they? Simulated phishing tests are merely the means by which companies devise solutions—not the solution itself.
- Phishing tests often don’t simulate real life. There can be vast disparities in the quality of simulated phishing tests. Smart employees regularly sniff out a test that isn’t convincing enough, and several companies have gotten into hot water for using unethical methods in their tests. And even for employees who do fail the tests, follow-up training has often proven to be ineffective.
It’s not that simulated phishing tests can’t be a helpful component of a larger cybersecurity strategy, but companies will need to accept that no amount of simulation or training can prevent phishing incidents in a significant way. With the average business facing over 700 social engineering attempts a year, some are bound to slip through the cracks. When that inevitably happens, companies shouldn’t rely solely on the security awareness of their employees.
Identity and Access Management: The Last Line of Defense for Your Privileged Systems
Most of cybersecurity is accounting for a web of contingencies. It’s about having a game plan for even the worst case scenarios—combining multiple layers of security to give yourself a chance of stopping a breach beyond just the first point of entry. Identity and access management is a crucial piece of this philosophy.
Elevate Identity’s uniquely human-centered approach to identity and access management has empowered our clients with a more comprehensive solution for reducing phishing incidents:
“Elevate gives me a complete view of our team’s risk behavior and decision making across all domains, not just simulated phishing emails.”
—Manager, IT Security and Risk Management, Travel and Hospitality Industry
Here’s what sets it apart from other identity-based solutions:
- Identification of human risk. This is the guiding principle behind all of our solutions. Elevate’s ability to contextualize data gathered across your entire enterprise and individually score personnel based on risk allows for quick, informed decision-making.
- Risk triggers. Users who have displayed risky behavior—such as clicking on a phishing link—can automatically be added to a high-risk watch list and trigger an access governance review. This allows decision makers to make adjustments to that user’s access.
- Conditional access policies. This allows you to deny access to high-risk employees unless they meet requirements that you specify. Requirements might include logging in from a trusted location on a company-compliant device. In the case of phishing, this would prevent a threat actor with compromised credentials from making it any further.
- Incident triage. If a user has been compromised, decision makers are alerted and can instantly revoke that user’s access to systems.
- Flexible automation controls. Through an easy-to-use interface, decision makers can create extensive, granular rules that automate identity and access management decisions for each individual user in the enterprise.
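As an added illustration, not Elevate’s code or a description of how its product is implemented, the following Python sketch ties the controls above together: per-user risk scoring from phishing-click events, a watch list that marks users for an access review, and a conditional access check that only lets a watched user in from a trusted location on a compliant device (or not at all once access has been revoked). The events, threshold and field names are constructed for the example.

```python
# Added example (not Elevate's code): a minimal risk-based access policy
# built from the three controls described above.
from collections import Counter
from dataclasses import dataclass

HIGH_RISK_THRESHOLD = 2  # assumed: two or more phishing clicks => high risk

# Constructed sample events: (user, event_type). Only phishing clicks add risk;
# reporting a phish is the behaviour we want and adds nothing.
EVENTS = [
    ("alice", "phish_click"), ("alice", "phish_report"),
    ("bob", "phish_click"), ("bob", "phish_click"), ("bob", "phish_click"),
    ("carol", "phish_report"), ("dave", "phish_click"),
]


def risk_scores(events):
    """Score each user by the number of phishing links they clicked."""
    return Counter(user for user, kind in events if kind == "phish_click")


def watch_list(scores, threshold=HIGH_RISK_THRESHOLD):
    """Risk trigger: users at or above the threshold are flagged for an
    access governance review and get stricter access conditions."""
    return {user for user, score in scores.items() if score >= threshold}


@dataclass
class LoginContext:
    user: str
    trusted_location: bool   # e.g. corporate network or office
    compliant_device: bool   # e.g. managed, patched, disk-encrypted


def access_decision(ctx, watched, revoked=frozenset()):
    """Conditional access policy.

    A revoked user (incident triage) is always denied. A watched user must
    satisfy both requirements, so a phished password alone does not get a
    threat actor any further. Everyone else is allowed."""
    if ctx.user in revoked:
        return "deny"
    if ctx.user in watched and not (ctx.trusted_location and ctx.compliant_device):
        return "deny"
    return "allow"


if __name__ == "__main__":
    watched = watch_list(risk_scores(EVENTS))
    print("watch list:", sorted(watched))  # ['bob']
    print(access_decision(LoginContext("bob", False, True), watched))   # deny
    print(access_decision(LoginContext("bob", True, True), watched))    # allow
```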
Effective identity and access management can save a headache even after one of your users has fallen victim to a phishing attack. Elevate Identity’s proactive, human-centered controls help you prevent escalations from occurring.
Final Thoughts
If you’ve decided that your simulated phishing program isn’t cutting it, we’ve got you covered. Consider checking out our other solutions—Elevate Engage and Control—to fully understand how a multi-layered approach to security can drastically improve your chances against phishing attacks. We could be the security partner for you—request a demo and see how we can elevate your security program at scale.