Until recently, cybersecurity was approached largely as a technical problem with technical solutions. In recent years, however, the focus has broadened to include the human factor of cybersecurity.
A significant percentage of successful cyber attacks exploit users who click links to infected sites or open infected attachments. Commonly called phishing, these attacks look to convince the unsuspecting user to open what appears to be legitimate correspondence in their email inbox.
Companies are now struggling to provide adequate education to their employees that would help them to identify phishing attacks. The Intrepidus Group, a solutions and consulting company founded by Rohyt Belani and Aaron Higbee, seeks to help companies better educate their employees.
Aaron Higbee, CTO and co-founder of Intrepidus Group, recently told The New New Internet, “Our people are the first line of defense.”
Belani and Higbee founded the company following a number of years in security. As they observed the maturation of security in companies, they noticed a lack of focus on the human vulnerabilities within a company.
“One of the things they haven’t really been paying attention to and that hackers are really getting into these days, is the spear phishing vector, so going after human targets,” says Higbee.
Intrepidus Group provides a number of solutions, including Phishme.com, an anti-phishing training solution. The site provides an ongoing training platform that companies can use to train employees to spot phishing attacks.
The training scenarios can range from generic attacks, complete with spelling errors and lines like ‘you have a secret admirer at work,’ to phishing emails that utilize social engineering techniques.
An advantage of PhishMe is that employees are immersed in the real experience: they see “what a phishing email looks like in their inbox, what the URL looks like, and if they have clicked their way through, they get the education, as opposed to the traditional computer-based training where they just try to click through as fast as possible,” says Higbee.
In their testing, the Intrepidus Group has noticed that even generic phishing attacks have a relatively high success rate. One in four individuals would click the link in a generic phishing email the first time it was conducted, even when the email included spelling and grammatical errors.
They also noticed that with more customized phishing attacks (spear phishing), which either use social engineering or hijack a current trend (like the Haiti disaster), the first-time click rate is around 75 percent.
The success of phishing attacks appears relatively consistent across sectors as well. In a test with a security department at a large financial institution, over half of the information security professionals were taken in by the phishing attack.
Ultimately, the goal of Intrepidus Group is to help clients consistently drop that statistic until it is near zero. The model of Phishme.com is a subscription service that utilizes continuing education.
The services offered by Intrepidus Group span a variety of sectors and include public and private sector customers. Government contractors make up a significant portion of their clientele as well as members of the financial sector and law firms.
“They are starting to realize that the humans are the front line of defense now,” said Higbee.