Background
As one of the biggest home protection brands in North America, ADT Security Services is synonymous with security. When it came to building their enterprise-wide phishing defense program, the company knew it needed to partner with a proven leader with the ability to scale to meet ADT’s evolving security needs.
Cofense quickly became the clear choice as ADT’s partner in phishing defense. Jerry Magginnis, an ADT security architect, was familiar with Cofense’s phishing simulation and behavior conditioning technology, having worked with the vendor at a previous job. There, he had seen Cofense PhishMe® significantly decrease phishing attacks. “When I joined ADT, I shared my previous experience and success with Cofense with my new management team,” he recalls.
Challenges
As a large organization with more than 20,000 employees across North America, Magginnis says ADT needed an industrial-strength solution to help prevent phishing attacks.
Cofense PhishMe is an easy-to-use and effective SaaS solution that instructs users on the dangers of phishing by periodically testing them with simulated phishes and supplying immersive training content for users during the simulation. When users receive a simulated phish, they must decide whether the email is legitimate or report it as a suspected phish. This teaches them to recognize the telltale signs of phishing emails, and soon they become adept at identifying and reporting phishes.
Having worked with Cofense before, Magginnis was familiar with the content quality and scalability that Cofense provides, so he didn’t hesitate to recommend it when the subject was raised. Still, ADT had to issue an RFP as per company policy. Tom Dennison, Chief Information Security Officer at ADT, was involved in the early RFP stages, but soon identified that Cofense stood out from the competition. “It simply came down to who is the most advanced in the industry and who is the most effective,” notes Dennison. “We felt that Cofense is the clear leader in this space.”
Solutions
Smooth Rollout
Having made the decision to implement Cofense PhishMe, ADT developed a phased rollout plan that included an initial implementation limited to the 20 members of the IT security department. A rollout to the 200-employee IT staff followed. The next phase covered about 1,000 employees at company headquarters, after which Cofense PhishMe was implemented company-wide. Currently 21,000 employees are using it, and another 4,000 from a recent acquisition soon will be added.
This methodical approach allowed the security team to evaluate users’ responses and make adjustments as needed. “You want to make sure that you have a successful launch, and that you’ve worked out all the details,” Magginnis says.
Thus, the user adoption for Cofense across the organization has been quite positive. If the launch went awry, it would irritate users, who would question the program’s value, he says. “You really want people to embrace it and feel they’re getting value as opposed to being bothered by it. We involved all the tech teams, and the legal and HR staff as well. They all felt all involved. And since we did that early, they all felt like they were partners in the process.”
That’s why the security team started small – and used itself as guinea pigs. “Along the way, we kind of worked out any potential issues and decided what the future content of the program was going to be,” Magginnis says.
The first simulation brought relief and confirmation because the solution worked “exactly like you think it’s going to work” and proved to be “as easy as it looks,” Magginnis adds. “That’s a huge feeling of success.”
Crafting Successful Scenarios
That first simulation targeted the security team and consisted of a fake email pretending to be an installation of Microsoft Office 365, which the company was in the midst of rolling out. It was a custom scenario created by the security team – one they knew would work well. ADT has since used a combination of custom and Cofense pre-set scenarios in subsequent simulations. With each one, Magginnis says, susceptibility to phishing has decreased.
In addition to Cofense PhishMe, ADT has rolled out Cofense Reporter®, which organizes and normalizes user reports of phishing attempts to strengthen threat-detection capabilities. Reporter works by placing a button on emails that users can click whenever they suspect a phish. The email is then routed to the security team, which checks if it is a simulation, a legitimate email or a phish.
Before deploying Cofense Reporter, users had to create attachments of suspicious emails that they then would send to the security team. “That’s quite a bit to ask of most users – and not always done correctly.” The button makes the whole process easier, and users get an immediate response after clicking it. When users correctly report a simulated or real phish, they receive a “job well done” acknowledgment.
Business Results
Quick ROI
The anti-phishing program has been well received, Magginnis says. “From our CEO on down, everyone recognizes the value of this because even the executives themselves have been subject to phishing attacks.”
Dennison and other technology management have been so pleased with the initial anti-phishing program that approvals have been granted to expand the program. ADT is exploring adding Cofense Triage, which automates prioritization, analysis and response to phishing threats. “Improving our incident response efforts is a major priority for us,” notes Dennison. “Cofense Triage provides opportunities to clearly automate and prioritize threats that could positively impact incident response times.” The company also has augmented its anti-phishing efforts by asking users to take advantage of Cofense’s complimentary computer-based training modules explaining the dangers of phishing.
As for a return on investment, the Cofense solutions already have proven their worth by reducing staff time allocated to responding to phishing threats. According to Magginnis, those staff hours have been cut in half. “This isn’t conjectured. We’ve made the calculations based on the lost productivity due to time spent by the mail, proxy and SOC groups on phishing attack responses.”
Conclusion
Magginnis enjoyed a positive experience working with Cofense staff and engineers taking the anti-phishing program from deployment to maturity. “Since the initial rollout, the Cofense support team has proven always helpful and accessible, making sure we’re crossing all the Ts and dotting the Is. The results speak for themselves.”
Magginnis has high praise for the Cofense team. “There seems to be a special culture at Cofense. You find people that genuinely care and put the word ‘partner’ back into the relationship. We’ve really partnered with Cofense because they’re willing to do whatever it takes to help us create an anti-phishing culture at ADT.”
Thanks to the combination of technology and people, Magginnis would be glad to recommend Cofense to any of his peers.
Summary
AES turned to Cofense to support their awareness testing of 19,000 employees and contractors across 17 countries in multiple languages. Using a combination of Cofense PhishMe® and Cofense Reporter®, AES has seen strong improvements in the recognition of suspicious emails, decreasing its workforce’s susceptibility while increasing the reporting of real phishing threats.
Background
The AES Corporation is a Fortune 200 multinational energy company that generates and distributes electricity across 17 countries and four continents using a broad portfolio of fuels and technologies, including market-leading battery-based energy storage. With revenues of $14 billion and $36 billion in assets, AES has a workforce of 19,000 employees and contractors.
Challenges
With locations, employees and cyber-defenses scattered throughout the world, AES needed effective and easily customized anti-phishing training support. This meant running phishing simulations to condition employees who speak many different languages — English, Spanish, Portuguese, Vietnamese and Bulgarian, to name a few—and who work in diverse environments with varying cybersecurity regulations.
“Cofense recently reported that 91% of cyberattacks start with a phishing email,” says David Badanes, Director of Cybersecurity Strategy at AES. “On the defensive side, we have to be right 100 percent of the time. Conditioning our people not to click malicious emails is critical to our primary value of safety.”
The Cofense PhishMe Difference
Before deploying Cofense PhishMe in 2016, AES worked with a different anti-phishing solutions provider. “The results were unremarkable,” recalls Goodhart. “But then we were introduced to Cofense, and the level of sophistication in their approach was apparent. It’s the difference between saying something and building a culture around something. Because of our partnership with Cofense, I now have employees who are much more skilled at identifying phishing emails.”
Multi-language Support
Currently, 19,000 people in 17 countries are being trained to recognize and report phishing threats. With each simulation, AES personnel become more adept at spotting potential phishing indicators such as misspellings, unnecessary hyperlinks and attempts to play on people’s emotions.
“What’s especially impressive is that AES has gradually increased the complexity of simulated phishes, and the level of awareness among employees has continued to grow,” notes Goodhart. “It’s no easy feat, considering the simulations cover people in different age groups with varying degrees of technical savvy as well as different languages and cultures. This requires each simulation to employ a fair amount of customization.”
Cofense Reporter and Cofense Professional Services
AES also uses Cofense Reporter, a solution that allows for quick user reports of phishing attempts. With Cofense Reporter, AES personnel simply click an icon to send suspicious emails to their company’s security team for analysis. This generates streams of human-based phishing intelligence to aid in threat detection and speed incident response for security operations teams.
To develop custom reports and further enhance their phishing defense program, AES relies on Cofense Professional Services. For example, a Cofense consultant showed the AES team how to use different tactics in creating phishing simulations and to tailor phishes by region and language.
An “Exemplary” Approach to Cybersecurity
According to Badanes, if the company had to decide on only one cybersecurity training component to keep, it would be Cofense simulations. He believes these simulations exemplify AES’ primary value of safety and the company’s approach to cybersecurity.
“Cyber events could cause physical damage and — potentially — loss of life,” he says. “With electrical power, you must put safety first. Meaning both physical safety and cybersecurity. We train every person in our organization to think about ways to be cyber safe because cybersecurity is everybody’s job.” Attackers, he notes, will keep trying to come up with ways to get into networks. “Cofense helps ensure they don’t succeed.”
A leading Australian aviation company wasn’t going to wait for disaster to strike before strengthening its phishing defense.
“We were lucky enough to have forward-thinking management,” said the General Manager of Technology and Innovation. “We hadn’t suffered losses from phishing, but our board of directors grasped the threat, so they instructed us to launch an anti-phishing program.”
He added, “Because we’re in aviation, we have a lot of visibility. If a phish led to a security incident, our name would be in the headlines. We need to protect not only our data but our reputation.”
Solutions and Results
The company implemented Cofense PhishMe to help users spot phishing and Cofense Reporter to enable one-click reporting. With Cofense PhishMe, program administrators are able to simulate phishes and educate users on how to recognize them.
When the company announced the program, it clearly explained the goals and methods. The announcement also educated users about phishing, including a sample simulation. This transparency paid off. From the first round of simulation training to the next, user susceptibility dropped by 10%. And users who clicked an embedded link dropped by 9%.
“The results to date are encouraging,” said the General Manager. “We know that our metrics are affected by the complexity of simulations, the emotional levers they pull, and the user groups we target. As we continue to move forward, we’ll be basing our simulations on attacks we’ve actually seen.”
Next Steps
He plans to further customize simulations by team and location, using Cofense PhishMe’s adaptable templates. “We understand that the people and organizations behind these attacks are smart,” he said. “They mimic trusted people and brands and refine their deployment methods to evade automated safeguards. You can never become complacent.”
Now that Cofense Reporter is deployed across all teams, the company is better able to promote and track email reporting. “To measure success, we first look at the number of users not opening and/or reporting potential threats,” said the General Manager.
“Next, and possibly more important, we examine the number who report after they may have inadvertently opened an email. Basically, we identify employees that may be vulnerable, give them the training they need, and report this up to the board of directors.”
Underscoring the point he added, “Initially, some people at our company thought the program was unnecessary. They believed our automated systems and firewalls gave us enough protection. This was dispelled when security professionals fell prey to Cofense simulations.”
Even better, “Our security teams are stopping attacks reported by employees.”
Background. A diversified energy and utility company with more than $30 billion in assets and operations in 25 states. The company operates regulated utilities and electricity generation through two primary lines of business and includes eight electric and natural gas utilities, serving 3.1 million customers in New York and New England. The organization operates 6.3 gigawatts of electricity capacity, primarily through wind power, across the United States, as well as employs 7,000 people.
Challenges. Energy providers face a cybersecurity double whammy: An attack could cut power to thousands of customers and cause millions of dollars in damage. And, since the company is subject to North American Electric Reliability Corporation Critical Infrastructure Protection (NERC/CIP) regulations, it risks incurring fines up to $1 million per violation per day.
Solutions. An anti-phishing solution had to meet several criteria – ease of use, a good value, compatibility with other systems, and actionable data delivery. After evaluating a handful of solutions, the company decided to conduct a limited proof of concept of Cofense PhishMe. The results sold the energy company on Cofense PhishMe.
A cloud-based SaaS immersive learning platform, Cofense PhishMe works easily with all major web browsers. It instructs users on the dangers of phishing through periodic simulations. Users have to decide if suspected phishes are legitimate or report them as suspicious. “Because we are a global company, we looked for a phishing platform that was extensible. Cofense PhishMe fit that bill because of its worldwide presence and multi-language capabilities,” the cyber security manager says.
Results. The energy company launched its simulation program on a small scale by targeting company executives and their assistants. Over an eight month period, they expanded it to include HR, customer service, legal, corporate security and finance personnel. Each time, the phishing team shared results and susceptibility levels with management. It soon became clear departments that had already experienced phishing simulations had lower susceptibility rates. This proved that training and simulations work. Since leveraging Cofense, the energy company has seen employee susceptibility trends decline.
Conclusion. The manager says in theory, the energy company could lose $3 billion in market valuation if it suffered a serious data breach. “If Cofense can help us prevent that, and if it can help us keep the lights on and the natural gas flowing for our customers, that’s a big deal.” The company has calculated the cost of each simulation at approximately 60 cents per employee. That’s a reasonable price, considering the improvements in susceptibility rates and the attacks the company may have already averted thanks to heightened phishing awareness, the manager says. “Because we work for an energy services company, we have a duty to protect the grid. One of the ways we do that is by encouraging our employees to step up and accept that higher responsibility – to teach them to stop and think before they download an attachment, for instance. And we believe Cofense will continue to help us do that and prevent bad things from happening.”
Background. With some 61 million customers, Generali is Italy’s largest insurance company and one of the world’s most recognizable financial services brands. As part of a comprehensive overhaul of its security programs, Generali decided to focus on phishing awareness. “The number of attacks targeting us was increasing,” said Francesco Nonni, Head of IT Operations & Security Risk at Generali. “We were seeing phishing attacks of all types and employees weren’t sure how to respond.”
Solutions and Results. Generali chose to use Cofense PhishMe and Cofense Reporter to teach employees to recognize and report evolving phishing threats. Why Cofense? “You offer so many different templates for phishing simulations based on real threats,” Nonni said. “Also, the solutions are easy to implement.” “With Cofense PhishMe and Cofense Reporter, we can easily gather statistics on phishing resiliency and susceptibility,” he added. “By sharing results across the company, we created a shared understanding of our readiness and where to improve.”
Are employees getting the message—are they reporting phish? “Absolutely yes,” he said, “both in simulations and in real life. Our simulation results are trending in the right direction—reporting is increasing and susceptibility is dropping. We use the Cofense benchmarks for our industry specifically and across verticals, so we can compare our level of awareness and exposure. We know where we stand and are able to put it in context.” Even better, “Employees are now helping security teams stop real phish,” he said. “Now it’s easy to report an email that might be part of a real attack. One click of Cofense Reporter is all it takes. When that happens, our security operations teams are able to respond faster.”
Implementation & Peer-to-Peer Advice. Once Generali’s phishing defense program was up and running, Nonni launched their first simulation. While the solutions worked seamlessly, the results showed that the company had its work cut out. “A lot of people clicked,” he said, “and reporting levels were low. That wasn’t surprising, since it was our first campaign.” There was a silver lining, though. Armed with data, Nonni was able to further underscore the risks of phishing and generate more support from corporate leadership. He recently launched a simulation campaign in 11 countries across Europe and Asia. “The campaign is still ongoing, but the results are encouraging,” he said, “We’re learning that click rates often vary from country to country. We prepared content on a more global level and asked local offices to translate to their language and manage the rollout to their teams. Depending on the country and the culture, the local communications department might try different tactics to promote the awareness program and keep employees engaged.” As a global financial services leader, Generali continues to see high volumes of phishing emails—real attacks that trained employees are reporting more consistently. “We see a lot of spear phishing attacks targeted to our managers, along with crypto-lockers, credential phish, and business email compromise. We’ve started to model our simulations after attacks that we receive, for example, phishing emails with malicious attachments.”
A few years ago, a global consumer product goods company with 40K employees in over 100 markets had no formal anti-phishing program. Knowing the threat was growing and its security team needed help, the business began using Cofense PhishMe to measure employees’ susceptibility to suspicious emails and Cofense Reporter to report them with one click. Later, the CPG firm deployed Cofense Triage to help incident responders recognize threats and remediate them faster.
According to the company’s head of security awareness, 28 percent of employees, as well as third-party contractors, clicked on bad emails during initial Cofense simulations. “That was a wakeup call,” she said. “We knew we needed improvement, but thought we were in better shape than that.”
Implemented simultaneously, Cofense PhishMe and Cofense Reporter proved a powerful combination. Cofense PhishMe tested employees’ susceptibility to phishing under simulated conditions. And Cofense Reporter “relieved employees of having to figure out whether and how to report a suspicious email,” said the head of security awareness. “If they had any doubts, they could report an email with a single click and get on with their day.” For that reason, the company installed Cofense Reporter on devices before deploying Cofense PhishMe.
Companywide reporting climbed to 43 percent, with some key departments reporting at over 90 percent.
While metrics continue to improve, including phishing susceptibility rates under 10%, “Our leadership wants to know that we’re always getting better. Cofense lets us demonstrate that. We can’t just do the same basic simulations over and over. With Cofense PhishMe, it’s easy to customize more complex phishing scenarios. Over time, we’ve made the exercises more advanced, personalizing emails by name and company logo, to reflect what’s happening in the real world.” The company also needed a central storehouse where suspicious emails could be forwarded and automatically prioritized. With training and implementation help from Cofense professional services, the CPG leader now has a dedicated, purpose-built mailbox where employees can forward suspicious emails. Cofense Triage automates the process of distinguishing threats from noise. Before, incident responders spent hours sifting through emails. Now, 80 percent of reported emails are resolved automatically – just 20 percent require active attention.
The solution’s clustering capability helps identify larger phishing campaigns, so the incident response team can address them swiftly. “Our incident responders are making much better use of their time now. They can recognize and respond to a real incident, instead of sifting through tons of emails before stumbling upon something important. Cofense Triage improves the quality of work our responders can do.” With low susceptibility rates and reporting rates steadily rising, the head of security awareness reports that “employees have become an important line of cyber defense.” And thanks to the automation and analytics of Cofense Triage, “we’re not drowning in information anymore and can act on threats right away.”
Background and Challenges. In 2015, this consumer product goods (CPG) leader had no formal anti-phishing program. Knowing the threat was growing and its security team needed help, the business began using Cofense PhishMe® to measure employees’ susceptibility to suspicious emails and Cofense Reporter™ to report them with one click. Later, the CPG firm deployed Cofense Triage™ to help incident responders recognize threats and remediate them faster.
According to the CPG company, 28 percent of employees, as well as third-party contractors, clicked on bad emails during initial Cofense simulations. “That was a wake-up call,” said the CPG company’s head of security awareness. “We knew we needed improvement, but thought we were in better shape than that.” Employees needed help in spotting potential phishes – especially critical departments more heavily targeted by attackers.
Moreover, the company needed a central storehouse where suspicious emails could be forwarded and automatically prioritized. Incident responders had to spend hours sifting through 500 to 1000+ emails reported daily. Instead of focusing their efforts on dealing with real phishes – not to mention the myriad other security issues they faced – responders wasted time manually sorting through the clutter to distinguish threats from noise.
Solution and Results. While metrics continue to improve, “Our leadership wants to know that we’re always getting better. Cofense lets us demonstrate that. We can’t just do the same basic simulations over and over. With Cofense PhishMe, it’s easy to customize more complex phishing scenarios. Over time, we’ve made the exercises more advanced, personalizing emails by name and company logo, to reflect what’s happening in the real world.”
- Fewer than 1 in 10 employees now click on simulated phishes
- Up to 9 in 10 employees in some critical departments correctly report simulated phishes
- Just 20 percent of reported emails are personally triaged by incident responders – thanks to automation
Our company started working with Cofense several years ago. We began to launch phishing simulations and also deployed the Reporter button. We saw our phishing susceptibility rate drop steadily and user reporting go up. Today, our reporting rate in simulations is around 60%.
Even better, team members are reporting real phishing emails that got past tools like secure email gateways (SEGs). With such good results, we went straightaway into using Cofense Triage and Intelligence as well. We don’t want team members to spend a moment thinking, okay, this email I got — is it really a phish? Even if it’s an internal email, we tell them to report it and Triage will take care of it. Cofense Reporter sends our SOC analysts a clean set of emails, properly formatted, with all the information they need. Then Triage handles noise reduction, so analysts spend time only on genuine phishing threats.
When they look at an email, they can easily see which other team members received it and, if necessary, pull it from their inboxes. We also sometimes see clients whose emails have been compromised and used in phishing attacks. Our team members are familiar with the email addresses but they don’t click, because they know the language is odd or something else is off. In one instance, when we notified the client they were able to alert their entire customer base within a day. Normally, when we reach out to compromised clients they aren’t aware of the problem. This has happened often enough that our clients, along with our internal teams, see the benefit of what we’re doing. Our security team likes the Intelligence product because it’s based on emails that bypassed security rules. The team also says the intel correlates with what they see. Some intelligence products flag these same threats, but not as quickly. The team’s overall opinion is they love the product—it’s really useful. My team in security awareness feels the same about Cofense PhishMe. We had used products from other vendors with not much success. We weren’t able to do monthly phishing simulations, so we had to settle for periodic simulations. As soon as we got on board with Cofense, we could easily run monthly exercises. That dropped our susceptibility rates pretty rapidly. Why is it important to do monthly exercises? Well, not doing it every month wasn’t working. We used to have susceptibility rates around 25%. While our rates have dropped, we also realized we would never get to zero clicks, so reporting is the key metric. Working with Cofense, we show value by helping to stop phishing attacks technology missed. It’s hard to get a dedicated budget for security awareness. But teams across the company understand what we’re doing. People talk about it, including the board of directors. They know that data protection is our number one risk.
Our program has received a lot of visibility and that’s been awesome. It’s really driven security awareness and made our company much more secure. By: Information Security Analyst, Global Financial Services Company
I’ve managed our company’s security awareness program for three years now. We launched it after a handful of successful spear phishing attacks, realizing that we needed to do a better job of educating users. We wanted a solution to help them spot suspicious emails, one with strong metrics to help track progress. That’s why we started using Cofense PhishMe and Reporter.
We now send monthly simulations to 60,000 users. Our reporting rate is often around 30 percent.
We use PhishMe to run monthly simulations with our global users, all 60,000 of them. The first year of the program our click rate was up around 25 percent. Now we’re under 10 percent, so it’s definitely making a difference. In fact, we used to say that a click rate of 10 percent was good, but now we shoot for eight percent. I get a lot of positive feedback from people in different departments. They’re interested in the metrics: how is my team doing compared to other teams? For example, our legal department used to be dead last, but after working with me to educate their team their performance has really improved. The companywide results have been mostly good. In April of 2019 we did a Package Delivery scenario, which got a click rate of only 6 percent and reporting rate of 29.6. In July, we ran a Quarantine Email phish where 7.21 percent failed, with reporting just under 23 percent. I do a quarterly newsletter where I stress the importance of reporting suspected phish. We call it out prominently: ‘When in doubt, report!’ We want people to know that if they don’t report, the SOC won’t know about a possible phishing threat.
There are only so many ways to tell people what to look for in emails. The best way to help them is through reiteration.
Our SOC tells us that user reporting definitely gives them better visibility to threats. The SOC now has Cofense Triage to sort through reported emails faster, filtering out the harmless ones—like my employee awareness newsletter!—from real phishing threats. They love it. They get thousands of email reports every single day, so Triage saves them a ton of time. The team no longer has to guess about the true nature of an email.
The SOC has blocked a lot of emails that users reported and Triage verified.
Our incident responders see all types of phishing emails, especially credential phish. Recently, there’s been a huge increase in sextortion emails, where the sender uses information from accounts that were compromised in breaches like the LinkedIn hack, to scare the recipient into making a payment. The SOC has also been seeing a rise in file-sharing malware as well, with emails containing links to box.com, SharePoint, WeTransfer, and the like. Talking to the SOC is an important part of our awareness. I’m working on creating a process to get this information as a matter of course, so if something is a big concern we can work it into our simulations.
Background. This company’s VP of Information Security inherited a strong anti-phishing program. The organization had been a Cofense client for about a year. It used Cofense PhishMe™ and Cofense Reporter™ to condition users to recognize and report suspicious emails, then added Cofense Triage™ and Cofense Intelligence™ to shore up incident response.
Challenges. When the VP came onboard, his challenge was to take phishing defense to the next level. How could the organization make its anti-phishing more complete? How could his team refine their strategies to stay ahead of evolving threats? The answers came in a number of innovations they rolled out.
Solutions. Using Cofense PhishMe to run phishing simulations, the company mixed in harder scenarios to keep employees alert. The toughest one was an email titled “Time-Off Requests,” which told recipients they had gone over their limit for personal time. It asked employees to click a link to take care of the matter. Thirty-seven percent of recipients took the bait. When employees received a similar email a year later, the susceptibility rate dropped to 22%—still high, but a noticeable improvement. “We have the kind of culture that likes to push the envelope,” said the VP. “We want to make sure our anti-phishing tactics are challenging and relevant. So, we keep our eyes peeled for new and emerging threats.” His team sent another irresistible email during the 2016 presidential election. With emotions running high as Hillary Clinton and Donald Trump battled, the email, purportedly from HR, reminded employees of the company’s policies on political activities at work, asking them to click a link to show they understood and agreed. “It was a good reminder not to be complacent,” the VP said. “A lot of people bit on that one.” Other top-performing scenarios: “Package Delivery” and tax-related emails in the run-up to April 15. A best practice the VP recommends is to keep HR and other departments in the loop. “You can’t send a phish supposedly from HR without working it out with them beforehand,” he said. “They need to prepare for more calls and emails when certain simulations go out. Once they’re in your corner, everything goes more smoothly.” To keep email reporting rates high, the VP launched a Phishing Bounty Program. It gives rewards to employees who use Cofense Reporter to report a verified malicious email. “We’re really proud of this program,” said the VP. “Employees participate enthusiastically and the rewards are way cheaper than a breach or ransomware incident. Plus, we notify managers to give credit to vigilant people.”
Results. By steadily innovating, the VP of Information Security is expanding and refining his company’s phishing defense. To bolster phishing awareness, his team will keep adding harder-to-identify phishing scenarios. To maintain high reporting rates, the Phishing Bounty Program will keep humming along. And the team has recently complemented Cofense Triage with capabilities to automate the retraction of malicious emails. Attackers looking to make a quick buck—who think healthcare security is softer than in, say, financial services—will always target the company. It’s one reason why an aggressive phishing defense is a must. Another reason: in healthcare, ransomware can be a matter of life or death. “We supply data to healthcare practitioners on, for example, medication or other supplies,” said the VP. “If a ransomware attack succeeded, we’d be in a difficult spot. By enlisting the entire organization in awareness and response, we can reduce this risk—and a host of other vulnerabilities, too.”
Background. The company is the largest third-party administrator of employee health plans and benefits in its four-state region. In business for more than 20 years, the company employs about 130 people and administers plans for nearly 75,000 members.
Challenges. As an employee benefits administrator, the company handles its members’ most sensitive data – personal health information (PHI) and employment benefits. Any phishing attack that compromises members’ private data could seriously hurt the business. “In our world, phishing and educating our users about phishing is the No. 1 priority. That means we need to get people more involved and give them more tools to help them understand and recognize a phishing email,” says the company’s manager of IT and infrastructure.
Solutions. When the company ran its first simulation, more than one-third of its users failed the test, he recalls. Of 127 users tested, 46 clicked the simulated phish. “So, we knew we had a problem that needed to be addressed immediately.” The IT department followed up the simulation by disseminating instructional materials biweekly to users. “In the next six weeks, we went through the education process of shooting out education emails and having discussions internally with departments and department heads,” he says. When the second simulation was conducted, the number of users who clicked the simulated phish dropped to 21, less than half the original number. Since then, the company has run simulations monthly, picking a different scenario each time. “With each scenario that we push out, we drop a couple more people off that list. However, I’m still seeing an issue with repeat offenders,” he says. To address the issue, the IT department has been sending extra educational materials to the repeat offenders and then testing them with a rerun of the simulations they fail. The process is working, he says. The overall number of users clicking simulated phishes is down to less than 10%, and he is working to shrink that to 1%. “We just continue to see the needle go the other direction, which is very good,” he says. Another positive result, he says, is an increase in users notifying the IT department of phishing emails. “We are feeling more confident in our users as a line of defense for keeping our company secure and safe.”
Results. The company found that implementing Cofense PhishMe SBE was straightforward. The company had already loaded the solution for a trial, and the IT staff knew what to expect when it came time for the permanent installation. The biggest change was to organize the Cofense PhishMe SBE dashboard by department to help identify which groups of employees have the highest susceptibility rates and, as a result, require additional education.
Conclusion. Company management has fully embraced the anti-phishing program. “The execs were on board from the beginning,” he says. He keeps them up to date on simulation results, sharing with them monthly reports that break down susceptibility rates by group. “I sit down with the executives and walk through what trends we’re starting to see, both negative and positive.” Preparing the reports is easy, requiring only a few clicks to compile the necessary information and then formatting it as a PDF. Based on his experience with Cofense PhishMe SBE thus far, the IT manager says he would gladly recommend it to peers. The educational and behavioral-conditioning components are especially valuable. “It’s so user friendly and makes life easier. Having the education piece that Cofense provides is fantastic, and that would be my biggest talking point if I were recommending Cofense to another company.”
Background. United Community Bank (UCB) is a $10.4 billion regional banking institution with 140-plus branches across Tennessee, Georgia, South Carolina and North Carolina. The company employs nearly 2,000 people who use email throughout the business day. Management wanted to ensure all employees use email safely and have the ability to recognize a phishing attempt when one crosses their inboxes. Phishing defenses are especially critical to banks since they are a favorite cybercrime target.
Challenges. UCB chief executives have seen their fair share of phishing attempts in their inboxes, according to UCB Chief Information Security Officer Jim Stewart. But while an executive may have a stronger nose for sniffing out phishing emails, management worried the majority of employees may be less attuned to the threat.
“We decided we needed to condition our employees against phishing,” Stewart says. Doing so wasn’t without challenges because “there’s a fine line between security and service.” If you lean too far in one direction and block everything that looks suspicious, it could be at the expense of responding to customers. Since world-class customer service is what distinguishes UCB from larger competitors, the company needed the right vendor to provide a scalable phishing solution while saving UCB time and effort.
Results. The first simulation targeted the bank’s 14-member technology steering committee. Ramp-up time was limited because the committee was scheduled to meet two weeks after deployment, but thanks to the ease of installation, UCB completed the test successfully. “With a lot of other security solutions, we just wouldn’t have tried to run a proof of concept in that short time frame,” noted Stewart. “It’s usually impossible. But with Cofense it was just easy.”
As simulations continued, department heads became invested in the program, even treating it as a competition. Our chief legal counsel, whose staff had scored particularly high, Hucko says, “sat everybody down, put them through extra training and really emphasized the importance of understanding the effects of a potential phishing attack on the company. Ever since that meeting, his group has had the lowest susceptibility in the company.”
Stewart credits the Cofense team with making the implementation straightforward. Whenever he’s had a question or request, the team has responded promptly and effectively. For instance, the team obliged his request to parse users by job title and location. Per Stewart, Cofense has provided solid guidance and support, “all the way from sales and demos to contract implementation to post implementation support. Time is of the essence in everything we implement so when something’s that easy, you start out of the gate with a very positive feeling about it.”
Conclusion. Stewart initially had some misgivings about an anti-phishing campaign. “It feels a little bit devious, like you’re trying to trick your employees.” Then he realized while he was thinking about the situation “with a conscience,” attackers have no such moral quandaries. A company of 2,000 employees is a company with 2,000 potential vulnerabilities. Using a little deviousness to determine phishing susceptibility and which employees are the most likely to click suspicious emails is a small price to pay to prevent a phishing attack. Cofense, Stewart says, has helped turn those 2,000 vulnerabilities into 2,000 defenders.
In 2012, a phishing email triggered one of the largest cyber-attacks ever, aimed at a large Middle Eastern oil and gas company. In the wake of the attack, organizations worldwide redoubled security investments. One such organization was a top university whose students, faculty, and administrators hail from around the world.
The school’s Head of Information Security made antiphishing a top priority. He partnered with Cofense to train his users to recognize and report suspicious emails.
Challenges
“My mandate was to do everything necessary to protect the university community,” said the Head of Information Security. “We invested in technological solutions, but with thirty years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.”
“Look at it this way,” he added. “You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defense.”
Cofense PhishMe and Cofense Reporter
The Head of Information Security adopted a “use it well or lose it” approach to email and Internet access. “My position is that access to online services is a privilege, like having a driver’s license,” he said.
“You go to the DMV to get your license and the police monitor and enforce good behavior. If your behavior is lacking, you get negative points, or possibly even lose your license for a time. I decided that the best way to encourage good user behavior was through a similar points-based system.”
He started using Cofense PhishMe™ to send simulated phishing emails to university users. He also introduced the Cofense Reporter™ button, a one-click way for users to report suspicious emails to the incident response team.
Those who show good behavior, who recognize and report phishing, gain positive points and are eligible for gifts. Those who exhibit poor behavior accrue negative points. Too many of these could result in temporary loss of Internet access. To avoid that, users can take advantage of phishing education training, then pass a quiz to regain good standing.
“When we launched our anti-phishing program, our susceptibility rate was hovering around 55 percent,” said the Head of Information Security. “Now it’s 11 percent. And the reporting rate has gone from a pretty low number to 50 percent. We’ve made very good progress. The Cofense solutions work beautifully.”
He occasionally sends trickier simulations to keep users on their toes. “One recent scenario netted a 20 percent susceptibility rate, but the reporting rate was still at 50 percent. That’s our #1 KPI: keeping reporting well above susceptibility.”
He noted, “You need to remember certain factors to get an apples-to-apples comparison. That’s why when we benchmark our test results, we use what we call a ‘difficulty criteria model,’ which factors in the complexity of our various scenarios.”
Looking Ahead
Since the university launched its anti-phishing program, phishing attacks worldwide have grown. Researchers at the Anti-Phishing Work Group report the volume of attacks rose in 2017, targeting more organizations than ever. Nation-states continue to use phishing to pursue their goals.
To keep its phishing defenses strong, the university is continuing its simulation training, as well as the points-based system for promoting phishing awareness. The school has also recently purchased Cofense Triage™, a platform that automates email analysis for faster threat response.
“Our team protects students and anyone else using the university’s systems,” he said. “We have users whose technical savvy and online habits vary a lot. It’s important to get everyone involved in cybersecurity, especially phishing defense. We have a lot at stake.”
Background. As a cyber security specialist and managed security solutions provider (MSSP), eSecure helps businesses of all sizes protect against cyberattacks. The company, which has offices in Australia and the UK, partners with Cofense to deliver phishing defense solutions. According to eSecure CEO Clinton Smith, the company decided on Cofense because, “The Cofense approach is a very practical and real way of educating a broad audience about cybersecurity threats. It enables us to demonstrate that we’re invested in understanding and strengthening our customers’ security by offering the very best-of-breed technology.”
Solutions and Results. Cofense PhishMe™, which simulates attacks to educate users, has been “stellar” in raising phishing awareness. “To succeed, we have to help our customers change their culture,” said Smith. “While most organizations are aware of phishing, levels of awareness vary amongst their own people. The security teams are naturally clued in, but individual users often expect that their employers are going to protect their mailboxes.” Smith noted that customers are seeing more phishing attacks on cloud services. “As organizations move their business operations to the cloud, those cloud-based applications like O365 and SharePoint become a natural target for exploitation,” he said. “Cofense helps our customers identify and respond to these attacks, and to other types of attacks, much faster. That’s a great benefit, since some of the attacks you see in the news have been quite devastating.” “Budget pressures point to an outsourced solution. The economies of scale simply make sense. Plus, small and medium-sized businesses realize it’s smart to distribute their cybersecurity, instead of relying on one staffer to manage everything. When that person goes on annual leave, the gap becomes too risky.” He added that customers are increasingly comfortable with a hybrid approach. “Often, customers manage certain security functions themselves and outsource other functions, for example, phishing defense,” he said.
In Summary. The reaction to Cofense solutions: “Customers love them,” said Smith. “Again, the Cofense approach to phishing defense is quite practical and achieves real results. Let’s put it this way: customers know it’s better to have a good guy doing a security test, if you will, than a bad guy. “Having had long heart-to-heart discussions with CEOs about security incidents, I think it’s usually not a case of a single event exposing their vulnerability. It’s normally a series of events that show a lack of understanding about the threat and relative investment required for effective phishing defense. Once they understand how large the problem is, they realize they can’t afford to build an adequate solution. “That’s where eSecure and Cofense come in. We make it possible for businesses of every size to see and stop phishing.”
Background. A large multinational company was the target of relentless phishing attacks intended to steal intellectual property. With growing alarm, the company kept throwing more people, technology and money at the problem to little effect, until it concluded the answer lay in raising user awareness. For most multinational companies, the issue of “phishing” is an everyday occurrence. For our case study, the company concerned was investing significantly in technology to help defend itself; however, company managers concluded that without engaging end-users as the first line of defense they were undermining this investment.
Challenges. With 8,000 users dispersed through five continents and many other international locations, getting everyone on the same page to fight phishing seemed a huge challenge. In addition to the development of a global IT Security Awareness program, a method of assessing user susceptibility to phishing email was required.
Solutions. As it happened, the company’s North America division was preparing to test an enterprise phishing defense solution, Cofense PhishMe®, so the global security awareness team watched for the results. Pleased with the outcome, the security team knew it had found its phishing defense solution. “We looked at the success in North America and decided to deploy Cofense PhishMe for the rest of the user population,” recalls the client’s security awareness leader. In the most recent test, the company’s susceptibility measured at just under 2%, a stunning drop from 21% before deploying Cofense PhishMe, including less than 1% for employees who took the simulation bait more than once.
Business Results
Rehabilitating Chronic Offenders
The approach is working. The company’s overall susceptibility score of 2% is remarkable considering the number of users. During the last year the average score dropped to 5% from 21%. “Our feeling is that if we are below 10%, we are doing well and certainly below average for susceptibility. Nevertheless, we recognize 2% of 8,000 is still a significant amount of people, so we can’t rest on our laurels too much.”
Choice of Bait
Cofense PhishMe comes with prepackaged phishing scenarios, but customization is available. This client used a package delivery scenario in its first test because receiving a package is relatable to any user regardless of location or cultural customs. “So it’s quite a seductive piece of bait,” says the awareness leader. The company is mindful of cultural, religious and social considerations when choosing bait. The global security awareness team reviews the available scenarios then recommends which to use next. “I very much want my international leads to have the lead on “bait” selection. Rather than the corporate head office telling them what we are going to do, I ask them to suggest what we are going to do.”
Improved Reporting
Getting users to report suspicious emails is never easy, and this client’s experience was no different. “We had a process for them to follow. They had to follow a published process to ensure technical information within the email was preserved so that it could be examined by our experts. The manual nature of the process discouraged people. “It’s easier to just hit delete because they may figure we’re a big organization and someone else has reported it already, or, quite frankly, they just couldn’t be bothered,” says the team leader. Cofense Reporter changed all that by giving users a one-click process to report suspicious emails. “So it’s just as easy as clicking a delete button.” In response, users get a congratulatory message when they spot a phishing test email. If a reported email isn’t a phishing test, they receive a thank you for helping to keep the company safe. “One of the key benefits of this approach is when running a test, reported emails are not sent to the experts – reducing their workload.”
Conclusion. The client couldn’t be more pleased with Cofense. The technology has delivered as promised, and when the company has needed help with troubleshooting or usability questions, Cofense’s tech support has proven responsive and helpful. “We’ve always found their response to be very good in terms of speed and quality.”
The financial industry is constantly targeted by phishing attacks, so our company uses Cofense PhishMe to educate employees. We send monthly simulations because, in our experience, more frequent training helps to raise overall awareness. If you get in the habit of recognizing phishing emails, though you might not see a serious security threat very often, you’ll feel comfortable reporting one if it lands in your inbox. In general, we think that folks who are most at risk should be targeted more often, for example a finance organization that corresponds with outside vendors, versus a group of analysts who never interact externally due to regulations. We’ve found that targeted training is a better predictor than general simulations. These phishing scenarios might be more difficult, but making them tough isn’t the point—the point is to send simulations based on real attacks we’ve seen. It’s important that users understand this isn’t a game of “Gotcha!” We’re trying to help people, not fool them.
We’ve been able to show the connection between phishing simulations and real threats that users report.
Our Cofense support analyst has helped us create reports that show the overlap between simulations and verified threats. We want to know how someone performs on a simulation versus a real phish. The idea is to identify groups that get attacked a lot and the ones reporting the most real phish. We want to see how that interplay works. We’ve used the data to educate people who fall susceptible to certain attacks. We’ve found that most of those users aren’t susceptible in later simulations. They’re paying more attention and reporting at much higher rates. For example, we’ve been able to run targeted custom campaigns using domains and executive spoofing, based on real attacks we’ve seen in our environment. We’ve found that running targeted campaigns resulted in more than 25 percent higher reporting rates, compared to the average user over the next three months.
It’s really exciting to track data and show how it relates to performance, plus how it can shape the next round of simulations. We let repeat clickers practice as much as they need. If an employee clicks on a simulation, rather than just relying on a pop-up page to teach them, we send another phish. If the user clicks again, that’s the learning moment. That person will ask, “What signs did I miss?” They’ll be more aware. To identify real threats, we use the managed version of Cofense Triage. Cofense analysts look at everything that’s reported, pull out any IOCs, and send them back to our SOC. It eliminates a layer of analysis and enables the SOC to scope the campaign immediately. Who else in the organization got the phishing email? Then the SOC can pull those emails from inboxes, so users can’t click on them, and block the sender’s IP address, at least temporarily. One recent phishing email said, “I’m in a meeting and can’t be contacted. Can you help me out?”... Luckily, some recipients reported it.
That email, a real phish, involved a typosquatted domain, which looked like our domain with one letter changed. The email purportedly came from a senior executive, using a signature block that looked very close to ours. A bunch of users throughout the organization received the phishing campaign and, while some started responding to it, others began reporting. We were able to stop the campaign before any real damage was done. That was a huge win for us. It was a very sophisticated campaign, so it shows that our training is working. Of course, you’ll never get to zero clicks, so there’s always work to be done.
Background. Phishing attacks continue to spike year after year. Recognizing their employees were vulnerable to phishing attacks, a multinational manufacturer of imaging and optical products with more than 18,000 employees in the EMEA region concluded it was only a matter of time before a phishing attack would cause serious damage.
Security Challenges. Phishing is successful because it baits users to open tainted emails that often bypass stringent technology layers to reach the user’s inbox. Employees can be too busy, distracted or trusting to give much thought to possible risks. “There’s always a way to penetrate the organization, or use an employee to get access because, for employees, security is not normally their area of expertise,” says the Information Security Manager at the global manufacturer. “If they see an email, they may not be able to recognize it as legitimate or malicious.” The company decided to strengthen its phishing defenses. Since most of its efforts to raise awareness about phishing through video and classroom presentations had so far proven unsatisfactory, the company turned to Cofense to help strengthen its anti-phishing programs. “The whole concept of phishing as a service just struck us as genius.”
Conclusion. The client’s ability to catch phishing emails has vastly improved since implementing Cofense PhishMe and Cofense Reporter. According to the client, Cofense’s technical support has remained accessible and responsive throughout the adoption process. “They give results in a couple of hours and they’re very nice people – all of them.” The client notes that, compared with other vendors, getting support from Cofense is definitely easier. Based on that success and the technology’s tangible results, the Information Security Manager says he’d have no qualms about recommending Cofense to his peers. When anyone asks him how to deal with phishing, his answer is simple: “Buy Cofense.”