Critical Infrastructure Workers Better at Detecting Phishing
Considering how important and vulnerable critical infrastructure (CI) is, it is not surprising—though it is reassuring—that fresh research showed CI employees are more likely to recognize and report phishing and other malicious emails.
Two-thirds of those from CI organizations who participated in security behavior training programs detected and reported at least one malicious email attack within a year of that training, according to the Human Cyber-Risk Report: Critical Infrastructure study from Hoxhunt. CI companies also recorded a 20% higher resilience velocity—the speed at which threat detection is at its peak in an organization—than other sectors. CI’s high point comes at about 10 months post-training compared to 12 months for organizations in other areas.
“The report showed that while most companies do train for compliance—say, four phishing training events per year—those that engage in more frequent training perform better,” said Timothy Morris, chief security advisor at Tanium.
“Plus, it is evident from the report that behavior modification improves with rewards-based training versus the more prevalent failure models that are used with phishing software awareness training tools,” said Morris. “The adaptive training methods and gamification using AI for their simulations appears to have more positive results.”
Attacks like that on the Colonial Pipeline and JBS foods, not to mention the attacks on water treatment plants in Oldsmar, Florida and California, have proliferated in recent years. Many critical infrastructure entities rely on older systems and software that may present a tempting target to cyberattackers.
“Over the past several years, attacks on critical infrastructure have become all too common, leaving fuel pumps and store shelves empty,” Mika Aalto, CEO and co-founder of Hoxhunt, said in a statement. “In response, critical infrastructure organizations and their employees are exponentially more aware and cautious of malicious activity. This higher state of caution has spurred many security and risk leaders to move away from traditional security awareness programs and choose new innovations like security behavior change products to achieve true risk reduction.”
That is good news for CI organizations that have become attractive targets for threat actors.
“There is no question that the energy sector is one of the top targets for social engineering and phishing attacks across all industries since disruption can have massive downstream economic effects,” said Krishna Vishnubhotla, vice president of product strategy at Zimperium.
“This investment in improving employee cybersecurity hygiene is a positive sign. However, the question is how much they spend compared to other sectors. People always wonder if security training pays off, since disruption can have massive downstream economic effects,” said Vishnubhotla. “Other sectors might not be as incentivized to invest in training without regulatory pressure.”
But the research also shows that CI organizations cannot let up on training—their employees are also among those most likely to fall for spoofed internal organizational communications, which Hoxhunt said is the most effective phishing attack regardless of sector. Still, researchers wrote that such attacks have an 11.4% higher failure rate in the CI space.
“It is essential to ask, though, where do humans learn destructive behaviors that increase their likelihood of falling victim to these threats?” said Vishnubhotla, who noted that because of the nature of communication, marketing and business development areas are more prone to falling victim to malicious emails.
“It is important to note that smartphones and tablets play an important role in contributing to this. Mobile devices and mobile apps are quickly becoming the digital channel for worker productivity, customer engagement and overall business growth,” Vishnubhotla said. “The attackers know this and are also adapting their phishing campaigns to work on mobile devices. According to our Global Threat Research, 80% of phishing attacks target mobile devices or are designed to work on both mobile and desktop computers.”