Sponsored: State of the Phish: 3 Takeaways for Federal Agencies

Meta: We examined the simulated phishing data of our federal customers and identified three tips program administrators and decision-makers in these organizations can use to strengthen their security awareness training efforts. 

U.S. federal government agencies face ongoing scrutiny from virtually all angles, but cybersecurity has leapt to the forefront in recent years. From safeguarding elections to defending against nation-state attacks, federal organizations (and their workers) face many sophisticated and high-profile threats—in addition to day-to-day issues that impact data and system security. 

Knowing that U.S. citizens and legislators are calling on federal agencies to become more cyber secure, we wanted to know how these organizations are handling anti-phishing security awareness training initiatives and how end users in these agencies are performing. We isolated on the federal simulated phishing data from our State of the Phish Report and discovered three key takeaways agencies can use to make their security awareness training initiatives stronger. 

#1: Test Users More Frequently

Federal end users had a 10% average failure rate on phishing tests, which is comparable to the 9% average across all users in all industries (see the full State of the Phish Report for more details). However, we did notice that federal agencies don’t test users as frequently as they should. On average, agencies ran just three campaigns during the course of our measurement period (October 2017 through September 2018).   

We recommend that all organizations send a simulated phishing campaign about once a month. Cybercriminals are on the attack 24x7x365, and organizations that test users infrequently are missing the opportunity to gauge responses to different types of threats, and to assess responses to trending threats.

#2: Use More Data Entry- and Attachment-Based Templates 

In our platform, customers have the option to choose from link-based, attachment-based, and data entry-based templates, the latter of which ultimately request login credentials or other sensitive information from recipients. At 82%, our data shows that federal agencies overwhelmingly chose link-based simulated attacks during our measurement period, with data entry (14%) and attachment (4%) phishing tests used far less frequently. 

Though attackers generally favor link-based lures, it’s important that agencies have visibility into users’ propensity to follow clicks with submission of sensitive data. Proofpoint research showed that instances of credential phishing quadrupled between Q2 and Q3 2018 — a dangerous trend given that multiple services often sit behind a single set of credentials. In addition, though ransomware fell off in 2018, other malicious payloads have taken its place. From the Proofpoint Threat Insight Team: 

As we observed throughout 2018, the email landscape contained a diverse group of threats, instead of being dominated by any one malware family as occurred in 2016 and 2017. [B]ankers, downloaders, and information stealers comprised 90% of all malware payloads, but remote access Trojans (RATs) doubled relative to other malware families, appearing in 8% of all campaigns. 

Attackers are tenacious, resourceful, and agile—and that means users must be as well. Federal agencies would benefit from regularly testing workers’ responses to a variety of link, data entry, and attachment lures. 

#3: Employ Different Themes When Testing Users 

Our customers can access (and customize) several hundred simulated phishing templates within our platform, but nearly all opt for campaigns that reflect one of four overarching template themes: Corporate, Consumer, Commercial, and Cloud. (See below for more details on how we define these themes.) 

More than half (58%) of the templates used in our federal customers’ campaigns fell into the Consumer category, outpacing Corporate phishing tests (27%) more than 2-to-1. Commercial templates were used in only 11% of campaigns, with Cloud-themed tests used just 4% of the time. 

We recommend a more even distribution of themes in order to educate end users about the wide variety of lures they are likely to encounter. In particular, we recommend that federal agencies ramp up their use of Commercial-themed templates, which had a 17% average failure rate across tested users (a much higher rate than the 10% average across all federal campaigns).