FREE TOOL: Your users are “Phish-Prone”


Did you know that 91% of successful data breaches started with a spear-phishing attack? Attackers go for the low-hanging fruit: humans.

Cybriant’s partner, KnowBe4, just completed a big-data analytics exercise over their 15,000 customers and came up with new baseline phish-prone percentages, and how fast they drop over time. To say the least, the numbers are very interesting, and this time they also broke them out by industry and size, showing the most at-risk industries. View the on-demand webinar here.

First of all, you need to know your organization’s phish-prone percentage. We offer a phishing security test through KnowBe4. This free tool will test up to 100 users and will give you a PDF with your phish-prone percentage and charts to share with management.

Why? If you don’t do it yourself, the bad guys will. 

Here’s how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you within 24 hours with your Phish-prone % and charts to share with management

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and effective cybersecurity best practice for patching your last line of defense: USERS.

How does your “Phish-prone” percentage compare to others in your industry? Watch the on-demand webinar to find out: https://www.cybriant.com/2018/01/on-demand-webinar-phishing-attack-landscape-and-benchmarking/

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. Get started immediately!


Find Out Your Phish Prone Percentage

The “Human Factor” Important in Cyber Risk Prevention


As I read over the Kroll Global Fraud & Risk Report for 2017, the most common issue discussed is the threat that comes from within your organization. Current and ex-employees were the most frequently cited perpetrators of fraud, cyber, and security incidents over the past 12 months. Notwithstanding this finding, external parties were identified as active perpetrators as well.

In the survey, taken by 545 senior executives worldwide across multiple industries and geographies, 85% said that their company experienced a cyber attack or information theft, loss, or attack in the last 12 months.

How these attacks happened

The survey also reveals that most cyber incidents involve more than one attack vector. Multiple, interwoven attack vectors were identified – directly on company software, systems, and websites; via third parties through malfeasance, attacks on their own systems, or in error; through employee error or malfeasance; and from device theft.

The highest reported attack vector was via software vulnerability, experienced by over a quarter of respondents (26%). Employee error or accident played a role according to 22% of respondents. And attacks on the corporate website were noted by 22% of respondents as well.


The Perps

The findings reveal that threats most commonly come from within. Current and ex-employees were the most frequently cited perpetrators of fraud, cyber, and security incidents over the past 12 months. Notwithstanding this finding, external parties were identified as active perpetrators as well.


Nearly 8 out of 10 respondents (79%) cited one of the following categories as the key perpetrator:

  • Senior or middle management employees of our own company
  • Junior employees of our own company
  • Freelance/temporary employees


Overall, 44% of respondents reported that insiders were the key perpetrators of a cyber incident, citing ex-employees (20%), freelance/temporary employees (14%), and permanent employees (10%). If we also consider agents/intermediaries as quasi-employees, noted by 13% of respondents, then the percentage indicating that insiders were the key perpetrators rises to a majority, 57%. Nearly one in three (29%) identified external players as the key perpetrators.

In total, 56% of executives surveyed said insiders were the key perpetrators of security incidents, citing ex-employees (23%), permanent employees (17%), and temporary/freelance employees (16%).

Building Cyber Resilience

The good news: 72% have introduced employee cybersecurity training and an equal percentage have employee restrictions on installing software on company devices. Detection methods rank high on the list, with intrusion detection systems, threat intelligence systems, and network operations centers next in magnitude of adoption.

The road to resiliency requires resources, analytics, creativity, understanding of human behavior, and sheer vigilance to continuously enhance each firm’s ability to prevent, prepare, respond, investigate, and remediate fraud and

What's next for your organization? Cybriant is here to help.

On-Demand Webinar: Phishing Attack Landscape and Benchmarking


New Study: Is Your Phish-Prone Percentage Better or Worse Than Your Peers in the Industry?

One of your important IT security projects is getting the Phish-prone percentage of your users as low as possible because phishing is the root cause of many security breaches.

<< Find out your Phish-Prone Percentage Here >>

But how are you doing compared to “similar-size peers” in your industry?

Our partner, KnowBe4, just completed a big-data analytics exercise over their 15,000 customers and came up with new baseline phish-prone percentages, and how fast they drop over time. To say the least, the numbers are very interesting, and this time they also broke them out by industry and size, showing the most at-risk industries.

With this much data to analyze, the new research uncovered some surprising results. The overall industry initial Phish-prone percentage benchmark turned out to be a troubling 27%, but with variations by size and industry.

Fortunately, the data showed that this 27% can be brought down more than half to just 13% in only 90 days by deploying new-school security awareness training. The 365-day results show that by following these best practices, the final Phish-prone percentage can be minimized to 2.17% on average.

Key topics covered in the research:

  • New phishing benchmark data by org size and industry
  • Understanding the current phishing landscape
  • Most clicked simulated phishing attacks
  • Top 10 “In the Wild” reported phishing emails

Watch the on-demand webinar to see how you stack up!

Your Users are Phish-Prone! Find out how many.

Watch the Webinar

5 Reasons to Consider Security Awareness Training


Schadenfreude (/ˈʃɑːdənfrɔɪdə/; German: [ˈʃaːdn̩ˌfʁɔʏ̯də]; lit. ‘harm-joy’) is the experience of pleasure, joy, or self-satisfaction that comes from learning of or witnessing the troubles, failures, or humiliation of another. (source: Wikipedia)

The press can’t get enough of corporate data breaches. They delight in showcasing the latest horror story about a business that lost massive amounts of private records or millions in revenue to the latest hack. I would call that schadenfreude, but wait… you could be next.

Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.

Yet by far, the most effective strategy in combatting these attacks is also one of the most poorly implemented – security awareness training. The long list of “worst practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing.

It’s better to start a new-school security training method sooner rather than later. Thousands of your peers will tell you this was the best and most fun IT security budget they ever spent… hands-down.

Here are the Top 5 reasons to consider Security Awareness Training: 

  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. Why spend 2 months of research uncovering a 0-day when you can (literally) create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and its sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018, when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
  4. Legally you are required to act “reasonably” and take “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today’s social engineering risks and “scale security measures to reflect the threat”. Don’t take my word for it: confirm with your lawyer, then insist on getting the budget. Today, data breaches cause practically instant class action lawsuits. And don’t even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
  5. Board members’ No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breached data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target’s CEO and CISO are just an example. Help your CEO to keep their job.

Hold the schadenfreude and learn from the mistakes of others! Find out more about our Security Awareness Training here: https://www.cybriant.com/cybersecurity-awareness-training/

Related: How to Prevent Zero-Day Attacks in 5 Steps

Free Security Training Tools

THIS was the most common password in 2017?


Sadly, the password 123456 has emerged as the most common password for the second year in a row. SplashData, a company that provides various password management utilities, compiles an annual list of common passwords by analyzing over five million user records leaked online in 2017.

See top 100 most common passwords here. 

If you use any of the passwords listed, you could be at risk for identity theft. How? Because attackers use these same leaked records to build similar lists of leaked passwords, which they then assemble as “dictionaries” for carrying out account brute-force attacks.

Attackers will use the leaked terms, but they’ll also create common variations on these words using simple algorithms. This means that by adding “1” or any other character combination at the start or end of basic terms, users aren’t improving the security of their password.

Of five million leaked credentials, here are the top 25 most common passwords: 

1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 2)
5 – 12345 (down 2)
6 – 123456789 (new)
7 – letmein (new)
8 – 1234567 (unchanged)
9 – football (down 4)
10 – iloveyou (new)
11 – admin (up 4)
12 – welcome (unchanged)
13 – monkey (new)
14 – login (down 3)
15 – abc123 (down 1)
16 – starwars (new)
17 – 123123 (new)
18 – dragon (up 1)
19 – passw0rd (down 1)
20 – master (up 1)
21 – hello (new)
22 – freedom (new)
23 – whatever (new)
24 – qazwsx (new)
25 – trustno1 (new)

Our partner, KnowBe4, has created a complex password guide to help your users make a strong password that is very hard to crack. Here’s how to start: Think of a phrase or sentence with at least eight words. It should be something easy for you to remember but hard for someone who knows you to guess. It could be a line from a favorite poem, story, movie, song lyric, or quotation you like.

<< Click to view the complete Complex Password Guide >>

Tips For Password Security

  • Keep your passwords private – never share a password with anyone else.
  • Do not write down your passwords.
  • Use passwords of at least eight (8) characters (longer is better).
  • Use a combination of uppercase letters, lower case letters, numbers, and special characters (for example: !, @, &, %, +) in all passwords.
  • Avoid using people’s or pets’ names, or words found in the dictionary; it’s also best to avoid using key dates (birthdays, anniversaries, etc.).
  • Substituting look-alike characters for letters or numbers is no longer sufficient (for example, “Password” and “P@ssw0rd”).
  • A strong password should look like a series of random characters.
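The two points above worth enforcing in code are that attackers mangle leaked words with simple rules (appending “1”, prefixing symbols) and that look-alike substitutions such as “P@ssw0rd” do not help. The following is an added example, not KnowBe4’s or Cybriant’s tool: a password-acceptance check that undoes those mangling rules before comparing against a leaked-password list. The list here is a constructed sample containing only the 25 passwords quoted in the post; a real deployment would load a much larger leaked set.

```python
import re
from typing import List, Optional

# Constructed sample: the 25 SplashData passwords quoted in the post.
LEAKED = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
}

# Reverse look-alike tables. "1" stands in for both "l" and "i" in the wild,
# so two tables are tried.
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
UNLEET = [str.maketrans({**_BASE, "1": "l"}), str.maketrans({**_BASE, "1": "i"})]


def variants(pw: str) -> List[str]:
    """Base forms that simple mangling rules could have produced from a leaked word.
    The exact lower-cased password comes first so exact hits are reported as such."""
    lower = pw.lower()
    # Drop leading symbols and trailing digits/symbols: "!!Monkey99" -> "monkey".
    stripped = re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", lower)
    out: List[str] = []
    for cand in (lower, stripped, *(c.translate(t) for c in (lower, stripped) for t in UNLEET)):
        if cand and cand not in out:
            out.append(cand)
    return out


def check_password(pw: str) -> Optional[str]:
    """Return a rejection reason, or None if the password passes these checks."""
    if len(pw) < 8:  # minimum from the tips above
        return "shorter than 8 characters"
    for cand in variants(pw):
        if cand in LEAKED:
            if cand == pw.lower():
                return f"appears in leaked password list ('{cand}')"
            return f"trivial variant of leaked password '{cand}'"
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "!!Monkey99", "L3tMe1n!!", "123456789", "Dragon!",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Only the last candidate in the demo passes; the others are rejected even though several satisfy the “mix of character classes” tip, which is the point of the look-alike warning.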

Weak Password Tool

How weak are your users’ passwords? Find out more about our complimentary Weak Password Tool, available from KnowBe4.