What the consolidation of phishing awareness training means for CIOs

Last November I was asked for my 2018 cybersecurity predictions, and I was most confident about one. That projection: the phishing awareness training market was primed for consolidation.

Fast-forward just a few months and my inner genie certainly appears to be out of the bottle. By January 3, Barracuda Networks had announced its acquisition of Phishline, a social engineering training platform, for an undisclosed amount. Shortly thereafter, Proofpoint revealed its purchase of Wombat Security, a provider of information security awareness and training, for $225 million. Next up was PhishMe, a phishing simulation platform, which disclosed its acquisition by a private equity “syndicate” for $400 million, simultaneously beginning a major rebranding initiative. Not to be left out was security awareness training provider KnowBe4, which got into the M&A action by acquiring South Africa’s Popcorn Training.

Is business email compromise driving phishing awareness training consolidation?

As the overall security awareness training market is poised for accelerated growth, large security companies that provide email security products and solutions, such as Proofpoint and Barracuda Networks, undoubtedly see their recent acquisitions as an opportunity to gain market share and mindshare. The inclusion of phishing awareness training modules and content into their suite of services allows them to enhance their current customer experience, differentiate from competitors and eliminate excess vendor sourcing from prospective clients.

But that doesn’t explain why so many of the most prominent phishing awareness training vendors simultaneously concluded that now is the time to exit. Rik Turner, a principal analyst at Ovum, offers this as a potential reason:

"Phishing awareness is of course an essential part of a company’s security posture, but awareness is not, in itself, enough. Employees need to go beyond awareness to proactive defense, reporting suspected phishing emails and being watchful for future exploits. Furthermore, training should cover multiple other threat vectors. These shortcomings of pure phishing awareness platforms are what is driving M&A activity, as companies seek to aggregate customer bases and broaden their offerings to phishing defense and beyond."

In addition to the “shortcomings” identified by Rik, the frequency and sophistication of modern email phishing attacks have also played a role in diminishing the effectiveness of phishing awareness training technology, potentially accelerating exit strategies as a means to limit financial and reputational risk.

Today, signature-less, file-less and link-less business email compromise (BEC) attacks can effectively defeat gateway email security and land malicious messages at the top of inboxes. In fact, according to the Symantec 2017 Internet Security Threat Report, more than 400 businesses are targeted by BEC scams every day.

BEC is successful because it relies on socially engineered messages that appear to originate from a legitimate partner, senior executive, trusted associate or client. Common BEC schemes involve bogus invoices from trusted suppliers, requests from HR for personal information on employees, solicitations to fill out tax forms and appeals to complete time-sensitive wire transfers.

Due to both the frequency of these attacks and the attackers’ meticulous attention to detail, spoofed and impersonated messages that do bypass email security tools are often not recognized as malicious by human recipients, even those who have undergone extensive, costly and time-consuming phishing awareness training.
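Display-name impersonation, lookalike sending domains and a redirected Reply-To are the header-level tells behind the spoofed and impersonated messages just described. The following Python is an added illustration, not code from this article or from any vendor it names: it inspects a message's From and Reply-To headers for those three signals. The executive names, the internal domain and the sample headers are constructed placeholders.

```python
"""
Added example (not part of the original article): a minimal heuristic check
for the executive-impersonation pattern described above. It inspects only
message headers; no real mail is read. All names, domains and sample
messages below are constructed for illustration.
"""
from email.utils import parseaddr
import re

# Assumed organisation data (constructed placeholders).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe", "john smith"}   # executives an attacker would impersonate


def _normalise(name: str) -> str:
    """Lower-case and reorder name tokens so 'Doe, Jane' matches 'jane doe'."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_signals(headers: dict) -> list:
    """Return the names of impersonation signals found in the From/Reply-To headers."""
    signals = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return signals   # internal sender; outside the scope of this heuristic
    # 1. Display name matches a protected executive but the address is external.
    if _normalise(display) in {_normalise(n) for n in PROTECTED_NAMES}:
        signals.append("display_name_impersonation")
    # 2. Sending domain is one or two edits away from an internal domain.
    if any(0 < _edit_distance(domain, d) <= 2 for d in INTERNAL_DOMAINS):
        signals.append("lookalike_domain")
    # 3. Reply-To points somewhere other than the From address.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        signals.append("reply_to_mismatch")
    return signals


# Constructed sample headers (not real messages).
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <ceo.jdoe@freemail.invalid>", "Reply-To": "ceo.jdoe@freemail.invalid"},
    {"From": "Accounts Payable <ap@examp1e.com>", "Reply-To": "payments@other.invalid"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h["From"], "->", bec_signals(h) or ["no signal"])
```

A check like this only catches the crude end of the spectrum: a message sent from a genuinely compromised partner mailbox, or one that the attacker has tailored carefully enough, produces none of these signals, which is the article's point about why header cues and user training alone are not sufficient. In practice such heuristics sit alongside sender authentication (SPF, DKIM, DMARC) and feed a triage queue rather than block mail outright.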

Phishing awareness training devolves into a small piece of the email security puzzle

BEC’s inherent capacity to trick even the most phishing-aware employees, combined with the inability of phishing awareness training tools to perform automatic mitigation and remediation, has undoubtedly expedited industry consolidation. And since, on average, an employee interacts with a phishing email and detonates its contents within 80 seconds of the message hitting an organization’s mailboxes, CISOs are under increasing pressure to adopt technologies that offer greater ROI in real time.

But is the phishing awareness industry going the way of the dinosaur? Gartner vice president Peter Firstbrook still sees benefits to phishing awareness training, but believes that such tools must be integrated within a more comprehensive email security strategy for them to survive:

“Integrating phishing training into phishing filters is an excellent way to make sure the training is relevant and as real-time as possible. Ultimately phishing is a trust issue, and future solution providers will need to give email recipients more information so they can make better-informed decisions. Smart solutions will start incorporating user decisions to train machine learning. Mergers will have to demonstrate execution in completing this feedback loop.”

There is no denying the reality that the subsector of security awareness training that is phishing awareness is in fact going the way of the dinosaur. Despite the prevalence of point solutions and existing partnerships with the enterprise, consolidation is poised to continue, in large part due to the proliferation of BEC-type attacks. Such a social engineering phenomenon has simply made phishing too frequent and complex for humans to own the majority of the burden alone. As CIOs continue to work closely with CISOs on hardening their digital defenses, it’s essential that they now recognize phishing awareness training as just a very small piece of the large email security puzzle.
