Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity

The Terranova Security annual Gone Phishing Tournament™ wrapped up in October 2020, spanning 98 countries and industries including healthcare, consumer goods, transport, energy, IT, finance, education, manufacturing, and more. Using templates created from actual phishing attacks created by Microsoft Security, Terranova Security Awareness Training draws on principles of behavioral science to create content that changes user behavior. True to our mission, this year’s results reveal a lot about the state of cybersecurity at the human level—your organization’s first line of defense.

Tournament results

Terranova Security’s Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October to coincide with National Cybersecurity Awareness Month. The Tournament tests real-world responses using a phishing email modeled on actual threats provided by Attack Simulation Training in Microsoft Defender for Office 365 (Office 365 Advanced Threat Protection). Click rates are segmented by industry, organization size, region, web browser, and operating system.

Using a template created from real phishing attacks, translated into 11 languages across 98 countries, the 2020 Gone Phishing Tournament revealed that organizations are taking phishing threats seriously, but with mixed results.

“There’s increasing crossover between our personal and work activities online. That’s why cybersecurity education and training needs to be an ongoing commitment.”—Vasu Jakkal, CVP, Security, Compliance and Identity Marketing, Microsoft

Password submission by industry

Figure 1: Password submission by industry

The average password submission rate across industries was 13.4 percent, with education employees taking the bait least often at just 7.9 percent. The highest password submission rate was among public sector employees at 20.7 percent.

Click and password submission rates by the size of the organization

Figure 2: Click and password submission rates by the size of the organization

The tournament results also showed there was not a great deal of variation when comparing organizations of varied sizes. For example, there was only a 9.2 percent difference in the number of people who clicked the phishing link and submitted passwords at organizations of fewer than 100 people, compared with those consisting of more than 3,000 employees. The results show that phishing attacks are not just a threat for smaller organizations with less sophisticated cybersecurity training—large organizations were even more vulnerable.

Ongoing attacks

In the new world of remote work, your people are your perimeter. Phishing provides hackers with a low-cost, low-risk form of social engineering with a potentially big payoff in the form of stolen passwords, leaked credentials, and access to sensitive data and intellectual property. Throughout 2020, opportunistic cybercriminals have been preying on distracted, overstressed remote workers by introducing COVID-19-themed phishing lures. The World Health Organization (WHO) has referred to the ongoing COVID-19 themed phishing attacks as an “infodemic.” By the summer of 2020, the Federal Trade Commission (FTC) had already recorded over 59,000 coronavirus or stimulus-related complaints resulting in over $74 million in losses.

The National Cyber Security Alliance (NCSA) is pushing back against the rise in cybercrime by building strong public and private partnerships that empower users to stay secure online.

“The Phishing Benchmark Global Report reinforces the need for the current work being done by organizations like Microsoft, Terranova Security, and the National Cyber Security Alliance. Real-world phishing simulations and engaging security awareness training help make organizations, employees, and everyday citizens aware of the growing risk of social engineering and phishing emails. We will continue working in partnership with industry and government to empower the global community towards becoming one that is more cyber aware.”—Kelvin Coleman, Executive Director of NCSA

Not all security awareness training is alike

To defend against increasingly sophisticated cyber threats, organizations need real-world training as a comprehensive internal campaign. Terranova Security Awareness Training includes gamification and interactive sessions designed to engage and can be localized to different geographies around the world.

Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, integrates simulations, training, and reporting. Terranova Security is excited to partner with Microsoft to deliver this differentiated, industry-leading solution, allowing our customers to detect, prioritize, and remediate phishing risk across their organizations. With Attack simulation training, customers can:

  • Simulate real threats: Detect vulnerabilities with real lures and templates—automatically or manually send employees the phishing emails attackers have used against your organization. Then, reach out to users who fall for a phishing lure with personalized training content.
  • Remediate intelligently: Quantify social engineering risks across employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impacts. Using user susceptibility metrics triggers automated repeat offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human security system with targeted training designed to change employee behavior. Training can be customized and localized, including simulations tailored to your employee’s contexts—region, industry, function—with granular conditionality on harvesting. Cater to diverse learning styles with interactive nano-learning and micro-learning content.

If there is a common thread to be found in this year’s Gone Phishing Tournament results, it is that organizations of every size need to make integrated attack simulation and training a cornerstone of their cybersecurity program. Cybercriminals do not take days off, and neither should your simulation and training program.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.