Even before the coronavirus pandemic, phishing was implicated in up to 67% of all corporate data breaches, according to Verizon’s 2020 Data Breach Investigations Report (VDBIR). In the first half of 2020, employees empowered to report suspect emails in hopes of foiling new breaches ended up shellacking already overburdened Security Operations Center (SOC) teams with more incidents than they could possibly handle. But organizations employing automated response technologies were able to neutralize unreported threats while accelerating time-to-containment.
Inside the ACID H2 2020 Phishing Incident Response Survey
For this mid-year report, ACID researchers interviewed SOC professionals at 13 large organizations with operations spanning a cross-section of industries, including high-tech, healthcare, agriculture, construction, retail, and energy. The objective was to gain insight into reported incident volumes, false positive rates, and the impact of automation on the investigation and remediation of email threats from January through June 2020. This section of the H2 2020 Email Fraud and Identity Deception Trends Report features our analysis of these conversations.
The False Positive Rate on Employee-Reported Phishing Incidents
According to a recent study from KnowBe4, one-third of all employees will click on a malicious link or obey a fraudulent email request in phishing simulations. Apparently, these recipients must be sending all of their legitimate email to the SOC team. Joking aside, employee-reported phishing incidents topped 4,521 during the first half of the year, according to the 13 large organizations participating in our H2 2020 Phishing Incident Response Survey. Unfortunately, the number of false positives climbed 7% during that same period, to 67% of all reported incidents. This means SOC analysts are forced to waste valuable time on benign reports while the investigation, remediation, and containment of legitimate breaches grow longer and more costly.
Every minute spent investigating false positives means actual phishing emails are left undetected, increasing the likelihood of a data breach with each passing moment. Yet today, 25% of all breaches go undetected for a month or more, according to the 2020 Verizon Data Breach Investigations Report. And Ponemon Institute estimates the costs associated with each new breach average $8.9 million. According to the companies included in our mid-year survey, automation is critical to preventing these kinds of incursions from ever happening, and to reducing time-to-containment from weeks or months down to mere minutes for those that do. This is in part because, on average, automated processes enable them to uncover a far larger number of attacks than those reported by employees.
The Number of Additional Malicious Emails Detected Through Automated Response
The companies in our survey indicate automated phishing response detects 90X more email threats than manual reporting alone. Out of 4,285 verified phishing emails reported during the first half of 2020, organizations with automated phishing response processes identified 643,692 additional email threats that were either similar or directly related to those reported by employees. That’s a 100% increase over our last report. Organizations cite automating analysis and triage tasks as key to realizing direct savings and increased efficiency and avoiding breach costs.
[Chart: Malicious Phish Reports; All Similar Messages Found; Similar Messages Confirmed Malicious]
Additional Email Threats Neutralized Through CDR
Across 145 unique events, organizations employing continuous detection and response (CDR) technologies enhanced with shared threat intelligence identified more than fifty-five hundred malicious messages beyond those detected through automated phishing response alone, according to survey participants. CDR technologies identify latent threats that have evaded detection through dormant payloads, new impersonation techniques, or “time-bombed” URLs that redirect post-delivery. By analyzing company-wide email metadata, these technologies forensically recognize and remove email threats from all inboxes automatically.
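The pipeline described in the two sections above (an employee report, a search of company-wide email metadata for similar messages, and confirmation against shared threat intelligence) is sketched below as an added illustration. It is not code from the survey or any participant's product; the message records, the look-alike domains and the blocked-host list are constructed sample data, and the similarity rules (shared sender domain, shared linked host, normalised subject) are an assumed, deliberately simple stand-in for what a real CDR engine does.

```python
import re
from typing import Dict, List, Set

def _m(i: int, frm: str, subject: str, *hosts: str) -> Dict:
    """Build one message-metadata record (constructed sample data, not survey data)."""
    return {"id": i, "from": frm, "subject": subject, "url_hosts": list(hosts)}

# Constructed company-wide metadata: id 1 is the employee-reported phish.
CORPUS: List[Dict] = [
    _m(1, "it-helpdesk@examp1e-support.com", "Re: Password expiry notice", "examp1e-support.com"),
    _m(2, "it-helpdesk@examp1e-support.com", "Password expiry notice", "examp1e-support.com"),
    _m(3, "news@vendor.example.net", "FW: password expiry notice", "login-examp1e.net"),
    _m(4, "hr@example.com", "Re: Password expiry notice", "example.com"),  # legitimate look-alike
    _m(5, "billing@shop.example.org", "Your invoice", "shop.example.org"),
    _m(6, "alerts@example-mail.co", "Account locked", "examp1e-support.com"),
]
# Hypothetical shared threat-intelligence list of known-bad hosts.
BLOCKED_HOSTS: Set[str] = {"examp1e-support.com", "login-examp1e.net"}

def subject_fingerprint(subject: str) -> str:
    """Strip reply/forward prefixes, case, digits and extra spaces so variants cluster together."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.lower())
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip()

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def find_similar(reported: Dict, corpus: List[Dict]) -> List[Dict]:
    """Messages sharing a sender domain, a linked host, or a subject fingerprint with the report."""
    dom, subj = sender_domain(reported["from"]), subject_fingerprint(reported["subject"])
    hosts = {h.lower() for h in reported["url_hosts"]}
    return [m for m in corpus if m["id"] != reported["id"] and (
        sender_domain(m["from"]) == dom
        or hosts & {h.lower() for h in m["url_hosts"]}
        or subject_fingerprint(m["subject"]) == subj)]

def confirm_malicious(candidates: List[Dict], blocked: Set[str]) -> List[Dict]:
    """Keep only candidates whose sender domain or a linked host is on the threat-intel list."""
    return [m for m in candidates if sender_domain(m["from"]) in blocked
            or any(h.lower() in blocked for h in m["url_hosts"])]

def triage(reports: List[Dict], corpus: List[Dict], blocked: Set[str]) -> Dict[str, int]:
    """Return the three figures the report charts: reports, similar found, confirmed malicious."""
    similar, confirmed = set(), set()
    for r in reports:
        sim = find_similar(r, corpus)
        similar.update(m["id"] for m in sim)
        confirmed.update(m["id"] for m in confirm_malicious(sim, blocked))
    return {"reports": len(reports), "similar_found": len(similar), "confirmed_malicious": len(confirmed)}

if __name__ == "__main__":
    print(triage([CORPUS[0]], CORPUS, BLOCKED_HOSTS))  # {'reports': 1, 'similar_found': 4, 'confirmed_malicious': 3}
```

Message 4 is the case the survey's false-positive figures describe: it clusters with the report on subject alone, so the confirmation step against threat intelligence is what keeps a legitimate HR notice out of the remediation set.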
Average Remediation Time on Reported Phishing Attack Using Automation
Participants report that malicious phish reported by end users are remediated within 36 minutes with the aid of automation—specifically automated prioritization of incidents based on potential impact to the organization, and identification of all affected employees. This kind of speed is critical. According to research from Aberdeen, there’s a 30% chance of a first-user click on malicious emails within 60 seconds of delivery, with a median time-to-first-click on malicious emails of just 134 seconds.