Sometimes information security involves taking two steps forward and one step back. Case in point: the recent evolution of many vendors from traditional Security Awareness Training to training with integrated anti-phishing services.
With phishing being the source of a large number of ransomware and other malware attacks, investing in a good Security Awareness program is often a very positive investment. Even better, the risk associated with engaging a Security Awareness Training vendor has generally been very low; typically, the only data a vendor would need to have on their servers are usernames and email addresses.
So with this approach, you could mitigate a significant risk at low cost, while essentially adding zero risk. Win-Win-Win.
Now, this is changing – at an increasingly fast pace – because Security Awareness vendors are integrating anti-phishing into their training systems. This makes a lot of sense, as we can test to make sure the anti-phishing training is effective and retrain as necessary. Seems like another Win-Win.
The danger with this new approach is the third-party risk is now much, much higher. Here’s why…
In order to run simulated phishing attacks, anti-phishing vendors need your users’ email addresses, and their simulated phishing emails have to actually reach the inbox. This means you often have to whitelist their systems (or IPs) on the devices that provide filtering protection against phishing (e.g., spam filters, AV scanners, content filters, etc.).
If the anti-phishing vendor is compromised by a malicious attacker, the attacker could send your company malicious emails that completely bypass the security controls you whitelisted the vendor through. That’s not how you want to test the effectiveness of the anti-phishing training.
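One way to narrow that whitelist so a compromised vendor cannot simply walk through it: instead of a blanket IP bypass, only bypass filtering for mail that arrives from the vendor's range, from the agreed sender domain, with an agreed campaign identifier, during a scheduled campaign window, and route everything else from that range to normal scanning plus a review queue. This is an added illustration (not code from the post or from any vendor); the IP range, domain, header name, campaign id and dates are constructed placeholders.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed allow-list entry for a simulation vendor. Every value is a placeholder
# you would replace with what you agree on with your vendor.
VENDOR_ALLOWLIST = {
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3, placeholder range
    "sender_domain": "phish-sim.example",               # placeholder vendor domain
    "campaign_header": "X-Sim-Campaign",                # assumed header name
    "campaign_ids": {"q3-invoice-lure"},                # ids agreed for this window
    "windows": [(datetime(2024, 9, 10, tzinfo=timezone.utc),
                 datetime(2024, 9, 12, tzinfo=timezone.utc))],
}


def classify(msg):
    """Return 'bypass', 'scan' or 'review' for a message dict.

    msg carries src_ip, mail_from, headers (dict) and a tz-aware received_at.
    """
    ip = ipaddress.ip_address(msg["src_ip"])
    if not any(ip in net for net in VENDOR_ALLOWLIST["cidrs"]):
        return "scan"  # not from the vendor range: normal filtering applies
    domain = msg["mail_from"].rsplit("@", 1)[-1].lower()
    domain_ok = domain == VENDOR_ALLOWLIST["sender_domain"]
    cid = msg["headers"].get(VENDOR_ALLOWLIST["campaign_header"])
    in_window = any(s <= msg["received_at"] <= e for s, e in VENDOR_ALLOWLIST["windows"])
    if domain_ok and cid in VENDOR_ALLOWLIST["campaign_ids"] and in_window:
        return "bypass"  # the agreed simulation traffic, and only that
    # From the whitelisted range but not matching the agreed campaign: this is where
    # mail from a compromised vendor would land. Scan it normally and flag it.
    return "review"


def audit(messages):
    """Count decisions so the review queue can be checked against the campaign plan."""
    counts = {"bypass": 0, "scan": 0, "review": 0}
    for m in messages:
        counts[classify(m)] += 1
    return counts


# Constructed sample traffic: one real campaign message, one unexpected message from the
# vendor range (no campaign header, outside any window), one unrelated sender.
SAMPLE = [
    {"src_ip": "203.0.113.10", "mail_from": "it-support@phish-sim.example",
     "headers": {"X-Sim-Campaign": "q3-invoice-lure"},
     "received_at": datetime(2024, 9, 11, 9, 0, tzinfo=timezone.utc)},
    {"src_ip": "203.0.113.22", "mail_from": "ceo@phish-sim.example", "headers": {},
     "received_at": datetime(2024, 10, 2, 9, 0, tzinfo=timezone.utc)},
    {"src_ip": "198.51.100.7", "mail_from": "news@example.net", "headers": {},
     "received_at": datetime(2024, 9, 11, 9, 0, tzinfo=timezone.utc)},
]
```

Anything landing in the review bucket outside a scheduled campaign is exactly the signal the post warns about, so it belongs in your alerting, not just in a log.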
Be sure to update the vendor risk classification of your Security Awareness Training vendor if you add integrated anti-phishing to the service.