A ZIUR experimental project launches simulated attacks and offers specific training to 40 companies

2023 / 10 / 30
40 companies from Gipuzkoa's industrial network have taken part in the Spear Phishing project, ZIUR's latest experimental project on social engineering attacks. The aim of this initiative is to raise awareness among companies and their professional teams of the importance of applying good cybersecurity practices in their work environments.

40 companies from the Guipuzcoan industrial fabric have participated in 'Spear Phishing', the latest experimental project on social engineering attacks carried out by ZIUR. The objective of this initiative is to raise awareness among companies and their professional teams of the importance of following good cybersecurity practices in their work environments, and of being able to identify the most frequent threats. Different SMEs and micro-SMEs in the territory have participated in this project, which combined simulated social engineering attacks with specific training for staff.

The results of this study indicate that awareness in small and medium-sized companies of the financial or reputational damage these attacks can cause remains low, and that training on the subject in the workplace attracts little participation. The technical director of ZIUR, Maria Penilla, insists that "cybersecurity awareness should not be a one-off activity, but rather should be part of an ongoing training plan in all companies, regardless of their size and sector of activity."

Email continues to be one of the main attack vectors used by cybercriminals. The objective of the 'Spear Phishing' project was to assess the situation of Guipuzcoan industrial companies with respect to the cyber attacks their networks suffer. The key to the project was learning how users react when they receive a 'phishing' email and, above all, whether they are able to tell a legitimate message from a fake one.

The project was divided into three attack campaigns, each lasting four months, in which different simulated 'phishing' emails were sent to users of the 40 companies. The result is much more worrying than any CIO would like: the success rate obtained by the simulated attackers (a user clicking on the link in the email or opening the attachment) is very high, between 72% and 93%. Business Email Compromise (BEC) attacks were also carried out, directed, on the one hand, at the companies' management teams and, on the other, at the rest of the staff, impersonating the first victim. The success rate in the first case drops significantly (between 6% and 14%), while in the second case it remains at high percentages of between 85% and 93%.

Once the security breach has been detected, the project includes a second phase in which specific training is offered to address the situation. However, in most cases user participation in the training sessions was very limited. Between 11% and 42% of companies did not apply any training, and in only 4 out of 10 cases did 40% of the workforce complete any training. This situation represents a risk for industry and an opportunity for cybercriminals.