Podcast Summary: Cybersecurity Today
Episode: Unveiling Cyber Security Insights: Research Report with David Shipley
Host: Jim Love
Release Date: March 15, 2025
Introduction
In this enlightening episode of Cybersecurity Today, host Jim Love engages in a deep dive with David Shipley, CEO of Boseron Security, to discuss their latest research report on cybersecurity threats and strategies for businesses. The conversation centers around the prevalence of phishing attacks, the limitations of current technological defenses, and the critical role of human behavior and awareness in mitigating cyber risks.
Notable Quote:
Jim Love [00:00]: "For every complex problem, there's an answer that's clear, simple and wrong."
Phishing Leakage Rates
David Shipley introduces a striking statistic from their report: 1 in 5 real phishing emails bypass email filters and land in employee inboxes, a rate they term the "phish leakage rate" (20%). This figure underscores the persistent challenge that phishing poses even with advanced filtering technologies in place.
Notable Quote:
David Shipley [01:56]: "The average number of real phishing emails that we've seen make it past email filters and land in employee inboxes over the past year is 1 in 5 or 20%."
Technology Bias and Its Implications
A significant portion of the discussion revolves around "technology bias"—the overreliance on technological solutions to solve cybersecurity problems. Shipley emphasizes that while tools like email filters are essential, they are not foolproof. Human vigilance remains a critical component of an effective cybersecurity strategy.
Notable Quote:
David Shipley [03:41]: "We believe, and more and more of us believe that these technical tools solve all of our problems... But a buyer looking to all the sellers is not going to reward the vendor that says realistically we'll stop 90%. They will always go to the vendor that's going to say 99."
Human Behavior and Security Culture
The conversation delves into the importance of fostering a security-aware culture within organizations. Shipley highlights that security awareness programs and employee behavior are pivotal in reducing phishing success rates. The report indicates that companies with proactive training and engagement see better outcomes in phishing simulations.
Notable Quote:
David Shipley [07:35]: "Your key messaging needs to be on these particular areas."
Effectiveness of Security Training
Contrary to the conventional wisdom that more training equates to better security outcomes, the report reveals diminishing returns with excessive training. Shipley explains that training sessions lasting more than an hour can lead to weaker results, attributing this to phenomena like the Dunning-Kruger effect, where individuals may overestimate their abilities after insufficient training.
Notable Quote:
David Shipley [15:13]: "People, if you took more than one hour of training, saw weaker results."
Optimizing Training Frequency and Duration
The research advocates for short, targeted training sessions distributed regularly (e.g., every 90 days) rather than infrequent, lengthy courses. This approach not only improves retention but also minimizes the creation of "security detractors"—employees who become disengaged or resentful due to excessive training demands.
Notable Quote:
David Shipley [17:18]: "There is an optimum amount. We've also been able to see that there's an optimum frequency out every 90 days."
Key Metrics for Evaluating Security Programs
Shipley introduces several critical metrics beyond the traditional click rate to assess the effectiveness of phishing simulations:
- Report Rate: The percentage of employees who received the phishing test and reported it; organizations in the study averaged a 44% report rate versus an industry average of 25%.
- Post-Click Report Rate: The likelihood that an employee who clicks on a phishing email will subsequently report it, cited as 15% compared to Verizon's 11%.
- Ignore Rate: Employees who neither click nor report phishing emails, which represents a missed opportunity for organizational learning and threat detection.
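The three metrics above (plus the click rate) can all be derived from the same per-recipient outcome data. The following is an added example, not code from the podcast or from the report it discusses: it computes click rate, report rate, post-click report rate and ignore rate from a constructed CSV export of one simulation. The column names (user, clicked, reported) and the choice of denominators are assumptions: click, report and ignore rates are taken over all delivered test emails, and the post-click report rate over those who clicked, which is how the summary describes each metric.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SimulationEvent:
    """Outcome for one recipient of a phishing simulation (constructed record format)."""
    user: str
    clicked: bool
    reported: bool


# Constructed sample export: 20 delivered test emails.
# 8 reported without clicking, 4 clicked without reporting,
# 2 clicked and then reported, 6 did neither (ignored).
SAMPLE_RESULTS = """\
user,clicked,reported
u01,0,1
u02,0,1
u03,0,1
u04,0,1
u05,0,1
u06,0,1
u07,0,1
u08,0,1
u09,1,0
u10,1,0
u11,1,0
u12,1,0
u13,1,1
u14,1,1
u15,0,0
u16,0,0
u17,0,0
u18,0,0
u19,0,0
u20,0,0
"""


def parse_results(text: str) -> List[SimulationEvent]:
    """Parse a CSV export with the assumed columns user,clicked,reported (0/1 flags)."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        SimulationEvent(
            user=row["user"],
            clicked=row["clicked"].strip() == "1",
            reported=row["reported"].strip() == "1",
        )
        for row in reader
    ]


def phishing_metrics(events: Iterable[SimulationEvent]) -> Dict[str, float]:
    """Compute the behaviour metrics discussed above from per-recipient outcomes."""
    events = list(events)
    delivered = len(events)
    if delivered == 0:
        raise ValueError("no delivered simulation emails to score")

    clicked = sum(1 for e in events if e.clicked)
    reported = sum(1 for e in events if e.reported)
    # Recipients who clicked but still raised the alarm afterwards.
    clicked_then_reported = sum(1 for e in events if e.clicked and e.reported)
    # Silent outcomes: no click, no report, so no signal for the security team.
    ignored = sum(1 for e in events if not e.clicked and not e.reported)

    return {
        "click_rate": clicked / delivered,
        "report_rate": reported / delivered,
        # Undefined when nobody clicked; report 0.0 rather than divide by zero.
        "post_click_report_rate": clicked_then_reported / clicked if clicked else 0.0,
        "ignore_rate": ignored / delivered,
    }


if __name__ == "__main__":
    for name, value in phishing_metrics(parse_results(SAMPLE_RESULTS)).items():
        print(f"{name:>24}: {value:.1%}")
```

Note that report rate and click rate are not complements: a recipient can do both (the post-click report is the useful recovery behaviour the summary highlights), and the ignore rate captures the remainder who did neither, which is the population a training programme has no feedback from at all.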
Notable Quote:
David Shipley [23:21]: "Report rate is the percentage of people who received that phishing test who then took the step of... something triggered in them and said, this doesn't feel right. They didn't click on it and they reported. That's amazing."
Industry-Specific Findings
The report uncovers varying phishing click rates across industries, with significant increases observed in hospitality, healthcare, and pharmaceuticals. Conversely, the insurance industry demonstrated a 102% increase in reporting, highlighting effective engagement strategies.
Notable Quote:
David Shipley [31:40]: "Healthcare and pharmaceuticals saw a 69% increase in click rates along with some reductions in report rates... The insurance industry... actually had a 102% increase in reporting."
Addressing Optimism Bias
Optimism bias—the tendency to believe that negative events are less likely to happen to oneself—is identified as a major vulnerability. The research shows that employees who do not perceive their organization as a target are more likely to engage in risky behaviors, such as clicking on phishing links.
Notable Quote:
David Shipley [20:50]: "Optimism bias is the natural propensity to think something bad is more likely to happen to Jim than me did."
Recommendations for Organizations
To combat the identified challenges, Shipley recommends:
- Balanced Training: Implement concise, regular training sessions to maintain engagement without causing fatigue.
- Enhanced Reporting Mechanisms: Encourage and simplify the process for employees to report suspicious emails.
- Cultural Shift: Foster an environment where security is a shared responsibility, and reporting mistakes is viewed as a proactive measure rather than a punitive action.
- Focus on Behavior Metrics: Shift from purely activity-based metrics to those that measure actual behavioral changes, such as reporting rates.
Notable Quote:
David Shipley [35:43]: "Don't just think about your people as a liability, as a risk to be managed. Do not get trapped by human risk management and think that is the peak of where this industry is at."
Conclusion
Jim Love and David Shipley wrap up the discussion by emphasizing the importance of understanding human factors in cybersecurity. Shipley advocates for ongoing research and a curious, data-driven approach to enhance security awareness programs. He invites listeners to access the full report for a comprehensive understanding and encourages feedback to further refine their insights.
Notable Quote:
Jim Love [39:29]: "But aside from that, even if you don't buy anything from check out this research worth doing."
Accessing the Research Report
Listeners interested in exploring the detailed findings are encouraged to visit Boseron Security’s website or contact them directly at info@boseronsecurity.com to obtain a copy of the annual report.
This episode serves as a crucial reminder that while technology is an essential defense mechanism in cybersecurity, the human element remains equally vital. By addressing biases, optimizing training, and fostering a proactive security culture, organizations can significantly enhance their resilience against evolving cyber threats.
