Anti-Phishing Bill Introduced To Congress


Phishing attacks are one of the most prevalent methods used by cybercriminals to steal personal information and money from unsuspecting victims. In 2020, the FBI’s Internet Crime Complaint Center (IC3) received more than 241,000 complaints of suspected internet crime, in which businesses and individuals reported losses of more than $4.2 billion. Traditional security awareness training has not been effective in stopping these attacks, and with the increase in COVID-19-related remote work, the risk of phishing attacks has only increased.

To combat this growing threat, a bipartisan group of lawmakers introduced an anti-phishing bill in Congress in March 2021. The proposed bill seeks to bolster cybersecurity efforts by addressing the root cause of most cybercrimes, which is human error. The bill aims to establish a grant program to provide funding for cybersecurity awareness training for small and medium-sized businesses (SMBs) and non-profit organizations.

The Anti-Phishing Training Act, proposed by Representative Jim Langevin (D-RI) and co-sponsored by Representatives Joe Wilson (R-SC) and Bill Keating (D-MA), would provide the necessary funds to SMBs and non-profit organizations to better educate their employees on identifying and protecting against phishing attacks. The grant program would be administered by the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, which would establish the criteria for grant recipients and oversee the program's overall implementation.

The proposed legislation aims to address the most significant cybersecurity challenge facing businesses today: the human factor. Businesses can spend millions of dollars on security technology, but if employees are not adequately trained to recognize and avoid phishing attacks, then those investments will not deliver the desired results.

Phishing attacks often use social engineering techniques to trick victims into divulging sensitive information, such as login credentials or credit card numbers. These attacks can be challenging to detect, as they often appear to come from legitimate sources, such as banks, government agencies, or even colleagues within the same organization. With training on identifying phishing attacks, employees can better understand the signs of a phishing attempt and avoid falling for the scam.

The proposed legislation also seeks to address the disproportionate impact of cyberattacks on SMBs and non-profit organizations. According to a report by the National Cyber Security Alliance, 43% of cyberattacks target SMBs, and of those businesses that fall victim to cybercrime, 60% go out of business within six months.

SMBs often lack the resources and expertise to implement robust cybersecurity measures. Cybercriminals frequently target SMBs because they know that these organizations are more likely to have weaker security controls than larger enterprises. Providing SMBs and non-profit organizations with the necessary training to identify and avoid phishing attacks is a critical step in addressing this gap.

The proposed legislation is not the only effort aimed at addressing the human factor in cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) has launched the "Reduce the Risk of Phishing" campaign to provide individuals and organizations with resources and tools to better identify phishing attacks. The campaign includes posters, videos, and tip sheets that emphasize the importance of being vigilant and provides examples of common phishing schemes.

Implementing cybersecurity awareness training is not a new concept. Many organizations have already implemented similar programs to educate their employees on how to identify and avoid phishing attacks. However, the proposed legislation empowers SMBs and non-profit organizations to access critical funding necessary to support these initiatives.

The grant program's funding is a key factor in making cybersecurity awareness training accessible to SMBs and non-profit organizations, as they often lack the necessary budget to invest in this type of training. The training will strengthen their cybersecurity posture and help protect them against cybercrime, which could ultimately save these businesses and non-profit organizations from financial ruin.

In conclusion, the proposed Anti-Phishing Training Act is an essential step towards addressing the root cause of most cybercrimes. The bill's proposed grant program will provide funding for SMBs and non-profit organizations to access the necessary resources to better protect themselves from phishing attacks. By educating employees on how to identify and avoid phishing attacks, these organizations will become more resilient to cyberattacks and help improve their overall security posture. The bipartisan support for this legislation is promising, and we hope to see it signed into law soon.