by Alupis 4163 days ago
> the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent

I'd challenge that assertion. Employees are often the first line of defense for any company, be it seeing something suspicious or knowing when to alert the right people. Investing in phishing attack training can be very worthwhile. Or at least adopt a strict company policy that helps ward off the basic forms of this attack.

It's not uncommon to have a company-wide policy that users are not allowed to open attachments in any email from anyone without IT's approval. It's inconvenient, sure, but it protects against multiple email-based attacks (everything from simple viruses to more advanced phishing attacks).

There's even phishing attack training specifically targeted at large enterprise (they send phishing attack emails to your targeted employees and when they fall for it, they get a quick lesson and explanation). [1]

[1] http://threatsim.com/how-it-works/

1 comments

I have never seen corporate policy with regard to attachments and link following effectively thwart a spearphishing campaign and have been privy to studies done at large corporations before and after phishing-awareness training. The short of these studies is that after approximately a week employees mostly reverted to regular habits and that during the week of high alert many employees fell to the internal audit anyway.

Then again, this is only from two studies done at one large corporation.

I looked around but could not find any studies or data about the long term effectiveness of phishing awareness campaigns (only PR junk), nor could I find evidence that SONY did not engage employees with these sorts of policies and training. Do you know of any such studies?

Do you believe that #GOP would not have gotten in if there were more strict policies and more frequent training?