Who would you expect to be the last organization taken in by a phishing attack? How about the “largest source for information security training and security certification in the world?” That’s right. The SANS Institute, around since 1989, training more than 165,000 security professionals around the world, was just breached as the result of a phishing attack.

According to an article on SC Magazine, “The security training authority has confirmed to SC Media that it was the victim of a ‘consent phishing’ scam – an attempt by adversaries to get employees to install a malicious application and/or grant it permissions that will allow it to access sensitive data or perform unwanted functions.”

What was the damage? How about “28,000 records containing personally identifiable information to a malicious Office 365 add-on, which caused an employee’s email account to automatically forward emails to an attacker’s address.”

Should it come as a shock that a security training company got phished? Not really. As the article correctly pointed out, “[all] it takes [is] just one uninformed, distracted or negligent employee to trigger an incident.” This proves once again that the weak link in the email security chain is the employee, and that awareness training that is 99% effective is like having no training at all.

Ironically enough, just prior to the breach, “Microsoft warned of consent phishing scams targeting remote workers and their cloud services, including Office 365.”

In summary, a security training organization with advance warning about a specific type of phishing attack was still taken in by that phishing attack. If they can be taken in, what chance does an ordinary company have to protect itself from phishing attacks? Well, as things turn out, a pretty good chance, assuming it takes the necessary precautions ahead of time and deploys cloud-based email security like that available from Phish Protection.

As you can see, if you’re relying on your employees to be the last line of defense against phishing attacks, you’re in for a challenge. Phish Protection, on the other hand, removes employee decision making from the equation. Instead, Phish Protection scans emails in real time for malicious content. When it finds any, it quarantines the email, keeping it from reaching the inbox. And you can’t get phished by an email you never receive.

Phish Protection is cloud-based, so there’s no hardware or software to buy and no maintenance ever. It sets up in 10 minutes, works with all major email services and, best of all, costs only pennies per employee per month.

Don’t be like SANS. Protect your company and employees with Phish Protection. You can try it free for 60 days.