How many times have you been stuck in a stuffy, packed classroom environment, listening to a boring IT intern explain why you shouldn’t write your password down and stick it to your monitor?
If I had to guess, I’d say roughly once per year since the start of your career.
How much do you think the average employee really learns from that kind of training? Not much, clearly.
But I have a theory. If, collectively, we all stopped worrying about security “awareness” and focused instead on security behaviors, our security training would be a lot better for it.
Why Compliance is a Terrible Driver for Security Training
In most industries, compliance is a huge deal. Almost every organization has compliance requirements to meet, and failure isn’t an option.
But here’s the thing. While compliance frameworks are developed with the best of intentions, their requirements in the area of security training are minimal.
As a rule, so long as you train new employees promptly, and ensure new training is issued each time a major policy change occurs, you’re in the clear. Typically, the actual content of your training is barely assessed at all.
Does that sound like a recipe for high-quality security training? I don’t think so.
But there’s another side to the story. If it weren’t for compliance requirements, I doubt most organizations would bother with security training at all.
Think about it. Common wisdom tells us that users are a straight-up security liability, and must be protected at all costs. Instead of focusing on user security training, most organizations would much rather dump tens or even hundreds of thousands of dollars into the latest security products, taking it on faith that this is the only route to improved cyber security.
But at the same time, almost all data breaches are either caused or exacerbated by human error. Heck,of all breaches contain a phishing or social engineering component. By definition, that means threat actors are specifically targeting and exploiting the weaknesses of the average user.
On that basis, does it seem like the current popular approach to cybersecurity is working? I would suggest not.
Here’s why: No matter how good your advanced spam filters, attachment scanning technologies, and email authentication protocols, there is simply no way to stop every phishing email. No technologies (or combination of technologies) exist that are 100% effective in the fight against phishing.
And what about telephone-based social engineering campaigns? Or phishing lures sent by SMS? In reality, there are simply too many ways for threat actors to exploit your users that cannot be prevented by technological means.
If you’re serious about combatting phishing, a different approach is necessary.
What You Can Learn from Bird Spotters
How, then, can you train your users to identify phishing emails, instead of falling for them? You use exactly the same process they would use to learn any other skill: practice.
If you wanted to learn to distinguish between different types of birds, you’d buy a book, look at the pictures, and then go out and try to spot different birds.
If you want to learn to spot phishing emails, then, you can follow the exact same process. Do a little bit of training, and then try your hand at distinguishing between legitimate and malicious emails.
So how does this translate into a formal security training program?
All you have to do is construct your own simulated phishing campaigns, send them to your employees, and track their responses over time.
Yes, it really is that simple.
Now of course, you’ll need to provide some initial training. Your users will need to understand why the program exists, what’s expected of them, and be given a basic understanding of what typical phishing emails might look like.
But once that’s out of the way, it’s time to get down to business.
The Hallmarks of a Powerful Phishing Defense Program
Now, of course, while the concept of phishing defense training is simple, there are some finer points to consider. Here are a few things to think about when developing your program:
Consistency is everything. This type of program is a marathon, not a sprint. You’ll start to see improvements immediately, yes, but these improvements will quickly disappear without consistent reinforcement. In my experience, strike the best balance between maintaining momentum and avoiding overwhelm.
Success must be easy. When a user receives a phishing email (simulation or otherwise), you don’t simply want them to ignore or delete it. What you really want is for them to report it to your security experts. To that end, I suggest adding a simple “report phish” button directly to their email client, making the process as easy as possible, and therefore maximizing the chances of it actually happening.
Point-of-failure training. Naturally, your users are going to “fail” a lot, especially at the beginning. As this happens, you have an opportunity to provide relevant training precisely when it is needed. In an ideal world, any user who fails a simulation should immediately be directed to a multimedia training page that covers the specific type of phishing email they just received. A week or so later, it’s best to retest those same users to solidify the learning process.
Get buy-in from above. Perhaps the most important factor when implementing a program like the one I have described here is your ability to convince senior managers of the importance of phishing defense. Developing a, consistently , and providing regular and detailed performance reporting are essential to the continued success of your program.
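The tracking side of the program described above (send simulations, record who clicked or reported, retest failures about a week later, and report the trend upward) is small enough to sketch in code. The following is an added example, not code from the original post or from PhishLabs; the campaign results, user names, dates and training-page URLs are all constructed for illustration, and the outcome labels ("clicked", "reported", "ignored") and the seven-day retest interval are assumptions taken from the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (hypothetical users, campaigns and dates), one row per
# user per simulation: (campaign_id, sent_on, lure_type, user, outcome).
# outcome is "reported" (used the report-phish button), "clicked" (fell for
# the lure) or "ignored" (no action either way).
SAMPLE_RESULTS = [
    ("camp-01", "2024-01-08", "credential-harvest", "alice", "clicked"),
    ("camp-01", "2024-01-08", "credential-harvest", "bob", "reported"),
    ("camp-01", "2024-01-08", "credential-harvest", "carol", "ignored"),
    ("camp-01", "2024-01-08", "credential-harvest", "dave", "clicked"),
    ("camp-02", "2024-02-05", "invoice-attachment", "alice", "reported"),
    ("camp-02", "2024-02-05", "invoice-attachment", "bob", "reported"),
    ("camp-02", "2024-02-05", "invoice-attachment", "carol", "ignored"),
    ("camp-02", "2024-02-05", "invoice-attachment", "dave", "clicked"),
    ("camp-03", "2024-03-04", "credential-harvest", "alice", "reported"),
    ("camp-03", "2024-03-04", "credential-harvest", "bob", "reported"),
    ("camp-03", "2024-03-04", "credential-harvest", "carol", "reported"),
    ("camp-03", "2024-03-04", "credential-harvest", "dave", "ignored"),
]

# Hypothetical point-of-failure training pages, keyed by the lure type the
# user just fell for (assumed URLs, not real ones).
TRAINING_PAGES = {
    "credential-harvest": "https://training.example/pof/credential-harvest",
    "invoice-attachment": "https://training.example/pof/invoice-attachment",
}


@dataclass
class CampaignMetrics:
    campaign_id: str
    sent_on: date
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent


def campaign_metrics(results):
    """Aggregate per-campaign counts; campaigns come back in send-date order."""
    counts = {}
    for campaign_id, sent_on, _lure, _user, outcome in results:
        m = counts.setdefault(
            campaign_id,
            CampaignMetrics(campaign_id, date.fromisoformat(sent_on), 0, 0, 0),
        )
        m.sent += 1
        if outcome == "clicked":
            m.clicked += 1
        elif outcome == "reported":
            m.reported += 1
    return sorted(counts.values(), key=lambda m: m.sent_on)


def retest_queue(results, retest_after_days=7):
    """Users who clicked get the training page for that lure type now and a
    retest of the same lure type about a week later."""
    queue = []
    for campaign_id, sent_on, lure, user, outcome in results:
        if outcome == "clicked":
            queue.append({
                "user": user,
                "lure_type": lure,
                "training_page": TRAINING_PAGES[lure],
                "retest_due": date.fromisoformat(sent_on) + timedelta(days=retest_after_days),
                "failed_campaign": campaign_id,
            })
    return sorted(queue, key=lambda q: (q["retest_due"], q["user"]))


def repeat_clickers(results, min_failures=2):
    """Users who failed more than once across campaigns: the ones to prioritise."""
    failures = defaultdict(int)
    for _c, _d, _l, user, outcome in results:
        if outcome == "clicked":
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


def management_report(results) -> str:
    """Plain-text trend summary for the regular reporting senior managers expect."""
    metrics = campaign_metrics(results)
    lines = ["campaign    sent  click%  report%"]
    for m in metrics:
        lines.append(f"{m.campaign_id:<10}  {m.sent:>4}  {m.click_rate:>6.0%}  {m.report_rate:>7.0%}")
    first, last = metrics[0], metrics[-1]
    lines.append(f"click rate moved from {first.click_rate:.0%} to {last.click_rate:.0%}; "
                 f"report rate from {first.report_rate:.0%} to {last.report_rate:.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(management_report(SAMPLE_RESULTS))
    for item in retest_queue(SAMPLE_RESULTS):
        print(item)
```

Two design points worth noting: the report rate is tracked alongside the click rate, because the behaviour the post actually wants is reporting, not silent deletion, and a falling click rate with a flat report rate means users have learned to ignore lures rather than to raise them; and the retest queue is keyed by lure type, so the follow-up a week later tests the same kind of email the user just failed on rather than a random one.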
The Only Way to Win
As you’ve no doubt already realized, this type of security training program is an ongoing process. There will always be new employees in need of basic training, and existing employees will always need to be prepared for the.
But no matter how good your program is, or how watchful your users become, mistakes will always be made. Perhaps instead of falling for phishing emails 30% of the time, your users will only fall for them 2% of the time.
That’s a huge win, for sure, but it still leaves your organization with some residual risk. Just like technical controls, powerful security awareness training, while highly effective, is not enough on its own to defend your organization from phishing attacks.
So, if you’re truly serious about fighting back against phishing, as well as other prominent threat vectors, you should always use powerful security training in combination with sensible technological controls, and a skilled incident response resource.
For a deeper dive into how the Best-in-Class invest in security awareness training for their employees to reduce the annualized risk of phishing attacks, check out this comprehensive research report by Aberdeen’s Derek Brink.
Dane Boyd is the Lead Solution Manager for PhishLabs’ Managed Phishing Awareness Training. He has helped dozens of enterprises transform their employees into a powerful layer of threat prevention and detection.