Over the past few years, security budgets across all industries have skyrocketed.
No surprise, really. The vast majority of organizations have experienced some level of cyber attack, and even those that haven’t would find it difficult to ignore the constant media coverage of high-profile data breaches.
And with all this extra security investment, you’d think there would be a corresponding reduction in annual breaches.
But you know what? That hasn’t happened. In fact, the number of breaches reported has continued to rise at an unprecedented rate.
Why Prevailing Wisdom is Wrong
The prevailing wisdom in the security industry is that defending your organization against cyber attacks is predominantly an issue of having the right technology. After all, cyber attacks are predominantly a technological threat, so why not invest in technological defenses?
If you’ve ever attended a security event, you’ll have been confronted with literally thousands of products designed to protect against all manner of incoming cyber attacks. If you approach a few booths, you’ll hear all about the latest attack vectors, and how XYZ product could mitigate the threats they pose.
But there’s a problem with this model.
If you take a step back and analyze the reported breaches from the last ten years, you’ll soon realize that cyber attacks aren’t purely a digital threat. In fact, over 90 percent of breaches involve phishing or another social engineering technique at some stage of the attack.
You know why? Because tricking people is almost always easier than tricking machines.
All an attacker needs is for one human to click on a malicious link, inadvertently give up their login credentials, or open the wrong attachment, and the hard part is done.
Now, of course, there are plenty of tech-based controls designed to fight malicious emails. You can (and should) use spam filters, content scanners, and email authentication (SPF, DKIM and DMARC with an enforcing policy) to stop the vast majority of phishing lures from ever reaching your users’ inboxes.
But no matter how good your controls are, they will never be perfect. Email authentication only catches messages that spoof a domain whose owner publishes an enforcing policy; a lookalike domain registered yesterday, a compromised mailbox at a trusted partner, or a link to infrastructure that no reputation feed has seen yet will pass every check. Threat actors simply have too many ways to get a message through.
To move forward, you must accept a simple truth: Tech isn’t enough.
Rethinking Security Awareness Training
What comes to mind when you think about security awareness training? For most people it’s being stuck in some dull, stuffy room, listening to a bored IT intern talk about security awareness.
Does anybody really believe these sessions achieve anything? Of course not. But unfortunately, for most organizations, they’re necessary for compliance purposes.
But the real problem with these sessions isn’t just the standard of training, it’s the entire concept of “awareness” training. In the real world, raising security awareness (whatever that is) consistently fails to reduce cyber risk.
Why? Because it’s based on flawed logic.
We assume that more information will result in better decision-making… but that just isn’t true. Everybody knows they shouldn’t eat fast food but have you ever seen an empty McDonald’s? I know I haven’t.
So instead of trying to raise awareness, we need to focus our efforts on something that really will help reduce cyber risk: Improving security behaviors.
And given that phishing poses the greatest risk to organizations across the globe, email security behaviors are a good starting point.
Think about what malicious emails are designed to do. At their heart, they are designed to trick average users into compromising your business network. To fight back against phishing, we need to change the way your users interact with their email inboxes.
But the average business user receives dozens, if not hundreds, of emails every day, and over time they develop unconscious habits that cut the time it takes to process them. For starters, most people assume that every email in their inbox is legitimate. After all, there are technical controls in place to block malicious email… right?
How, then, can you go about reconditioning your users’ email habits? Not only do we need users to understand that not all email is legitimate, we also need them to be on the lookout for malicious email every time they check their inbox.
The answer is simple: Develop realistic phishing simulations, routinely send them to your users, and track their response.
Does that seem like an odd thing to do? It shouldn’t.
If you want to change habits that have been embedded over years working in an office environment, offering one or two training sessions per year just isn’t going to cut it. Instead, you’ll need to make security training part of your users’ daily life.
Now, of course, there are a few provisos. You can’t just start flooding your users with complex phishing lures, because they won’t yet be equipped to deal with them.
If you intend to see real, lasting improvements, there are some core principles that you’ll need to keep in mind.
1) Get buy-in from above
As you’ve probably gathered, this type of program isn’t going to solve your security problems overnight. While you will, of course, see substantial improvements within the first few months, lasting success will only come with time and consistency.
Quite simply, you must have the long-term support of your budget holders, and that requires a strong business case, consistent ROI tracking, and regular performance reports.
2) Make success easy
Think about what you’re trying to achieve here. Instead of being tricked by malicious emails, you want your users not only to identify them but also to report them to your security team. Why? Because every reported phishing email gives you the chance to quarantine the same message from other inboxes and to tighten your technical controls so that the next one is caught automatically. You can even save reported phishing emails and use them to inform the production of realistic simulations in future.
To achieve all this, you first have to convince users to report any email they feel could be malicious. And for that to happen, you’ll need to make the reporting process as easy as it can possibly be.
To that end, I suggest adding a simple “report phish” button to your users’ email client. Make sure it delivers the original message intact (headers, URLs and attachments included) rather than an inline forward, because those are the indicators your team needs in order to find and block the same lure elsewhere.
3) Training at the point of failure
Here’s the thing about learning a new skill. When you launch this type of program, your users will improve very quickly. But at the same time, they’ll also fail a lot.
But failure isn’t a bad thing. Each time a user “fails” one of your phishing simulations, you should immediately direct them to a short multimedia training page, where they learn about the type of phishing email they have just seen and are shown the cues that will help them identify similar emails in future.
Then, to ensure these lessons have been fully internalized, you should retest the user a week or so later.
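Taken together, the three principles above describe a small tracking system: a lure goes out with a per-user link, callbacks (clicked, submitted, reported) come back, each user gets an outcome, failures get immediate training and a retest date, and the numbers feed the ROI reports that principle 1 calls for. The Python below is an added example of that bookkeeping; it is not PhishLabs code and does not describe their platform. The token scheme (an HMAC over campaign and address), the event names, the `/training/<lure-type>` path and the seven-day retest delay are assumptions chosen for illustration, and the recipients and callbacks are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: a server-side secret used to derive per-recipient tracking
# tokens. It never leaves the tracking server; rotate it per campaign.
SECRET_KEY = b"replace-with-a-random-secret"

VALID_EVENTS = {"opened", "clicked", "submitted", "reported"}
RETEST_DELAY = timedelta(days=7)   # retest "a week or so later"


def tracking_token(campaign_id: str, email: str, key: bytes = SECRET_KEY) -> str:
    """Token embedded in the lure's link and the report button's callback.
    Keyed HMAC: a curious user cannot forge a colleague's token or
    enumerate the rest of the campaign from their own."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


@dataclass
class Campaign:
    campaign_id: str
    lure_type: str                                  # e.g. "credential-harvest"
    sent_on: date
    recipients: dict = field(default_factory=dict)  # token -> email
    events: dict = field(default_factory=dict)      # email -> set of events

    def enroll(self, emails):
        for email in emails:
            self.recipients[tracking_token(self.campaign_id, email)] = email
            self.events[email] = set()

    def ingest(self, token: str, event: str) -> bool:
        """Record one callback. Unknown tokens or event names are dropped
        (returns False) so stray or forged hits cannot pollute the metrics."""
        email = self.recipients.get(token)
        if email is None or event not in VALID_EVENTS:
            return False
        self.events[email].add(event)
        return True

    def outcome(self, email: str) -> str:
        """'failed': clicked or submitted data; 'reported': reported without
        clicking; 'ignored': no interaction at all."""
        ev = self.events[email]
        if ev & {"clicked", "submitted"}:
            return "failed"      # a late report still helps the SOC, but the habit failed
        if "reported" in ev:
            return "reported"
        return "ignored"

    def metrics(self) -> dict:
        """Per-campaign rates for the performance reports budget holders expect."""
        n = len(self.events)
        counts = {"failed": 0, "reported": 0, "ignored": 0}
        for email in self.events:
            counts[self.outcome(email)] += 1
        submitted = sum("submitted" in ev for ev in self.events.values())
        return {
            "recipients": n,
            "fail_rate": counts["failed"] / n,
            "submit_rate": submitted / n,
            "report_rate": counts["reported"] / n,
            "ignore_rate": counts["ignored"] / n,
        }

    def training_queue(self) -> list:
        """Who failed, which lesson to show them now, and when to retest."""
        return [
            {
                "email": email,
                "lesson": f"/training/{self.lure_type}",   # hypothetical page path
                "retest_on": self.sent_on + RETEST_DELAY,
            }
            for email in sorted(self.events)
            if self.outcome(email) == "failed"
        ]


def demo_campaign():
    """Constructed sample: one simulated invoice lure sent to four users,
    plus callbacks carrying an unknown token and an unknown event name."""
    c = Campaign("q3-invoice-lure", "credential-harvest", date(2020, 3, 2))
    users = ["alice@example.com", "bob@example.com",
             "carol@example.com", "dave@example.com"]
    c.enroll(users)
    tok = {u: tracking_token(c.campaign_id, u) for u in users}
    callbacks = [
        (tok["alice@example.com"], "opened"),
        (tok["alice@example.com"], "clicked"),
        (tok["alice@example.com"], "submitted"),   # typed credentials into the fake page
        (tok["bob@example.com"], "opened"),
        (tok["bob@example.com"], "reported"),      # the behaviour we want
        (tok["carol@example.com"], "clicked"),
        (tok["carol@example.com"], "reported"),    # reported, but only after clicking
        ("0000deadbeef", "clicked"),               # unknown token: ignored
        (tok["dave@example.com"], "bogus"),        # unknown event: ignored
    ]
    accepted = [c.ingest(t, e) for t, e in callbacks]
    return c, accepted


if __name__ == "__main__":
    campaign, accepted = demo_campaign()
    print(campaign.metrics())
    print(campaign.training_queue())
```

Two design choices are worth noting. The keyed token matters more than it looks: a sequential ID lets one curious user "report" on behalf of colleagues or enumerate who else was targeted, and an unkeyed hash of the address is trivially recomputed. And outcome() encodes a policy decision: a user who clicks and then reports still counts as a failure for training purposes, even though their report is exactly what the security team wants to receive.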
Persistence is Everything
Clearly, the anti-phishing training program I have described here is about as far from traditional awareness training as you can possibly get. Instead of dragging bored users into a stuffy classroom once per year, you’ll be bringing the training directly to them, giving them the opportunity to take an active role in the security of your organization.
But, of course, this process never truly ends. If you care enough about the security of your organization to implement a program like this, you must also ensure the program is maintained over the long term, because if the program is shelved your users will quickly return to their old, bad habits.
And here’s something else to keep in mind. With time and training, your users will become experts at identifying phishing emails… but mistakes will still happen. No matter how hard you try, you’ll never reach a point where 100 percent of phishing emails are identified and reported.
For this reason, it would be foolish to suggest that this type of program can replace the need for high-quality technical controls. Quite the opposite, in fact.
At the start of this article, I noted that technology isn’t enough to ensure the security of your organization, and that’s true. But what you also have to realize is that people aren’t enough either.
Only by combining technical controls with a highly trained workforce can you truly ensure the continued security of your organization against phishing attacks.
About the Author
Dane Boyd is the Lead Solution Manager for PhishLabs’ Managed Phishing Awareness Training. He has helped dozens of enterprises transform their employees into a powerful layer of threat prevention and detection.
Founded in 2008, PhishLabs provides 24/7 managed security services that protect against phishing attacks. PhishLabs is the only company that protects organizations against phishing attacks that target their customers and employees. The company analyzes millions of potential phishing attacks every day, providing global visibility and insight into the phishing threat landscape. PhishLabs’ experts use this visibility and insight to manage phishing awareness training programs, completely mitigate phishing attacks, and provide impactful threat intelligence. Top financial, healthcare, and technology companies rely on PhishLabs to avoid fraud losses, security incidents, and data breaches due to phishing attacks.
For more information, visit phishlabs.com and follow @phishlabs.