Recently, I had a call with a rather prominent analyst in the cyber security community. We were having a pretty good conversation about security awareness training, focusing on the T2 Employee Defense Training service we launched this week. As the conversation was wrapping up, he said, “You know, I’ve always believed that trying to train employees for phishing emails was pointless. No matter how good the training is, someone is still going to fall for an attack. So why even bother?”
Needless to say, that wasn’t quite what I was hoping to hear while in the middle of launching a phishing simulation and training service. In my mind, I began queuing up my usual response to that argument. But before I could jump in, the analyst picked back up. “But, after hearing about what PhishLabs is doing, you’ve convinced me otherwise. This is a brilliant approach to phishing.” (The underline was my addition. He didn’t actually underline “brilliant” as he spoke. But it sure sounded like it to me. So it’s underlined.)
Let me explain. The argument that I thought the analyst was about to make is a legit beef with the way most vendors approach security awareness training. You hear a lot of sales pitches to “Patch your human vulnerability.” And like most sales pitches, it’s nonsense. You can’t patch the human vulnerability. It’s not “patch-able.” A good software patch removes the targeted vulnerability. You can’t exploit it post-patch because it no longer exists.
But no matter how awesome the training is (and ours is!), the human vulnerability can still be exploited by a well-crafted spear phishing email. Employees are human. They will make mistakes. Expecting awareness training to keep 100% of your employees from making the wrong decision is unreasonable. And most people in the security industry get that.
But that just puts us where our friend, the analyst, was. If you can’t keep that one person from clicking no matter what you do, why even bother?
The answer to that might be a bit, well, confusing. That’s because the reason you would ask “why even bother?” is the same reason that you should actually bother with awareness training: “Because you can’t keep that one person from clicking no matter what you do.”
That’s some M. Night Shyamalan stuff right there, isn’t it? But think about it. It is a fact that someone in your organization is going to fall for a phishing attack. There’s nothing you can do to prevent that from happening at some point. And when you accept that fact, the question then becomes “How can I detect it when it happens, and respond in time to make a difference?”
That’s where security awareness training comes back in. A good awareness training program conditions your employees not just to avoid falling for phishing emails, but to report phishing attacks to your security team. I like to refer to this as “enlisting employees in your defensive network.” With your employees reporting potential threats, you have the visibility you need to detect those attacks that make it into user inboxes. And that gives you the opportunity to prevent an adversary from moving deeper into your network.
It seems simple, but it’s a big change to the dynamics at play here. It’s no longer a rigged game where an adversary just has to get one person to click to win. Instead, it doesn’t matter as much if someone clicks something they shouldn’t. As long as someone else in your “employee defense network” reports it, you have a fighting chance to mitigate the threat before major damage is done.
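To make the “detect and respond” half of that concrete, here is an added example of what a security team can do the moment one employee report lands. It is my illustration, not PhishLabs code and not part of the T2 service. It takes the reporter’s sender address and landing URL, pivots through a mail-gateway log to find everyone else who received the same campaign (including variants with a different subject or path), then checks a web-proxy log for anyone who already clicked. The log formats, the `Report` shape, the lookalike domain and every address and log line are constructed for the example.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed mail-gateway log (not real data): one line per delivered message.
MAIL_LOG = """\
2016-02-10T08:01:12 from=hr-payroll@examp1e-corp.net to=alice@example.com subject="Updated payroll policy" url=http://examp1e-corp.net/payroll/login.php
2016-02-10T08:01:13 from=hr-payroll@examp1e-corp.net to=bob@example.com subject="Updated payroll policy" url=http://examp1e-corp.net/payroll/login.php
2016-02-10T08:01:14 from=hr-payroll@examp1e-corp.net to=carol@example.com subject="Payroll policy (action required)" url=http://examp1e-corp.net/hr/login.php
2016-02-10T08:05:00 from=newsletter@vendor.example.org to=alice@example.com subject="February update" url=https://vendor.example.org/news
"""

# Constructed web-proxy log (not real data): who fetched which URL.
PROXY_LOG = """\
2016-02-10T08:03:40 user=bob url=http://examp1e-corp.net/payroll/login.php
2016-02-10T08:04:02 user=alice url=https://vendor.example.org/news
2016-02-10T08:06:15 user=carol url=https://intranet.example.com/home
"""

# Assumed log formats; adapt the patterns to whatever your gateway and proxy emit.
MAIL_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" url=(?P<url>\S+)$')
PROXY_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+)$')

# Hypothetical shape of what the reporting employee hands the security team.
Report = namedtuple("Report", "reporter sender url")


def parse(log, regex):
    """Return one dict per log line that matches the expected format; skip the rest."""
    return [m.groupdict() for m in map(regex.match, log.splitlines()) if m]


def local_part(addr):
    """Mailbox name without the domain, so it can be matched against proxy usernames."""
    return addr.split("@", 1)[0].lower()


def host_of(url):
    return urlparse(url).netloc.lower()


def triage(report, mail_log=MAIL_LOG, proxy_log=PROXY_LOG):
    """Expand a single user report into the full set of users the campaign reached.

    Pivots on the sender address OR the landing host, so variants of the same
    campaign with a different subject line or URL path are still pulled in.
    """
    bad_sender = report.sender.lower()
    bad_host = host_of(report.url)

    recipients = {
        local_part(row["rcpt"])
        for row in parse(mail_log, MAIL_RE)
        if row["sender"].lower() == bad_sender or host_of(row["url"]) == bad_host
    }
    clicked = {
        row["user"].lower()
        for row in parse(proxy_log, PROXY_RE)
        if host_of(row["url"]) == bad_host
    }
    return {
        "reporter": report.reporter,
        "recipients": sorted(recipients),                 # purge the message from all of these
        "clicked": sorted(clicked & recipients),          # reset credentials, examine the host
        "not_yet_clicked": sorted(recipients - clicked),  # warn them before they do
    }


if __name__ == "__main__":
    alice = Report("alice", "hr-payroll@examp1e-corp.net",
                   "http://examp1e-corp.net/payroll/login.php")
    for key, value in triage(alice).items():
        print(f"{key}: {value}")
```

In the constructed data, Alice reports without clicking, Bob has already clicked, and Carol got a variant with a different subject and path. One report is enough to find all three, and that is the whole point of the argument above: Bob’s click stops being a win for the attacker once Alice’s report gives you the visibility to respond.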
This is a big part of what the analyst I was talking about earlier referred to as “brilliant” regarding our approach to phishing. It’s the fundamental concept behind T2 Employee Defense Training, which is designed from the ground up to turn your employees into a powerful threat detection layer.
So if you’re on the fence about security awareness training, consider the above and what you’re trying to accomplish. If you already have a security awareness training program in place and are questioning the value, take a hard look at the program and ask “Is this actually conditioning our employees to recognize and report phishing attacks?” If the answer is “no” or even “kinda sorta,” give us a call. We’ll get you on the right path.
For more on this topic, please join us for a webinar on February 25, 2016: Turn your Employees into Security MVPs