It’s not exactly a secret that most security awareness training programs are… less than effective.
Something about the 12-month gap between sessions, decade-old content, and total lack of user engagement seems to limit the potential for behavioral change.
We can’t imagine why.
But if you’re reading this, it’s a reasonable bet that you take security awareness more seriously than many of your peers.
If you’ve been following the blog for a while, you’ll already be aware of the huge threat posed by phishing to organizations of all types and sizes. You’ll also realize technical security controls are simply not enough to secure your organization against the volume and sophistication of incoming phishing attacks.
What, then, can you do to maximize the impact of your security awareness training program, particularly as it relates to fighting phishing?
Well, for starters, you need to understand one simple truth.
For a deep dive in to the fifteen best practices that will transform an enterprise's users into security assets, dowload the Best Practices for Enterprise Phishing Protection White Paper.
Education Won’t Cut It
Education is great. It really is. After all, how can you expect to get better at something without learning the theory surrounding it?
But unfortunately, many people seem to be laboring under the impression that more information can change behaviors in isolation.
Think about it. As an industry, we don’t talk about security training for end users… we talk about security awareness training. As if improving users’ security awareness will automatically enable them to spot and report phishing emails.
From experience, we can tell you that it doesn’t. But you don’t need us to tell you that.
Do public awareness campaigns on healthy eating lead people to make better dietary decisions? Clearly not.
How about smoking? Does knowing cigarettes cause cancer lead fewer people to take up smoking? Nope.
In fact, research has repeatedly demonstrated that marketing campaigns pointing out the very unambiguous fact that smokers die younger have almost no impact on the uptake of smoking in young people.
But if education won’t do the job, where does that leave us?
Practice Makes Permanent
Perhaps it will help to think about the problem in a slightly different way. If you wanted to get really good at playing the guitar, what would you do?
Well, for starters, you might read a “How-To” book or website, or watch a few videos on YouTube. After all, you’d need to know what type of guitar to buy, where the best learning resources are, and so on.
But once that was all out of the way, what would come next? Pretty obviously, you’d need to… pick up a guitar and start plucking away. It would never occur to you to try learning without actually spending time with the instrument.
So why, then, do so many organizations obsessively pursue security awareness without giving their users a chance to practice?
High level sports teams spend hours honing their skills every day. Military personnel practice the same skills and tactics over and over again to ensure mastery.
Even hobbyists take time out on a regular basis to play their instruments, practice their crafts, or kick a ball around with their friends. If they didn’t they simply wouldn’t get anywhere.
Changing Email Behaviors
So how does all this pertain to the fight against phishing? If you can’t just give users information and expect them to start spotting and reporting phishing lures, what do you need to do?
Here are the basic rules to build your program around:
- Identify the skill you’re trying to build - In this case, the ability to identify and report phishing emails.
- Provide just enough education for users to get started - Don’t overdo it. To start with, users just need to understand that not all email is legitimate, and be talked through a few samples of phishing lures.
- Provide opportunities for real-world practice - Quite simply, users need to see phishing lures in their inbox on a regular basis. To achieve this, create your own realistic lures, and use them to “test” you users’ level of ability.
- Be consistent - Testing users once or twice isn’t enough. To ensure lessons are fully learned and retained, users should be tested at least once per month.
Now of course, all this is easier said than done. We’re talking about a program that goes well beyond the standard annual training session that most organizations adhere to. You’ll need to get executive buy-in, learn how to create realistic phishing lures on a regular basis, and engage with your users to ensure they are getting the support they need.
But here’s the thing. Unlike the typical approach to security awareness, this way actually works.
Want To Know More?
If your organization is ready to fight back against phishing, we’ve got plenty more to offer. To get started, check out our recent webinar on Best Practices for Enterprise Phishing Protection which covers everything in this post and much more.