Is Security Awareness Training a waste of your money?

Posted by Stephanie Fauvelle on Feb 9, '16

With all of the companies out there offering their latest and greatest security awareness training products, it’s worth asking, is this a waste of my company’s money? Jerry Bell and Andrew Kalat, from the Defensive Security Podcast, argue that expecting your employees to be your first line of defense is “completely BS.” They believe that implementing a security awareness training program that includes simulated phishing tests gives a false sense of hope and ultimately, isn’t worth the money. What does the evidence say? 

They begin their argument by stating that no matter the amount of training, employees eventually fall victim to a phishing attack because phishing attacks do not occur in a vacuum. They aren’t wrong. A successful phishing attack does not occur in a vacuum, but in the humdrum of everyday life, when your employees are tired, stressed, rushed or simply unaware. This is exactly why testing your employees is crucial. By testing your employees with simulated phishing attacks throughout the year, you are training them in the same context in which they are most likely to be attacked. If an employee learns to spot a simulated phishing attack, you’ve increased the chance that they will also be able to recognize a real phishing attack.

What Jerry and Andrew are right about is that annual computer-based training is not effective in teaching your employees to avoid clicking a phish. With the average person’s attention span being shorter than that of a goldfish (unfortunately, we aren’t kidding), requiring a person to watch a 45-minute video and then expecting them to apply the information for up to a year is, well, simply unrealistic. In order for employee training to be worth your money, it should reflect real-world phishing attacks, be succinct and engaging, and be delivered immediately at the point of failure.

The podcast authors go on to say that training employees to be cautious about opening emails is “unrealistic.” However, companies that undergo regular simulated phishing tests experience significant decreases in click-rates. We’ve seen a company go from a 20 percent click-rate to 6 percent from just one campaign to the next, demonstrating that employees can and do become more careful when checking their emails. 

[Figure: security awareness training click rates]

Many claim that the onus of network security should be on technology and not on the company’s employees. The truth is, there is no silver bullet piece of technology today that can protect your employees against malicious emails 100 percent of the time. This is because attackers are constantly changing their methods of attack. If technology alone were the answer today, you would not continue to read about data breaches in the news, including the 781 that occurred in 2015. Heavily investing in technology is vital to your organization’s security, but it is no longer a complete solution. Training employees is not meant to replace technological controls, but to bridge the gap of what technology cannot yet provide.

The average cost of a data breach is $3.5 million, which does not even factor in reputational damage. The technological security controls available today are not 100 percent foolproof. If you could teach your employees not to click on a phishing email that could potentially cost your company millions of dollars, then the answer to the question must be, yes, employee training is worth it.

For more on this topic, please join us for a webinar on February 25, 2016: Turn your Employees into Security MVPs

Information on PhishLabs Employee Defense Training can be found here.

