Making the move from the typical security awareness training approach to a powerful anti-phishing program isn’t an easy sell.
It’s that time of year again.
A day of romance, crowded restaurants, overblown gestures of love, and…
Well. You get the idea.
For those of us in the security world there’s another, less enjoyable component to Valentine’s Day. Yes, even less enjoyable than trying to share a romantic meal while sitting less than a foot away from four other couples.
Yes, I’m talking about holiday-themed phishing scams. We’ve written about this topic many times before (including last Valentine’s Day), but so far we’ve never tackled the specific scams that surround this romance-centric annual event.
So before you send those Dutch-courage-fuelled love notes, just take a moment to consider…
Frustrating, isn’t it?
You design a powerful anti-phishing program, secure funding from your executive board, provide world-class training. You do everything right…
Oh, your users are probably spotting phishing emails. After all, they’ve engaged with the training, and seem to be taking it seriously.
But no matter how many times you remind them, they just won’t report those phishing emails.
In most organizations, a user who can identify and delete phishing emails is considered a huge asset.
And, let’s be honest, they’re certainly a big step in the right direction. Users who can't spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.
But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.
Training users to identify and report phishing emails is far from an overnight fix.
It takes time, persistence, and engagement to make a meaningful impact on user email behaviors.
But you already knew that, didn’t you? In fact, you probably already have a program in place to help users identify potentially malicious emails.
You're probably thinking security awareness training for employees is a no-brainer, and that you shouldn't have to sell the idea up the ranks. However, with several other technical controls already in place to secure your organization, you may be met with a surprised "What's this... is this really necessary?" when you slide that line item into next year's budget.
So you reconsider what you have budgeted and entertain a once-a-year, check-the-box option that satisfies compliance needs. But how much will your organization actually benefit from this status-quo approach?
Getting signoff for a security awareness training program that actually works can be much harder.
But it doesn’t have to be. With a little research and a few calculations, you can produce a business case for security awareness training that holds up even under purely financial scrutiny.
There’s a lot of talk in the security industry about the effectiveness of security awareness training for employees. Some highly respected members of the community have repeatedly asserted that it’s a total waste of money, and this sentiment seems to have picked up some momentum in recent years.
In our last post we discussed human vulnerability in Why Your Users Keep Falling for Phishing Scams. People generally assume anything that makes its way into their inbox is a legitimate attempt to contact them. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does, too.
The argument against security awareness training goes like this: since normal users have no responsibility for network security, and don’t understand the implications of their actions, it should be down to IT to create an environment in which they can’t harm the organization.
But we disagree.
The fact is that while that is a good target to aim for, it isn’t possible right now, and probably never will be.
We’ve all been there. That awful moment, when you realize it’s happened again.
“Why do they never learn?” you ask yourself. “It really isn’t that hard!”
Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.
So why do they keep falling for phishing scams? Is it just complacency? Or something more?
Every CISO, in every industry, is aware that spear phishing can be a problem – a big one – despite millions of dollars invested in (necessary) layers of technology defenses. In May 2016, CSO Online reported that another three firms had been hit by targeted phishing attacks – attacks that stole employees' W-2 data. I guarantee all of these firms had security devices in place on their networks. These attacks were a form of social engineering that bypasses traditional security technologies, and much can be done to enlist employees as part of any company’s overall defense. Many CISOs have done just that: taken steps to ensure their employees are aware, and worked to reduce the likelihood of anyone opening a malicious email. But this still isn’t solving the spear phishing problem. Companies have been conducting varying degrees of security awareness training for years, yet the attacks are still happening, and they are still succeeding in spite of the training. So, what is a well-intentioned CISO to do? Give up? Train more? Find a better training approach?
Phishing awareness training is an essential security function. But while it may seem straightforward, training employees to spot phishing attacks is no simple task. Done poorly, phishing awareness training can be counterproductive and leave your organization more vulnerable instead of more secure. Here are 5 common pitfalls to avoid when training your users to spot and report phishing attacks.