The PhishLabs Blog

How to Build a Business Case for Powerful Security Awareness Training

Posted by Lindsey Havens on Nov 29, '16

You're probably thinking security awareness training for employees is a no-brainer, that you shouldn't have to sell the idea up the ranks. However, with several other technology controls already in place for securing your organization, you may be faced with a surprising "is this really necessary?" when you slide that line item into next year's budget.

So you reconsider what you have budgeted and entertain a once-a-year, check-the-box option to satisfy compliance needs. But how much will your organization benefit from this status-quo approach?

Getting signoff for a security awareness training program that actually works can be much harder.

But it doesn’t have to be. With a little research and a few calculations, you can produce a business case for security awareness training that holds up even under purely financial scrutiny.

Here’s how.

Topics: Phishing, Employee Defense Training, security awareness training

Hitting Back Against Security Awareness Training Nay Sayers

Posted by Dane Boyd on Sep 13, '16

There’s a lot of talk in the security industry about the effectiveness of security awareness training for employees. Some highly respected members of the community have repeatedly asserted that it’s a total waste of money, and this sentiment seems to have picked up momentum in recent years.

In our last post we discussed human vulnerability in Why Your Users Keep Falling for Phishing Scams. People generally assume anything that makes its way into their inbox is a legitimate attempt to contact them. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does, too.

The argument against security awareness training goes that since normal users have no responsibility for network security, and they don’t understand the implications of their actions, it should be down to IT to create an environment in which they can’t harm the organization.

But we disagree.

The fact is that while that is a good target to aim for, it isn’t possible right now, and probably never will be.


Topics: Employee Defense Training, security awareness training

Why Your Users Keep Falling for Phishing Scams

Posted by Dane Boyd on Sep 7, '16

We’ve all been there. That awful moment, when you realize it’s happened again.

“Why do they never learn?” you ask yourself. “It really isn’t that hard!”

Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.

So why do they keep falling for phishing scams? Is it just complacency? Or something more?


Topics: Phishing, Spear Phishing, Employee Defense Training, security awareness training

Why Security Awareness Training – Alone – Doesn’t Solve the Spear Phishing Problem

Posted by Jon Hilfiger on Jul 14, '16

Every CISO, in every industry, is aware that spear phishing can be a problem – a big one – despite millions of dollars invested in (necessary) layers of technology defenses. In May 2016, CSO Online reported ANOTHER three firms were hit by targeted phishing attacks – attacks that stole employees’ W-2 data. I guarantee all of these firms had security devices in place on their networks. These attacks were a form of social engineering that bypasses traditional security technologies, and much can be done to enlist employees as part of any company’s overall defense. Many CISOs have done just that – taken steps to ensure their employees are aware, and worked to reduce the likelihood of someone opening a malicious email. But this still isn’t solving the spear phishing problem. Companies have been conducting varying degrees of security awareness training for years. But the attacks are still happening, and they are successful in spite of the training. So, what is a well-intentioned CISO to do? Give up? Train more? Find a better training approach?

Topics: Threat Intelligence, Spear Phishing Protection, T2, Employee Defense Training

Top Five Phishing Awareness Training Fails

Posted by Dane Boyd on Jun 30, '16

Phishing awareness training is an essential security function. But while it may seem straightforward, training employees to spot phishing attacks is no simple task. Done poorly, phishing awareness training can be counterproductive and leave your organization more vulnerable instead of more secure. Here are 5 common pitfalls to avoid when training your users to spot and report phishing attacks.

Topics: Employee Defense Training, security awareness training

Six Steps to Train Your Users to Fight Cybercrime

Posted by Maria O'Dwyer on Apr 7, '16

Stopped in traffic on my commute home, it hit me… (not the person texting and driving) but the idea that I’d just been Miyagi’d!

Every day I have the pleasure of speaking with Information Security leaders across multiple verticals. I learn about the challenges they face and the Security Awareness Programs they have implemented to foster a security-vigilant environment.

Topics: Employee Defense Training, security awareness training, EDT

What Makes a Good Simulated Phish?

Posted by Stephanie Fauvelle on Mar 31, '16


If your security awareness training provider offers personal banking phishing templates, then it’s a good idea to re-think your provider. Why? Because phishers aren’t sending fraudulent banking alerts to corporate accounts. Besides, who links their bank account to their work email anyway? Phishers continue to up their game, moving away from sloppy phishing emails ripe with spelling mistakes and other recognizable signs to sending craftier, what we’ll call, “lite” spear phish.

Read More

Topics: T2, Phishing Simulation, Employee Defense Training, EDT

Why Your Advanced Spam Filter Isn't Enough

Posted by Dane Boyd on Mar 29, '16

Advanced spam filters are a wonderful thing. Don’t get me wrong. But they aren’t enough to protect your organization from a phishing attack. If you’ve heard it once, you’ve heard it a million times: it takes just one employee clicking a malicious link or downloading an infected document to give your IT Support a headache or, much worse, cause a data breach.

Topics: Phishing, Spear Phishing, Employee Defense Training, EDT

Building a Business Case for Effective Security Awareness Training

Posted by Jenny Dowd on Mar 18, '16

Security education programs are sometimes mandated, always important, and often difficult to justify as an investment. It is easy to get the powers that be to sign off on a once-per-year security awareness training program that will satisfy compliance requirements, but we all know by now that compliance does not equal security.

The Information Security Forum (ISF) has defined information security awareness as an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change.

So to achieve this, a bigger investment, in both time and money, is needed to implement a continuous security awareness training program that is effective at changing employee behavior – one that includes ongoing simulation training. More money, more time invested, and a goal to change employee behavior means more stakeholder approval will be required.


Topics: Awareness Training, T2, Phishing Simulation, Employee Defense Training

5 Tips for Evaluating Phishing Simulation Solutions

Posted by Jenny Dowd on Feb 17, '16

Setting up an effective security awareness training program

There are plenty of articles out there touting the ineffectiveness of security awareness training. I do not disagree, because a lot of solutions out there enable you to ‘check the box’ on your compliance requirement for employee training, but they do little to condition your employees not to fall victim to spear phishing attacks. We recently published a blog post on why the right kind of security awareness training is effective – and crucial.

Once-a-year compliance training for information security will not motivate your employees to change their behaviors, nor will it lead to meaningful long-term retention of the lessons. A program based on current, real-world attack data, with ongoing simulation training, will yield greater results by reducing your employees’ susceptibility to phishing attacks and conditioning them to report potential threats.

Topics: T2, Employee Defense Training, security awareness training


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
