Every CISO, in every industry, is aware that spear phishing can be a problem – a big one – despite millions of dollars invested in (necessary) layers of technology defenses. In May 2016, CSO Online reported that another three firms were hit by targeted phishing attacks – attacks that stole employees' W-2 data. I guarantee all of these firms had security devices in place on their networks. These attacks were a form of social engineering that bypasses traditional security technologies, and much can be done to enlist employees as part of any company’s overall defense. Many CISOs have done just that: taken steps to ensure their employees are aware and work to reduce the likelihood of opening a malicious email. But this still isn’t solving the spear phishing problem. Companies have been conducting varying degrees of security awareness training for years, yet the attacks are still happening and they are successful in spite of the training. So, what is a well-intentioned CISO to do? Give up? Train more? Find a better training approach?
Ahh, employees. They’re your greatest asset and your weakest link.
After all, it takes just one employee to click on a malicious link in a phishing email that leads to a data breach, compromising your entire organization. No matter how great your training is, the human vulnerability can still be exploited by a crafty phishing email.
And apparently, there’s more than just one employee with risky behavior: the proportion of infections that result from user behaviors is between 70 and 95 percent.
But … why?
If your security awareness training provider offers personal banking phishing templates, it’s a good idea to re-think your provider. Why? Because phishers aren’t sending fraudulent banking alerts to corporate accounts. Besides, who links their bank account to their work email anyway? Phishers continue to up their game, moving away from sloppy phishing emails rife with spelling mistakes and other recognizable signs toward craftier messages, what we’ll call “lite” spear phish.
Security education programs are sometimes mandated, always important, and often difficult to justify as an investment. It is easy to get the powers that be to sign off on a once-per-year security awareness training program that will satisfy compliance requirements, but we all know by now that compliance does not equal security.
The Information Security Forum (ISF) has defined information security awareness as an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change.
So to achieve this, a bigger investment, in both time and money, is needed to implement a continuous security awareness training program that is effective at changing employee behavior – one that includes ongoing simulation training. More money, more time invested, and a goal to change employee behavior means more stakeholder approval will be required.
Setting up an effective security awareness training program
There are plenty of articles out there touting the ineffectiveness of security awareness training. I do not disagree, because a lot of solutions out there enable you to ‘check the box’ on your compliance requirement for employee training, but they do little to condition your employees not to fall victim to spear phishing attacks. We recently published a blog post on why the right kind of security awareness training is effective – and crucial.
Once-a-year compliance training for information security will not motivate your employees to change their behaviors, nor will it lead to meaningful long-term retention of the lessons. A program based on current, real-world attack data, with ongoing simulation training, will yield greater results by reducing your employees’ susceptibility to phishing attacks and conditioning them to report potential threats.
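The ISF definition above and this paragraph both hinge on the same question: is the program actually changing behavior, campaign over campaign? The script below is an added example, not code from the original post or from any vendor's simulation product, showing the two numbers a defender should track from simulation exports: the click rate (susceptibility) and the report rate (conditioning to report), plus the users who click repeatedly and need individual coaching. The campaign results, user names and field names are constructed sample data; real platforms export similar records under their own names.

```python
"""Measure behavioral change across phishing-simulation campaigns.

Added example: the records in SAMPLE are constructed, and the field names
(campaign, user, clicked, reported) are assumptions, not a vendor's schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # simulation campaign id; SAMPLE lists campaigns in chronological order
    user: str       # hypothetical employee identifier
    clicked: bool   # followed the simulated malicious link
    reported: bool  # flagged the message to the security team


# Constructed export from three quarterly simulations sent to five hypothetical users.
SAMPLE = [
    Result("2016-Q1", "alice", True, False),
    Result("2016-Q1", "bob", True, False),
    Result("2016-Q1", "carol", False, True),
    Result("2016-Q1", "dave", False, False),
    Result("2016-Q1", "erin", True, False),
    Result("2016-Q2", "alice", True, False),
    Result("2016-Q2", "bob", False, True),
    Result("2016-Q2", "carol", False, True),
    Result("2016-Q2", "dave", False, True),
    Result("2016-Q2", "erin", False, False),
    Result("2016-Q3", "alice", True, False),
    Result("2016-Q3", "bob", False, True),
    Result("2016-Q3", "carol", False, True),
    Result("2016-Q3", "dave", False, True),
    Result("2016-Q3", "erin", False, True),
]


def campaign_metrics(results):
    """Per-campaign click rate and report rate, keyed by campaign in first-seen order."""
    totals = {}
    for r in results:
        t = totals.setdefault(r.campaign, {"sent": 0, "clicked": 0, "reported": 0})
        t["sent"] += 1
        t["clicked"] += int(r.clicked)
        t["reported"] += int(r.reported)
    return {
        c: {
            "sent": t["sent"],
            "click_rate": t["clicked"] / t["sent"],
            "report_rate": t["reported"] / t["sent"],
        }
        for c, t in totals.items()
    }


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns.

    These are candidates for targeted coaching, not for blame: a single user
    who keeps clicking is the residual risk the paragraph above warns about.
    """
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_clicks)


def behavior_changed(results):
    """True when the latest campaign shows a lower click rate AND a higher
    report rate than the first one: the measurable, lasting change the ISF
    definition asks for. Fewer than two campaigns cannot show a trend."""
    metrics = list(campaign_metrics(results).values())
    if len(metrics) < 2:
        return False
    first, last = metrics[0], metrics[-1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE).items():
        print(f"{name}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("behavior changed:", behavior_changed(SAMPLE))
```

Tracking both rates matters: a falling click rate alone can mean employees learned to ignore the simulated email, while a rising report rate shows they are feeding the security team the signal it needs to block the real attack for everyone else.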
With all of the companies out there offering their latest and greatest security awareness training products, it’s worth asking: is this a waste of my company’s money? Jerry Bell and Andrew Kalat, from the Defensive Security Podcast, argue that expecting your employees to be your first line of defense is “completely BS.” They believe that implementing a security awareness training program that includes simulated phishing tests gives a false sense of hope and ultimately isn’t worth the money. What does the evidence say?
Recently, I had a call with a rather prominent analyst in the cyber security community. We were having a pretty good conversation about security awareness training, focusing on the T2 Employee Defense Training service we launched this week. As the conversation was wrapping up, he said, “You know, I’ve always believed that trying to train employees for phishing emails was pointless. No matter how good the training is, someone is still going to fall for an attack. So why even bother?”
Today we announced a new solution that I believe will transform how organizations counter spear phishing attacks. We call it T2 Spear Phishing Protection, and it takes advantage of our deep insight into phishing attacks to prepare organizations for the real-world attacks they're most likely to be targeted with, and then mitigate those attacks before damage is done. To do this, it enlists employees in the defensive network and uses our 24/7 SOC to analyze and respond to threats.