The PhishLabs Blog

When It Comes To Security Awareness – Do You Want A Doctor Or A Personal Trainer?

Posted by Jenny Dowd on May 26, '16

Ahh, employees. They’re your greatest asset and your weakest link.

After all, it takes just one employee clicking a malicious link in a phishing email to cause a data breach that compromises your entire organization. No matter how great your training is, a crafty phishing email can still exploit the human vulnerability.

And apparently, there’s more than just one employee with risky behavior: the proportion of infections that result from user behaviors is between 70 and 95 percent.

But … why?


It’s not for lack of resources. Training and education around security isn’t just ubiquitous – it’s required to be in compliance. So how can there be so much user error in spite of so many programs? How can the training programs fail with the same frequency as the problems they are trying to prevent?

It’s because they’re being doctors when they should be personal trainers.

Let me explain...

The doctor admonishes you to lose weight. You’re at your annual checkup – the one required by insurance – and she told you to do the exact same thing last year at your appointment. Lose weight. Again, she reviews the scary statistics and makes sure you understand the risks – that blood pressure and cholesterol of yours isn’t getting any lower and, remember, you’re not getting any younger. Before leaving, feeling a bit older, fatter, and more scared than when you arrived, she hands you a brochure outlining required information related to exercise and weight loss.

Yes, it’s all relevant information – you know your risks – but is it enough to change your behavior on a day-to-day, decision-by-decision basis?

Probably not. (The $40-50 billion Americans spend annually on weight loss programs attests to the fact that you’re not alone).

But, wise and motivated as you are, you know you need more than just a basic education to be successful. You need something – or someone – to help you change your behavior so that you can meet your goal of losing weight. So you find that someone – a personal trainer who will meet you at the gym in the early morning hours, monitor your diet and check your food diary to show you how to avoid all those lovely temptations, distractions and situations that will get you into trouble.

To have the greatest chance of successfully losing weight, which do you think would help you meet your goal? Your doctor or your personal trainer? The answer is obvious: the personal trainer – the one who will help you change your daily behavior. For good.

Same with security. If you want fewer phishing attacks, your employees need to change their behavior. For good – and for the good of your organization.

The Doctor Approach to Security Awareness Training

When it comes to security awareness training, most programs take the doctor approach. Steve Ragan, the author of “No Money, No Problem: Building a Security Awareness Program on a Shoestring Budget”, says: “it gives employees – and tests their knowledge on – a structured set of rules, which is what most auditors will look for when assessing compliance.”

And much like the doctor’s advice, while it’s good information, it isn’t enough to ensure that people will actually behave securely.

And the Personal Trainer Approach …

Alternatively, when you approach security awareness as a personal trainer, your focus is on changing people’s security-related behavior, which in turn strengthens the security culture. And this is what’s missing from most security awareness programs.

Just as training your body in healthier exercise behavior takes time, training your staff to recognize and report phishing attacks is an ongoing process. Like any aspect of human behavior – from our fitness routines (where the tendency is to be lazy) to our email habits (where the tendency is to click on everything) – change requires ongoing exposure and continual reinforcement.

This is what PhishLabs offers through our T2 Employee Defense Training – designed from the ground up to transform your employees – your most exploited vulnerability – into your most powerful security asset.

It’s the personal trainer of phishing awareness: your employees are conditioned by real-world phishing attacks that are most likely to target them.

So when it comes to security awareness programs and your employees – valuable and volatile as they are – ask yourself: “Is this program a personal trainer – is it actually conditioning our employees to recognize and report phishing attacks?”

If yes, go forward.

If not, contact us.

Topics: T2, security awareness training, EDT
