Over the last several weeks, phishing, spear phishing, and social engineering attacks have dominated headlines. But phishing isn’t a new problem: these scams have been circulating since the mid-’90s.
So, what can security leaders do to prevent being targeted? Unfortunately, not much. Attackers play the odds, firing off thousands of phishing emails at a time in the hope that at least a few will succeed. The key, then, is to train employees to spot these scams.
That’s why phishing awareness training is such an essential part of any cybersecurity strategy. But is phishing awareness training alone enough?
Keep reading to find out the pros and cons of phishing awareness training as well as the steps security leaders need to take to level up their inbound threat protection.
While people working in security, IT, or compliance are all-too-familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms.
That means phishing awareness training is an essential first step. To successfully spot a phish, they have to know they exist.
By showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation (a sender domain that looks like a trusted one but has a swapped, substituted, or added character), and the types of requests attackers generally make – they’ll immediately be better placed to tell a phishing email from a legitimate one.
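To make the domain impersonation point concrete, here is an added example of the kind of lookalike-domain check a security team might run over inbound sender addresses. It is illustration code written for this article, not code from the original post or from any vendor's product; the protected domain list, the homoglyph table, and the sample senders are all constructed for the demo, and the "registrable domain" helper deliberately approximates with the last two labels.

```python
"""Lookalike sender-domain check (added example, not the article's own code).

Flags the three impersonation patterns training usually covers:
  1. homoglyph / IDN swaps   (examp1ebank.com, ex<Cyrillic a>mplebank.com)
  2. brand-as-subdomain       (examplebank.com.evil.net)
  3. near-miss spellings      (examplebank.co, examplebenk.com)
"""
from __future__ import annotations

# Constructed for the demo: domains the organization and its partners really use.
PROTECTED_DOMAINS = {"example.com", "examplebank.com", "acme-payroll.com"}

# Constructed substitution table: what the victim sees -> what it is meant to resemble.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}

# Cyrillic letters that render like Latin a e o p c x y i j, folded to Latin.
_CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0458",
                             "aeopcxyij")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lowercase, decode punycode IDN labels, and fold confusable characters."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")   # xn--… labels -> Unicode
    except (UnicodeError, ValueError):
        pass                                   # already Unicode or not valid IDNA
    d = d.translate(_CONFUSABLES)
    for seen, meant in HOMOGLYPHS.items():
        d = d.replace(seen, meant)
    return d


def registrable(host: str) -> str:
    """Last two labels. Approximation: production code should consult the
    Public Suffix List so that e.g. examplebank.co.uk is handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify(sender: str) -> tuple[str, str]:
    """Return (verdict, reason) for an email address or bare host name."""
    raw = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    raw_reg = registrable(raw)
    if raw_reg in PROTECTED_DOMAINS:
        return "ok", f"{raw_reg} is a protected domain"

    host = normalize(raw)
    reg = registrable(host)
    # Longest brand first so examplebank.com wins over example.com.
    for p in sorted(PROTECTED_DOMAINS, key=len, reverse=True):
        pn = normalize(p)
        brand = pn.split(".")[0]
        if reg == pn:
            return "suspicious", f"{raw_reg} looks like {p} (homoglyph/IDN)"
        if any(brand in label for label in host.split(".")[:-2]):
            return "suspicious", f"{p} brand used as a subdomain of {reg}"
        if edit_distance(reg, pn) <= 2:
            return "suspicious", f"{raw_reg} is within 2 edits of {p}"
    return "unknown", f"{raw_reg} is not a protected domain and resembles none"


if __name__ == "__main__":
    # Constructed sample senders, one per pattern plus two controls.
    for s in ["alice@mail.examplebank.com", "billing@examplebank.co",
              "it@examp1ebank.com", "hr@examplebank.com.evil.net",
              "ceo@ex\u0430mplebank.com", "news@newsletter.partner.org"]:
        verdict, why = classify(s)
        print(f"{verdict:10} {s:32} {why}")
```

A check like this is a training aid and a triage hint, not an authentication control: it tells you a domain resembles a trusted one, not that mail from the trusted domain is genuine, so it belongs alongside SPF, DKIM, and DMARC enforcement rather than in place of them. The edit-distance threshold also produces false positives on short domain names, so tune it to the length of the brands you protect.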
Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.
Again, showing employees what phishing attacks look like is step one. But ensuring they know what to do if and when they receive one is an essential next step and is your chance to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team.
Importantly, though, phishing awareness training should also reinforce the importance of other policies, specifically around creating strong, unique passwords, storing them safely, updating them when there is reason to believe they are compromised, and enabling multi-factor authentication wherever it is offered, which limits what a harvested password is worth to an attacker. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.
By getting teams across departments together for training sessions and phishing simulations, security leaders will get a bird’s-eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new starters struggling to pass post-training assessments?
These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and could help pinpoint gaps in the overall security framework.
While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices.
What are “proper data security practices?” This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.
In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.
That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement. You can read more about creating a positive security culture on our blog.
The point of phishing awareness training is to prevent successful attacks in the workplace. But, it’s important to remember that phishing attacks are targeted at consumers, too. That’s why the most frequently impersonated brands are household names like Netflix and Facebook.
Why does this matter? Because phishing attacks have serious consequences, and not just for larger organizations. If an employee were scammed in a consumer attack, they could lose thousands of dollars or even have their identity stolen. It’s hard to imagine a world in which this wouldn’t affect their work.
The bottom line: prevention is better than cure and knowledge is power. Phishing awareness training won’t just protect your organization’s data and assets, it’ll empower your people to protect themselves outside of the office, too.
While phishing awareness training will help employees spot phishing scams and make them think twice before clicking a link or downloading an attachment, it’s not a silver bullet.
Even the most security-conscious and tech-savvy employees can – and do – fall for phishing attacks. Case in point: Employees working in the tech industry are the most likely to click on links in phishing emails, with nearly half (47%) admitting to having done it. This is 22% higher than the average across all industries.
As the saying goes, “to err is human.”
Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months ago may not be today.
We only have to look at the spike in COVID-19 themed phishing attacks starting in March 2020 for proof. Prior to the outbreak of the pandemic, very few phishing awareness programs would have trained employees to look for impersonations of the World Health Organization, for example. Likewise, impersonations of collaboration tools like Zoom took off as soon as workforces shifted to remote working.
What could be next?
According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost.
Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider. What about lost productivity?
Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.
While – yes – a successful attack would cost more, we can’t forget that phishing awareness training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy.
Age is especially important.
According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged 18 to 40. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was.
Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.
“A one-size-fits-all approach won’t work. Different generations have grown up with tech in different ways, and security training needs to reflect this. That’s not to say that we should think that people over 50 are tech-illiterate, though. Businesses need to consider what motivates each age group and tailor training accordingly.”
“Being respected at work is incredibly important to an older generation, so telling them that they don’t understand something isn’t an effective way to educate them on the threats. Instead, businesses should engage them in a conversation, helping them to identify how their strengths and weaknesses could be used against them in an attack.”
“Many younger employees, on the other hand, have never known a time without the internet and they don’t want to be told how to use it. This generation has a thirst for knowledge, so teach them the techniques that hackers will use to target them. That way, when they see a scam, they’ll be able to unpick it and recognize the tactics being used on them.”
Unfortunately, the average employee is less focused on cybersecurity and more focused on getting their job done. That’s why one-third (33%) rarely or never think about security at work, and over half (54%) of employees say they’ll find a workaround if security software or policies prevent them from doing their job.
While – yes – security leaders can certainly reinforce the importance of software and policies, training alone won’t control employees’ behavior or inspire every single person to become a champion of cybersecurity.
It’s widely accepted that time pressure negatively impacts decision accuracy. But did you know that individuals who are expected to respond to emails quickly are also the most likely to click on phishing emails?
It makes sense. If you’re rushing to read and fire off emails – especially when you’re working from laptops, phones, and even watches – you’re more likely to make mistakes.
So, is phishing awareness training worth doing? The short answer: absolutely. Phishing awareness training programs can teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack.
But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense.
But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.
Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.
By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise.
Once detected, real-time warnings are triggered that explain exactly why the email was flagged, including specific information from the email. This is an important function. Why? Because, according to Jeff, “People learn best when they get fast feedback and when that feedback is in context.”
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.