Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective.
✅ Pros of phishing awareness training
Employees learn how to spot phishing attacks
While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them.
But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.
Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.
It’s a good chance to remind employees of existing policies and procedures
Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team.
Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.
Security leaders can identify particularly risky and at-risk employees
By getting teams across departments together for training sessions and phishing simulations, security leaders will get a birds’ eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?
These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.
Training satisfies compliance standards
While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices.
What are “proper data security practices?” This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.
It helps organizations foster a strong security culture
In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.
That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement.
You can read more about creating a positive security culture on our blog.
❌ Cons of phishing awareness training
Training alone can’t prevent human error
People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC) “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.”
That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated.
For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account take-over attack, such as minor changes in the sender’s writing style, are imperceptible to humans.
Phishing awareness training is always one step behind
Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets.
What could be next?
According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost.
Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider. What about lost productivity?
Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.
While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Phishing awareness training isn’t targeted (or engaging) enough
Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,0000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important.
According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was.
Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.
“A one-size-fits-all approach won’t work. Different generations have grown up with tech in different ways, and security training needs to reflect this. That’s not to say that we should think that people over 50 are tech-illiterate, though. Businesses need to consider what motivates each age group and tailor training accordingly. Being respected at work is incredibly important to an older generation, so telling them that they don’t understand something isn’t an effective way to educate them on the threats. Instead, businesses should engage them in a conversation, helping them to identify how their strengths and weaknesses could be used against them in an attack. Many younger employees, on the other hand, have never known a time without the internet and they don’t want to be told how to use it. This generation has a thirst for knowledge, so teach them the techniques that hackers will use to target them. That way, when they see a scam, they’ll be able to unpick it and recognize the tactics being used on them.”
Should I create a phishing awareness training program?
The short answer: “Yes”.
These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack.
But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense.
But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.
How does Tessian detect and prevent targeted phishing attacks?
Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.
By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise.
Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language.
This is an example of a warning message triggered by Tessian Defender
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
Not ready for a demo? Sign-up for our weekly blog digest to get more cybersecurity content, straight to your inbox. Just fill out the form below.