Why is user awareness training important for IT security?
Phishing operations represent 41% of cyber breach incidents according to the IBM X-Force report. Deloitte estimates phishing to be the initial attack vector in 91% of cyber breaches. These estimates put phishing at the forefront of the corporate attack surface because they identify phishing as the most successful method used by attackers to compromise a system and gain initial access to a victim’s network. In response, organizations need to increase their resilience against phishing and other types of social engineering attacks. By testing their staff’s ability to effectively identify phishing attempts and malspam and providing educational material, an organization can identify potential weaknesses and reduce the chance that an employee will fall prey to an attack. Of course, secondary cybersecurity measures should be in place to detect and respond to a successful phishing attack, but user awareness training is a good practice that can greatly reduce the probability of suffering an attack.
What does the phishing landscape look like?
IBM X-Force analyzed the use of phishing kits and identified the top brands used as Microsoft, Apple and Google. However, the true breadth of the phishing landscape goes far beyond these few “most spoofed” brands. Hackers are continuously developing new strategies to directly target particular industries and regions with relevant business and politically motivated phishing campaigns, seeking to capitalize on naivety, popular trends, trust, fear, authority, urgency, and other emotions and motivators that drive a victim into clicking on a link, opening a document, or directly providing their credentials.
The click rate for the average targeted phishing campaign was 17.8%, but targeted phishing campaigns that added phone calls (vishing or voice phishing) were three times more effective, netting a click from 53.2% of victims. Also, the most common access vector for ransomware attacks continues to be phishing. Considering the potential costs that even a single breach can impose on an organization, it is critical that such an openly exploited security gap as phishing be closed.
How does user awareness training work?
An organization’s management team needs visibility into which employees are susceptible to phishing attacks. User awareness training (cyber awareness training) serves as a form of testing and knowledge verification and provides supplemental training and educational content to employees. It typically works by whitelisting a third-party IT security service provider in an organization’s email spam filter to ensure that the phishing simulation emails can reach their intended targets. Simulated phishing emails contain file attachments and include links to online resources that are designed to entice the targeted employees and track and alert when they have been clicked on.
Some user awareness training platforms provide immediate feedback to employees after they click on a potentially malicious link and also direct them to a short training video to give them some perspective into what they missed and how they can identify similar types of phishing attacks in the future. The phishing simulation’s results are collected in an administration dashboard where managers can monitor and track the performance of each employee, add and remove employees’ email addresses as targets, and adjust other configuration settings.
Who are the best user awareness training providers?
Gartner provides a good list of user awareness products offered by industry leading IT security companies. This is a good place to start looking for a quality user awareness solution. It’s also worthwhile to check if a vendor of your organization’s security software products provides any user-awareness training services as you may be able to get a discount as part of a bundle.
It is important to verify the security posture of any company you are considering as a partner or vendor. This should include reviewing any privacy policies, data-retention policies, and any available reports about the vendor’s compliance attestations. In general, it is better to work with a company that provides documentation about their internal security policies and has achieved a formal compliance accreditation such as ISO 27001 or SOC 2. This is because, as a vendor, they will be storing very sensitive information about your organization. In this case, the data they collect could be used to identify email addresses that represent a security weakness and could potentially be targeted to gain initial access to your network.
Are there any security concerns with user awareness training?
Yes. There are clear security risks with implementing user awareness training. The biggest concern is that the data collected represents potential weaknesses in your organization’s security posture. This means that if the user-awareness vendor does not properly control or restrict access to the data they collect, it could be stolen and used against the client.
Another potential security failure when deploying a user awareness program is that you also potentially tip off disgruntled insiders that clicking on a phishing email attachment or link could do harm to the company. For this reason, a defence-in-depth approach is advised.
What are some best practices for implementing a user awareness program?
A well implemented user awareness program will have a more positive impact and be more efficient than an ad-hoc approach. Let’s consider some general best practices that can help improve a user awareness program:
- Do not reprimand or lightly punish employees for falling for a simulated phishing attack. Instead, it’s better to reward positive performance. How about free Starbucks coffee once a month for solid performers?
- Check the security posture of any third party vendors and service providers that you plan to work with. These service providers also represent a supply chain security risk of their own and so you need to ensure you are partnering with reliable and responsible partners.
- Involve department managers and C-level executives. This is critical because it ensures that the most important information is shared with decision makers within the organization.
- Don’t deploy regularly scheduled phishing campaigns. For example, don’t have every Friday be “Phishing day” or only test users for a few days a month. It’s better to randomly and sporadically test users so they cannot predict when phishing simulations may be in play.
- Use a diverse set of phishing content. Don’t send the same template to each user.
- Share the results of your training program with stakeholders and partners. It is a positive upside that your company is doing more to protect itself from cyber attacks. This is a responsible and proactive activity that makes your organization look good. It can be included in your reports to partners, stakeholders, and customers to let them know their data is safer.
- Have a reporting and incident response program in place for employees to report phishing attacks that they identify. This is valuable information for an IT security team, which can parse the attacks to identify their scope. Analyzing phishing attacks that reach an employee also gives an opportunity to warn other employees and understand what social engineering tactics are being used.
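As an added illustration (not code from the original article or from any vendor platform), the script below turns a constructed dashboard export into the department-level click and report rates a manager would review, flags departments above the 17.8% average cited above, and checks whether the campaign schedule has fallen into the predictable “every Friday” pattern. The CSV column layout and the sample rows are assumptions made for this example.

```python
import csv
import io
from datetime import date

# Constructed sample export from a simulation dashboard (hypothetical format, not real data).
SAMPLE_CSV = """campaign,recipient,department,clicked,reported
2024-03-01,alice@example.com,Finance,1,0
2024-03-01,bob@example.com,Finance,0,1
2024-03-01,carol@example.com,Engineering,0,1
2024-03-08,alice@example.com,Finance,0,1
2024-03-08,dave@example.com,Engineering,1,0
2024-03-08,erin@example.com,Engineering,0,0
2024-03-13,bob@example.com,Finance,1,0
2024-03-13,carol@example.com,Engineering,0,1
"""
BASELINE_CLICK_RATE = 0.178  # average targeted-campaign click rate cited in the article

def load_results(text):
    """Parse the CSV export; clicked/reported become 0/1 integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["clicked"], row["reported"] = int(row["clicked"]), int(row["reported"])
    return rows

def department_metrics(rows):
    """Aggregate per department (not per person): sent, click rate, report rate."""
    totals = {}
    for row in rows:
        t = totals.setdefault(row["department"], [0, 0, 0])  # sent, clicked, reported
        t[0] += 1
        t[1] += row["clicked"]
        t[2] += row["reported"]
    return {d: {"sent": s, "click_rate": round(c / s, 3), "report_rate": round(r / s, 3)}
            for d, (s, c, r) in totals.items()}

def departments_above_baseline(metrics, baseline=BASELINE_CLICK_RATE):
    """Departments whose click rate exceeds the baseline and should get extra training first."""
    return sorted(d for d, m in metrics.items() if m["click_rate"] > baseline)

def schedule_is_predictable(rows):
    """True if every campaign landed on the same weekday or at a fixed interval,
    the 'every Friday is phishing day' anti-pattern that staff quickly learn to expect."""
    days = sorted({date.fromisoformat(r["campaign"]) for r in rows})
    if len(days) < 2:
        return False
    same_weekday = len({d.weekday() for d in days}) == 1
    gaps = {(b - a).days for a, b in zip(days, days[1:])}
    return same_weekday or len(gaps) == 1
```

Run `department_metrics(load_results(SAMPLE_CSV))` to get the per-department summary; report rate matters as much as click rate, since a rising report rate shows the reporting program from the last bullet is being used.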