You are already well aware of the security risks to your organization from social engineering, spear phishing and ransomware attacks. This post will help you understand how some employee training practices fall short and how to implement cybersecurity awareness training best practices easily and affordably.
Employees are the weak link in an organization’s network security. They are frequently exposed to sophisticated phishing and ransomware attacks. In fact, 91% of successful data breaches started with a spear phishing attack. Employees need to be trained and remain on their toes with security top of mind.
We partner with KnowBe4 to provide associations with the tools to manage urgent IT security problems and phishing emails. KnowBe4 is the world’s largest Security Awareness Training and Simulated Phishing platform with over tens of thousands of customers. We work with associations to build programs to train employees on how not to fall victim to the latest social engineering methods.
Let’s take a look at why certain well-intentioned methods fall short and look at the best practices to reduce the risk to your association.
These worst practices are the reason why some IT managers struggle to obtain budget approval for more effective security training measures as they struggle to win the fight against phishing.
Only about one in five organizations admit to this as their “strategy” against the rise of phishing. But the actual number is probably much higher. The logic goes, “We haven’t had a company-threatening data breach to date, and we can live with these minor outbreaks which keep IT busy. So let’s hope ‘the big one’ doesn’t happen to us.” Aberdeen Group put a hefty price tag on reliance on this strategy. The analyst firm said that there is an 80% likelihood that infections from users will result in total costs of more than $2.5 million per year.
About 30% of organizations favor the break room approach. They gather as many employees as they can in the break room, provide lunch and have someone from IT lecture on topics such as phishing, spear-phishing and whaling. This is certainly better than nothing, but often attendance is low and most of the audience looks upon the event as a time to make some headway on their email backlog. And the results speak for themselves. Measures of the effectiveness of phishing show little change after such briefings.
This can be done informally with videos made available via email or placed on the website for employees to view, or formally via mandatory classes. These short clips educate users on the perils of promiscuous clicking and on the many snares used by phishers to reel in unsuspecting employees. About one in four organizations gravitate towards this method. At best, this can be categorized as being little more than a superficial training program. On its own, it can’t be expected to do much to diminish the risk of data breach. It also causes training fragmentation because important topics are covered months too late.
This approach pre-selects high-risk employees only and sends them simulated phishing emails to see how many fall victim to the attack. This is typically paired with some kind of educational module such as links to training modules for offenders as well as short videos to view to increase awareness. The plus on this method is that it offers some kind of metric about phishing. The minus is that employees soon get wise to it and “prairie dogging” begins to happen – an employee sees a phishing test email and pops his or her head up above the cubicle to let the others know to watch out for it. This approach, then, is both limited and too simplistic.
Most security awareness programs are superficial at best. They may include some sensible actions, but they don’t dovetail into a coordinated and comprehensive program. What is missing is an appreciation of the adversary being faced and the degree of commitment an organization has to have to stave off attacks. It is vital that the C-suite comes to terms with the extent of the threat and the sheer weight of resources the enemy is bringing to bear against naive employees. Only by doing so is it possible for C-level executives to comprehend the measures that must be taken to secure the enterprise and the vital necessity of erecting a human firewall of informed and ever-vigilant users. The crux of this best practice is having an awareness of the scale of the problem and the resources necessary to defend against it.
Training on its own, typically once a year, isn’t enough. Simulated phishing of personnel on its own doesn’t work. But together, they can be combined to greatly increase effectiveness. An important best practice is to intelligently integrate these components into an overall campaign. This is best accomplished by finding a platform that integrates simulated phishing and security awareness training.
Security awareness training can be undermined due to difficulty in measuring its impact. How exactly are you supposed to prove that it obtains results? All it takes is one fresh outbreak and someone in authority can point to the event as evidence that such training dollars would be better spent elsewhere. This is where the baseline comes into play.
It is vital to establish a baseline on phishing click-through rates so you know the how many users open malicious emails prior to awareness training. This is easily accomplished. Send out a simulated phishing email to employees to find out the number that are tricked into opening an attachment, click on a link or enter sensitive information. This is your baseline phish-prone percentage. This metric can be later used to determine how effective the campaign is. Further, it provides specific numbers that can prove useful during the purchase order approval process.
To be effective, top executives and IT managers must be onboard. Thus extensive briefings before and during a training program is a must. Briefings are needed in advance to accomplish finance approval, but it should never end there. Prior to beginning a phishing simulation project, communicate to executives (such as HR and Legal) and iron out all political or sensitivity issues in advance. Otherwise, such campaigns may be unjustly accused of targeting specific employees, undermining morale or discriminating against certain groups. Only by keeping all interested parties involved, listening to their concerns and addressing their needs can the campaign hope to succeed. In some organizations, there may be pressure to inform employees that a simulated phishing campaign is about to be launched. In those cases, where staff are forewarned, the effectiveness of the campaign is significantly reduced.
Another aspect of this best practice is to inform executives about baseline phishing numbers so they are more aware of the extent of the problem and the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results. Showcase all drops in phishing effectiveness as a way to demonstrate the value of the program.
Earlier, we mentioned prairie dogging where an employee notices a simulated phishing email and warns the others in the offce about it. This phenomenon can even bring about an apparent drop in phishing susceptibility in tests that doesn’t translate into the real world. Employees get used to the simulated actions of the campaign, learn to watch out for them every Monday morning and thereafter continue as normal. What you end up with is a simulated phishing initiative that has little or no impact on employee gullibility.
This is particularly important when you consider the findings from a study by Proofpoint. It found that no company had a zero-click rate from phishing attacks. While repeat clickers account for the majority of clicks on malicious links, 40% of clicks are typically one off clickers. In other words, even the best and the brightest can be caught unawares and will click on something malicious from time to time. Prairie dogging might allow these rare but occasional phishing victims to develop complacency.
The way to guard against this is to use what are termed random-random simulated phishing attacks. A comprehensive security awareness training practice entails the selection of random groups, random schedules, and random phishing templates to gain a more accurate estimate of an organization’s likelihood to fall victim to phishing. Instead of sending out the same phishing emails every Monday morning to accounting, every Tuesday at lunch to sales and every Friday evening to manufacturing, switch the tactics and schedules around by varying the groups and schedules randomly. This eliminates prairie dogging and provides the organization with a real metric they can use to determine effectiveness.
Personalized emails are more believable. In some cases, this can be as simple as adding the employee’s first name. But in large organizations, personalization must be taken further. For example, obtain from payroll the names of the banks used by employees for direct deposit and use that bank name in a phishing campaign. Another tactic is to split phishing email into groups such as by departments, or to tie phishing emails into topical or popular events.
The results from comprehensive security awareness training are excellent. But they fall short of the miraculous. By that, we mean phishing victimization rates generally fall from the 10-25% range to about 2%. It appears that getting below that point is extremely difficult. But continuation of the campaign can keep results at or below that level, which will have a significant impact on the organization. With malware infections caused by phishing minimized, IT finds itself able to contain remaining outbreaks more effectively as there are far less of them.
Due to the dramatic drop in infections, other security measures have a greater chance of success. IT finds itself moving from constant troubleshooting mode to being able to move forward with projects that provide greater strategic value to the organization.
A common concern about simulated phishing is that the results could be used in witch hunts. Therefore, don’t ever use results in this way or bring them up in annual reviews. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.
The exception to this comes once the coordinated campaign of training and phishing simulation has brought about marked results. After a prolonged series of simulations and training steps, companies are likely to find the same small group of repeat offenders. Proofpoint noted that less than 10% of users are responsible for almost all clicks on any given wave of malicious attacks. While security awareness training can push that number down, there will remain a handful of individuals who continue to click despite being given every opportunity to reform.
By this point, they will have attended several training classes, and received a thorough education on how phishing can fool them. Yet they go on being fooled no matter what remedial steps are taken. Now is the time to involve HR to take up findings with repeat offenders who show no improvement despite several attempts at retraining. To take any possible negative connotation away from ‘flunking’ simulated phishing tests, it sometimes works to incentivize departments to encourage their staff to complete training or retraining in an effort to achieve a 0% click rate. Those doing so, or scoring below a particular level can be awarded with gift cards or other inducements. despite several attempts at retraining.
Even when testing confirms that phishing susceptibility has fallen to nominal levels, continue to test employees frequently to determine if anti-phishing training remains effective. The bad guys are always changing the rules, adjusting their tactics and upgrading their technologies. Therefore, training reinforcement must remain a part of the organizational security arsenal in order to keep pace with constantly evolving threats.
Old school security training favored a lecture or video approach. The problem with this type of training is that it can rapidly become outdated – the security landscape of one year ago is very different from that of today. It also focuses too much on theory and isn’t balanced by practical application.
Security awareness training is interactive, balances theory and application, is continually updated, and is based upon thorough insight of how cybercriminals operate. Ideally, it will incorporate the services of an expert hacker who knows all the ways of entering an organization and all the tricks of the phishing trade. It should make sure employees understand the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day jobs.
Cimatri proudly partners with KnowBe4, the world’s most popular integrated security awareness training and simulated phishing platform. More than 1,700 organizations use KnowBe4’s platform to keep employees on their toes with security top of mind. KnowBe4 is used across all industries, including highly regulated fields such as finance, healthcare, energy, government and insurance. At Cimatri, we have experience successfully administering the program for associations. It is an easy to use, affordable product that every association needs. Contact us to see a demo.