According to cyber threat researchers, phishing incidents are on the rise and will not wane due to their effectiveness as the first step to injecting malware into a target’s network. A recent report shows that phishing was the most popular attack vector in 2021, resulting in one in five employees falling victim to phishing hacking techniques. Although technical solutions protect against phishing threats, no solution is 100% effective. This is the reason why; companies should involve their employees of all levels in defending against hackers. Security awareness training gives companies the confidence that their employees will respond correctly when they discover a phishing message in their inbox.
The pundit's quote, "knowledge is power," but the effectiveness of knowledge depends heavily on how it is delivered. In the case of phishing attacks, simulations are among the most effective forms of training because the events in training simulations directly mimic how an employee would react in the event of an actual attack. Since employees do not know whether a suspicious email in their inbox is a simulation or a real threat, this training becomes even more valuable.
According to cyber professionals, it is critical to plan, implement and evaluate a cyber awareness training program to ensure it truly changes employee behavior. But, for this effort to be successful, it should involve much more than just emailing employees. Key practices to consider include:
- Real-life phishing simulations.
- Adaptive learning - live response and protection from actual cyberattacks.
- Personalized training based on department, tenure, and cyber experience level.
- Empowering and equipping employees with an always-on cybersecurity mindset.
- Data-driven campaigns
Since most employees do not recognize the difference between phishing simulations and real cyberattacks, it is important to remember that they evoke different emotions and reactions, so awareness training should be conducted thoughtfully. Organizations need to engage their employees to combat the ever-increasing attacks and protect their assets, it is important to keep morale high and create a positive culture of cyber hygiene.
The following are three common areas where phishing simulations may not be effective.
Testing instead of educating: The approach of running a phishing simulation as a test to catch and punish "repeat offenders" can do more harm than good. An educational experience that involves stress is counterproductive and even traumatic. As a result, employees will not go through the training but look for ways to circumvent the system. Overall, the fear-based "audit approach" is not beneficial to the organization in the long run because it cannot provide the necessary training over an extended period.
Because maintaining positive employee morale is critical to the organization's well-being, provide positive just-in-time training. Just-in-time training means that once employees have clicked on a link within the simulated attack, they are directed to a concise training session. The idea is to quickly educate the employee on their mistake and give them essential tips on spotting malicious emails in the future.
Communicate with relevant stakeholders to ensure they are aware of ongoing phishing simulation training. Many organizations forget to inform relevant stakeholders, such as HR or other employees, that the simulations are being conducted. Learning has the best effect when participants have the opportunity to feel supported, make mistakes, and correct them.
Using the same simulation for all employees: It is important to vary the simulations. Sending the same simulation to all levels/skills employees, especially at the same time, is ineffective and has no valid metrics regarding organizational risk. The "warning effect" the first employee to discover or fall for the simulation warns the others. This prepares your employees to respond to the "threat" by anticipating the simulation, thus bypassing the simulation and the training opportunity. Do not underestimate the power of the “Office telegraph system.”
Another negative impact is social desirability bias, which causes employees to over-report incidents to IT without being viewed more favorably. This leads to an overloaded system and the department IT. This form of simulation also leads to inaccurate results, such as unrealistically low click-through and over-reporting rates. Then the metrics do not show the real risks of the company or the problems that need to be addressed.
Use an application that allows for sending multiple simulations to different employees at different times. Certain software solutions can do this automatically by sending a variety of simulations to different groups of employees. It is important to implement a continuous cycle to ensure that all new employees are properly on-boarded and to reinforce that security is important 24/7 - not just checking a box for minimum compliance.
Relying on data from a single campaign: With over 3.4 billion phishing attacks daily, it is safe to assume that at least a million differ in complexity, language, approach, or tactics. Unfortunately, no single phishing simulation can accurately reflect an organization's risk. Relying on a single phishing simulation result is unlikely to provide reliable results or comprehensive training. Another important consideration is that different groups of employees respond differently to threats, not only because of their vigilance, training, position, tenure, or even education level but because the response to phishing attacks is also contextual.
Behavior change is an evolutionary process and should therefore be measured over time. Each training session contributes to the progress of the training. Training effectiveness, or in other words, an accurate reflection of actual organizational behavior change, can be determined after multiple training sessions and over time. The most effective solution is to continuously conduct various training programs (at least once a month) with multiple simulations.
It is highly recommended to train employees according to their risk level. A diverse and comprehensive simulation program provides reliable measurement data based on systematic behavior over time. To validate their efforts at effective training, organizations should obtain a valid indication of their risk at any given time while monitoring progress in risk reduction.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings