Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Phishing Training is a Tool, Not a Solution

If You Find Yourself Frequently Blaming Users for Successful Attacks, You Know Your Security is Not Working

If You Find Yourself Frequently Blaming Users for Successful Attacks, You Know Your Security is Not Working

Training users to recognize phishing is a best practice, an important “tool in the toolbox” as an IT manager once told me, and definitely something I agree with among a list of steps to improve one’s security posture. But I’ve heard anecdotes recently about IT managers prioritizing training above investing in better automated security, and have begun to wonder if training firms and many security providers who now offer it have been a bit too successful in their marketing, effectively convincing many that the job of protection should be shifted to the end user. 

A lot of phishing training is going on. A recent study by Osterman Research asked organizations a series of questions about phishing and user training, among other issues, and ascertained that 93% of organizations give their employees some kind of phishing awareness training. Of course, doing this “right” is not in everyone’s budget, or runs quickly into a limit of tolerance on the time to be taken from the schedules of busy employees. 

Can you (really) spot the fake?

Such training, everyone agrees, is good. Everybody knows that security is about layers, and having alert users is another layer. But anybody signing up for sessions for their company should understand it in that context—it’s another tool, not a solution. I was struck in the Osterman survey report by the fact that over half of IT and security managers rate their users “highly” or “extremely” capable of recognizing mass phishing and spear phishing emails (59% and 54%, respectively). What’s generating such confidence among this group? Personally, I’m not as sanguine. I see examples of phishing emails and spoofed web sites all the time, and while many fall to the quality level associated with Nigerian scams, I’m frequently struck by the subtlety of the approach, the high quality of the imitations, and the deceptive tactics employed. In considering the ability to spot the phish by a general employee population working away in the frenzy of their email-inundated lives, such a level of optimism contradicts my own anecdotal sense of things. A CIO at a large company told me recently that he feels that 40 percent of his users will “click on anything,” which seems realistic to me, and, if true, still means 60 percent of users are bringing some utility to the task of identifying phishing emails. It’s an attitude that makes room for the benefit of training in contributing to stopping some phishes, without over-relying on it.

I have to point out that, even when an alert user does their duty, the phish may still happen, because we’ve already entered the realm of possible human error. One case in point is the phish of campaign advisor John Podesta’s Gmail account during the (Hillary) Clinton campaign. Podesta thought the password reset email he received odd, so his assistant forwarded it to a security analyst working with the campaign, which led to arguably the most famous typo in IT security history—the consultant accidentally wrote “legitimate,” when he knew the email was a phish, and had intended to write “illegitimate.”

Blame the victims?

It’s a truism of security that users are the Achilles heel or “weak link” in any system of defenses. I recognize the wisdom in this, although sometimes it sounds to me a bit like blaming airline passengers for their plane going down. It seems at any security event today, there is a lot of touting of user training by user-education and, more recently, large security companies, pushing messaging along the lines of “protection starts with people”. Is this really the user’s responsibility? We don’t expect them to delete their own spam or to really know what attachments to click on. Are we in the process of giving up on technology’s ability to block phishing? 

Security is the weakest link – not the user

My view is that if you find yourself frequently blaming users for successful attacks, you know your security is not working. I agree that we should be thinking about how users work, what they do and how it affects the security posture of the business, but does security really start with them? If you start from the premise that IT should be an enabler for employees to be more productive, then it follows that security should protect them automatically. True, no system is infallible, and I’ve already acknowledged the importance of layered security, but my advice is do not let your email security vendor get away with delivering phishing emails to your users—they should just block them. Do not let your web security provider get away with allowing users to connect to phishing sites—they should just block the connections. It’s time to swing the pendulum back, and put the responsibility to do battle with phishing campaigns back where it most correctly belongs—on the security systems.

Written By

Click to comment

Expert Insights

Related Content


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...