AXELOS, a UK firm with strong ties to the UK government Cabinet Office, yesterday published a stinging criticism on business security awareness training in the UK. “The one-dimensional and outdated cyber security awareness learning provided by most UK organizations is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviors look like,” it reported.
This is all the more surprising since management is aware of the real threat level, and the importance of training: “Despite the almost universal belief (99%) among senior managers that information security awareness training is important to minimizing cyber security breaches, less than half that number (47%) are tailoring the learning to the jobs their people do.”
Only 31% use perhaps the most effective and relatively inexpensive training currently available: simulated phishing. Phishing, and especially spear-phishing, has been the start point of nearly all major breaches over the last few years. A Wombat/Ponemon study last year calculated the average cost of a successful phishing attack to be more than $3.75 million.
Compare the 31% UK take-up to the 70% of companies that use of simulated phishing according to the US company Wombat’s report published earlier this year.
It seems that many companies prefer to rely on technology for their defense, without necessarily understanding the problem. According to Wombat’s figures, 99% of companies (not just UK) employ spam filters. Spam filters such as Spamhaus are excellent for catching spam, but are not very good at catching phishing. Spamhaus catches approximately 90% of malicious email; but needs to be bolstered by specific phishing lists such as those provided by Surbl. Together, Spamhaus and Surbl will catch 98% (figures supplied by SecurityZONES, a supplier of both Spamhaus and Surbl) of all incoming mail that contains a malicious link.
But that is still not enough, since a single successful phish could lead to a major breach. That is why simulated phish training is so important. It trains staff, it highlights staff who may need additional training, and it provides automatic ‘training points’ for staff who fail the test.
Simulated phishing can be developed entirely in-house, or could be a function of external pentesting. Guillaume Valet, a pentester with French firm iTrust explains the latter: “They [clients] provide us with their employee email database and we create templates of supposedly ‘infected’ emails. The catch here is that once an employee clicks on the link or attachment included in the suspicious email, he or she stumbles upon an educational platform, explaining the damage that could have occurred if it was a real hacker.”
Two leading simulated phishing training companies are Wombat Security and PhishMe. Rohyt Belani – CEO and co-founder of PhishMe, believes that most current training is simply boring and skimped by bored employees. What people need is the sort of immersive training that comes from coping with simulated phish attacks.
“With a behavioral conditioning program,” he explains, “organizations can check staff’s awareness by simulating attacks, congratulating success and provide follow-up materials for those found vulnerable. This reinforcement, provided at the point of susceptibility, will be far more memorable than a click-through training session or booklet received out of context. Conditioning employees to act as human sensors will greatly reduce the organization’s attack surface.”
Wombat told SecurityWeek in an email conversation, “We believe that for security awareness training to be effective, security teams need to continuously assess employee vulnerability to attack and knowledge of risky behaviors, educate employees with engaging content, and reinforce the correct behaviors by encouraging cyber-attack reporting or providing articles and posters. All throughout the cycle they should be measuring changes in behavior so that they can mark improvement, and adjust education to target the problem areas.”
That last point is the icing on the cake for simulated phish training – its success is measurable over time. It is one of the few training methods that can actually provide accurate metrics to the Board.