Security Awareness Training: Poor in UK, Better in US

AXELOS, a UK firm with strong ties to the UK government Cabinet Office, yesterday published a stinging criticism on business security awareness training in the UK. “The one-dimensional and outdated cyber security awareness learning provided by most UK organizations is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviors look like,” it reported.

This is all the more surprising since management is aware of the real threat level, and the importance of training: “Despite the almost universal belief (99%) among senior managers that information security awareness training is important to minimizing cyber security breaches, less than half that number (47%) are tailoring the learning to the jobs their people do.”

Only 31% use perhaps the most effective and relatively inexpensive training currently available: simulated phishing. Phishing, and especially spear-phishing, has been the starting point of nearly all major breaches over the last few years. A Wombat/Ponemon study last year calculated the average cost of a successful phishing attack to be more than $3.75 million.

Compare the 31% UK take-up with the 70% of companies that use simulated phishing according to the US company Wombat’s report published earlier this year.

It seems that many companies prefer to rely on technology for their defense without necessarily understanding the problem. According to Wombat’s figures, 99% of companies (not just in the UK) employ spam filters. Spam filters built on blocklists such as Spamhaus are excellent for catching spam, but are not very good at catching phishing. Spamhaus catches approximately 90% of malicious email, but needs to be bolstered by specific phishing lists such as those provided by SURBL. Together, Spamhaus and SURBL catch 98% of all incoming mail that contains a malicious link (figures supplied by SecurityZONES, a supplier of both Spamhaus and SURBL).
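The layering described above, where an IP-based list catches most spam and a URI-based list adds the phish that arrive from clean hosts, is easy to see in code. The following is an added illustration, not code from SecurityWeek, Spamhaus, SURBL or SecurityZONES. The zone names zen.spamhaus.org and multi.surbl.org are the real public ones; the DNS answers, the sender addresses and the three messages are constructed so the script runs offline, and the "registered domain" logic is a simplification (real clients consult the public suffix list).

```python
import re
from email import message_from_string

# Public blocklist zones named in the article's argument (real zone names).
ZEN = "zen.spamhaus.org"      # Spamhaus IP-based list
SURBL = "multi.surbl.org"     # SURBL URI/domain-based list

# Constructed stand-in for DNS: a listed name resolves to a 127.0.0.x address,
# anything else is NXDOMAIN (None). Swap dns_a_lookup for a real resolver to
# query the live zones.
FAKE_DNS = {
    "4.100.51.198.zen.spamhaus.org": "127.0.0.2",        # sender IP 198.51.100.4
    "phish-example.test.multi.surbl.org": "127.0.0.8",   # domain of a phishing link
}

def dns_a_lookup(name, table=FAKE_DNS):
    return table.get(name)

def dnsbl_query_name(ip, zone=ZEN):
    """IP blocklists are queried with the octets reversed: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def uribl_query_name(host, zone=SURBL):
    """URI blocklists are keyed by registered domain. Keeping the last two labels
    is a simplification; real clients consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST_RE = re.compile(r"""https?://([^/\s<>"']+)""", re.I)

def connecting_ip(msg):
    """Client IP from the top-most Received header, the one our own MX wrote.
    Lower Received headers are supplied by the sender and are not trusted."""
    received = msg.get_all("Received") or []
    m = RECEIVED_IP_RE.search(received[0]) if received else None
    return m.group(1) if m else None

def link_hosts(msg):
    """Hostnames of every http(s) link in the text parts of the message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            for m in URL_HOST_RE.finditer(text):
                hosts.add(m.group(1).split("@")[-1].split(":")[0].lower())
    return hosts

def classify(raw_message, lookup=dns_a_lookup):
    """Layered verdict: the IP list alone misses a phish sent from a clean host;
    the URI list catches it by the link it carries."""
    msg = message_from_string(raw_message)
    ip = connecting_ip(msg)
    ip_listed = bool(ip and lookup(dnsbl_query_name(ip)))
    bad_links = sorted(h for h in link_hosts(msg) if lookup(uribl_query_name(h)))
    return {"ip": ip, "ip_listed": ip_listed, "listed_link_hosts": bad_links,
            "reject": ip_listed or bool(bad_links)}

# Three constructed messages (documentation address ranges, .test domains).
SPAM_FROM_LISTED_IP = """\
Received: from bulk.example.test (bulk.example.test [198.51.100.4])
    by mx.corp.test with ESMTP; Tue, 5 Jun 2018 10:00:00 +0000
From: deals@example.test
To: staff@corp.test
Subject: Huge discounts

Visit http://shop.example.test/deal today.
"""

PHISH_FROM_CLEAN_IP = """\
Received: from webmail.example.test (webmail.example.test [203.0.113.7])
    by mx.corp.test with ESMTP; Tue, 5 Jun 2018 10:05:00 +0000
From: it-helpdesk@example.test
To: staff@corp.test
Subject: Password expiry

Reset now: https://login.phish-example.test/reset?u=staff
"""

CLEAN = """\
Received: from hr.corp.test (hr.corp.test [192.0.2.9])
    by mx.corp.test with ESMTP; Tue, 5 Jun 2018 10:10:00 +0000
From: hr@corp.test
To: staff@corp.test
Subject: Updated policy

The new policy is at https://intranet.corp.test/policy
"""

if __name__ == "__main__":
    for label, raw in [("spam", SPAM_FROM_LISTED_IP), ("phish", PHISH_FROM_CLEAN_IP), ("clean", CLEAN)]:
        print(label, classify(raw))
```

The second message is the case the article is making: its sender IP is clean, so the IP list returns nothing, and only the URI lookup on the link's registered domain rejects it. Note that only the top-most Received header is consulted; the others are written by whoever relayed the message and cannot be trusted for the client address.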

But that is still not enough, since a single successful phish could lead to a major breach. That is why simulated phish training is so important. It trains staff, it highlights staff who may need additional training, and it provides automatic ‘training points’ for staff who fail the test.

Simulated phishing can be developed entirely in-house, or could be a function of external pentesting. Guillaume Valet, a pentester with French firm iTrust explains the latter: “They [clients] provide us with their employee email database and we create templates of supposedly ‘infected’ emails. The catch here is that once an employee clicks on the link or attachment included in the suspicious email, he or she stumbles upon an educational platform, explaining the damage that could have occurred if it was a real hacker.”


Two leading simulated phishing training companies are Wombat Security and PhishMe. Rohyt Belani, CEO and co-founder of PhishMe, believes that most current training is simply boring and is skimmed through by bored employees. What people need is the sort of immersive training that comes from coping with simulated phish attacks.

“With a behavioral conditioning program,” he explains, “organizations can check staff’s awareness by simulating attacks, congratulating success and providing follow-up materials for those found vulnerable. This reinforcement, provided at the point of susceptibility, will be far more memorable than a click-through training session or booklet received out of context. Conditioning employees to act as human sensors will greatly reduce the organization’s attack surface.”

Wombat told SecurityWeek in an email conversation, “We believe that for security awareness training to be effective, security teams need to continuously assess employee vulnerability to attack and knowledge of risky behaviors, educate employees with engaging content, and reinforce the correct behaviors by encouraging cyber-attack reporting or providing articles and posters. All throughout the cycle they should be measuring changes in behavior so that they can mark improvement, and adjust education to target the problem areas.”

That last point is the icing on the cake for simulated phish training – its success is measurable over time. It is one of the few training methods that can actually provide accurate metrics to the Board.
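The programme that Belani and Wombat describe above, and the measurability this paragraph praises, come down to a small set of numbers per campaign: who clicked, who reported, how those rates move between campaigns, and which staff keep clicking and so need tailored follow-up. The script below is an added example, not code from SecurityWeek, Wombat, PhishMe or iTrust. The record layout, the staff list and the three campaigns are constructed; a real programme would export equivalent records from whatever platform sent the simulated emails.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Result:
    campaign: str
    sent: date
    user: str
    department: str
    clicked: bool     # followed the link or opened the attachment
    reported: bool    # forwarded the mail to the security team instead

# Constructed staff list and three quarterly campaigns.
STAFF = {"alice": "finance", "bob": "finance",
         "carol": "engineering", "dave": "engineering", "erin": "hr"}

def _campaign(name, sent, clicked, reported):
    """One record per staff member for a campaign (constructed data)."""
    return [Result(name, sent, u, STAFF[u], u in clicked, u in reported) for u in STAFF]

RESULTS = (
    _campaign("password-reset", date(2018, 1, 15), {"alice", "bob", "carol"}, {"erin"})
    + _campaign("overdue-invoice", date(2018, 4, 16), {"alice", "dave"}, {"bob", "erin"})
    + _campaign("benefits-enrolment", date(2018, 7, 16), {"alice"}, {"bob", "carol", "dave", "erin"})
)

def _pct(hits, total):
    return round(100.0 * hits / total, 1) if total else 0.0

def campaign_rates(results):
    """Click and report rate per campaign, oldest first."""
    groups = defaultdict(list)
    for r in results:
        groups[(r.sent, r.campaign)].append(r)
    rows = []
    for (sent, name), rs in sorted(groups.items()):
        rows.append({"campaign": name, "sent": sent.isoformat(), "recipients": len(rs),
                     "click_rate": _pct(sum(r.clicked for r in rs), len(rs)),
                     "report_rate": _pct(sum(r.reported for r in rs), len(rs))})
    return rows

def click_rate_trend(rows):
    """Change in click rate from the first to the latest campaign, in percentage points."""
    return round(rows[-1]["click_rate"] - rows[0]["click_rate"], 1) if len(rows) > 1 else 0.0

def repeat_clickers(results, min_clicks=2):
    """Staff who clicked in at least `min_clicks` campaigns: the group that
    needs tailored follow-up rather than another generic module."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)

def department_click_rates(results):
    """Overall click rate per department, to target education where it is weakest."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in results:
        sent[r.department] += 1
        clicked[r.department] += r.clicked
    return {d: _pct(clicked[d], sent[d]) for d in sent}

def board_summary(results):
    """The figures a security team can put in front of the Board."""
    rows = campaign_rates(results)
    return {"campaigns": rows,
            "click_rate_trend_points": click_rate_trend(rows),
            "repeat_clickers": repeat_clickers(results),
            "department_click_rates": department_click_rates(results)}

if __name__ == "__main__":
    import json
    print(json.dumps(board_summary(RESULTS), indent=2))
```

Two design points: the report rate is tracked alongside the click rate, because a falling click rate with a flat report rate means staff have learned to ignore the mail rather than to raise it, which is not the "human sensor" behaviour Belani describes; and follow-up is keyed on repeat clickers across campaigns rather than on a single failure, so one unlucky click does not route someone into remedial training.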

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
