Security Awareness Training: Poor in UK, Better in US

AXELOS, a UK firm with strong ties to the UK government Cabinet Office, yesterday published a stinging criticism of business security awareness training in the UK. “The one-dimensional and outdated cyber security awareness learning provided by most UK organizations is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviors look like,” it reported.

This is all the more surprising since management is aware of the real threat level, and the importance of training: “Despite the almost universal belief (99%) among senior managers that information security awareness training is important to minimizing cyber security breaches, less than half that number (47%) are tailoring the learning to the jobs their people do.”

Only 31% use perhaps the most effective and relatively inexpensive training currently available: simulated phishing. Phishing, and especially spear-phishing, has been the starting point of nearly all major breaches over the last few years. A Wombat/Ponemon study last year calculated the average cost of a successful phishing attack to be more than $3.75 million.

Compare the 31% UK take-up to the 70% of companies that use simulated phishing, according to the US company Wombat’s report published earlier this year.

It seems that many companies prefer to rely on technology for their defense, without necessarily understanding the problem. According to Wombat’s figures, 99% of companies (not just UK) employ spam filters. Spam filters built on blocklists such as Spamhaus are excellent at catching spam, but are not very good at catching phishing. Spamhaus catches approximately 90% of malicious email, but needs to be bolstered by specific phishing lists such as those provided by SURBL. Together, Spamhaus and SURBL will catch 98% of all incoming mail that contains a malicious link (figures supplied by SecurityZONES, a supplier of both Spamhaus and SURBL).
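
The layering described above (a spam-oriented domain list plus a link-oriented list, with the second catching what the first misses) can be shown in code. The following is an added example, not code from the article, SecurityZONES, Spamhaus or SURBL. It extracts link domains from a message and asks each list whether the domain is listed; the DNS zone names follow each list's public documentation, but the lookup itself is replaced by a constructed in-memory resolver so that the code runs offline, and the sample messages and listed domains are constructed for illustration.

```python
"""Added example: layering a domain blocklist with a URI blocklist to catch
mail carrying malicious links. Not from the article; listings, mail and the
resolver are constructed."""
import re
from email import message_from_string
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Assumed zone names (from each list's public documentation): a domain is
# "listed" when <domain>.<zone> resolves to an address in 127.0.0.0/8.
DBL_ZONE = "dbl.spamhaus.org"      # Spamhaus Domain Block List (spam domains)
SURBL_ZONE = "multi.surbl.org"     # SURBL combined URI list (phishing/malware links)

Resolver = Callable[[str], Optional[str]]  # DNS name -> A record text, or None (NXDOMAIN)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Simplification: production
    filters use the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def link_domains(raw_message: str) -> Set[str]:
    """Registered domains of every http(s) link in the text parts of a message."""
    found: Set[str] = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        for match in URL_RE.finditer(payload.decode("utf-8", "replace")):
            found.add(registered_domain(match.group(1)))
    return found


def is_listed(domain: str, zone: str, resolve: Resolver) -> bool:
    """Listed if the zone answers with a 127.x address. Production code would also
    recognise each list's documented error return codes, which are not listings."""
    answer = resolve(f"{domain}.{zone}")
    return answer is not None and answer.startswith("127.")


def classify(raw_message: str, resolve: Resolver,
             zones: Iterable[str]) -> Tuple[str, Dict[str, Set[str]]]:
    """Return ("block" | "deliver", {zone: domains that zone listed}) for one message."""
    hits: Dict[str, Set[str]] = {zone: set() for zone in zones}
    for domain in link_domains(raw_message):
        for zone in hits:
            if is_listed(domain, zone, resolve):
                hits[zone].add(domain)
    verdict = "block" if any(hits.values()) else "deliver"
    return verdict, hits


def catch_rate(malicious_messages: List[str], resolve: Resolver,
               zones: Iterable[str]) -> float:
    """Fraction of known-malicious messages that a given set of lists would block."""
    zones = list(zones)
    blocked = sum(1 for m in malicious_messages if classify(m, resolve, zones)[0] == "block")
    return blocked / len(malicious_messages) if malicious_messages else 0.0


# Constructed stand-in for DNS: only these names "exist".
CONSTRUCTED_LISTINGS = {
    "spam-shop.example.dbl.spamhaus.org": "127.0.1.2",        # on both lists
    "spam-shop.example.multi.surbl.org": "127.0.0.8",
    "invoice-portal.example.multi.surbl.org": "127.0.0.8",    # phishing domain, SURBL only
}


def constructed_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_LISTINGS.get(name)


# Constructed sample mail: two malicious messages and one clean one.
MALICIOUS_MAIL = [
    "From: a@example.net\nTo: b@example.org\nSubject: deal\n\n"
    "Buy now: http://www.spam-shop.example/buy\n",
    "From: a@example.net\nTo: b@example.org\nSubject: invoice\n\n"
    "Please review https://login.invoice-portal.example/doc\n",
]
CLEAN_MAIL = "From: a@example.net\nTo: b@example.org\nSubject: hi\n\nSee https://intranet.example/wiki\n"

if __name__ == "__main__":
    print("DBL only:", catch_rate(MALICIOUS_MAIL, constructed_resolve, [DBL_ZONE]))
    print("DBL + SURBL:", catch_rate(MALICIOUS_MAIL, constructed_resolve, [DBL_ZONE, SURBL_ZONE]))
    print(classify(CLEAN_MAIL, constructed_resolve, [DBL_ZONE, SURBL_ZONE]))
```

Run against the constructed corpus, the spam list alone blocks half of the malicious mail and the two lists together block all of it; the clean message is delivered. The point is the structure, not the numbers: a URI list answers a different question (is this link known-bad?) from a spam list, which is why the article treats the second as a supplement rather than a replacement.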

But that is still not enough, since a single successful phish could lead to a major breach. That is why simulated phish training is so important. It trains staff, it highlights staff who may need additional training, and it provides automatic ‘training points’ for staff who fail the test.

Simulated phishing can be developed entirely in-house, or could be a function of external pentesting. Guillaume Valet, a pentester with French firm iTrust explains the latter: “They [clients] provide us with their employee email database and we create templates of supposedly ‘infected’ emails. The catch here is that once an employee clicks on the link or attachment included in the suspicious email, he or she stumbles upon an educational platform, explaining the damage that could have occurred if it was a real hacker.”

Two leading simulated phishing training companies are Wombat Security and PhishMe. Rohyt Belani, CEO and co-founder of PhishMe, believes that most current training is simply boring and skimmed through by bored employees. What people need is the sort of immersive training that comes from coping with simulated phishing attacks.

“With a behavioral conditioning program,” he explains, “organizations can check staff’s awareness by simulating attacks, congratulating success and provide follow-up materials for those found vulnerable. This reinforcement, provided at the point of susceptibility, will be far more memorable than a click-through training session or booklet received out of context. Conditioning employees to act as human sensors will greatly reduce the organization’s attack surface.”

Wombat told SecurityWeek in an email conversation, “We believe that for security awareness training to be effective, security teams need to continuously assess employee vulnerability to attack and knowledge of risky behaviors, educate employees with engaging content, and reinforce the correct behaviors by encouraging cyber-attack reporting or providing articles and posters. All throughout the cycle they should be measuring changes in behavior so that they can mark improvement, and adjust education to target the problem areas.”

That last point is the icing on the cake for simulated phish training: its success is measurable over time. It is one of the few training methods that can actually provide accurate metrics to the Board.
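
The cycle the article describes, from the iTrust description of lure links that land on an educational page, through the PhishMe point about follow-up material for those found vulnerable, to the Wombat point about measuring behavior change between rounds, fits in a small record-keeper. The following is an added example written for this page; it is not code from the article, PhishMe, Wombat or iTrust. Each recipient gets a lure link carrying an unguessable token, a click on that link is attributed to the person and they receive the educational page, a report to the security team is logged as the desired behavior, and each round yields a click rate, a report rate and the follow-up training list. The employee addresses, the landing URL and the two rounds are constructed assumptions.

```python
"""Added example: bookkeeping for a simulated-phishing round. Not the article's
nor any vendor's code; staff, landing URL and events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse
import secrets


@dataclass
class PhishRound:
    name: str
    landing_url: str                                       # assumed educational page
    tokens: Dict[str, str] = field(default_factory=dict)   # token -> employee
    clicked: Set[str] = field(default_factory=set)
    reported: Set[str] = field(default_factory=set)

    def enroll(self, employees: Iterable[str]) -> Dict[str, str]:
        """Issue one unguessable lure link per employee; returns employee -> link."""
        links: Dict[str, str] = {}
        for employee in employees:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = employee
            links[employee] = f"{self.landing_url}?t={token}"
        return links

    def record_click(self, clicked_url: str) -> Optional[str]:
        """Called by the landing page. Maps the token back to the person; unknown
        tokens (scanners, link previewers, guesses) are ignored, not counted."""
        token = parse_qs(urlparse(clicked_url).query).get("t", [None])[0]
        employee = self.tokens.get(token) if token else None
        if employee is not None:
            self.clicked.add(employee)
        return employee

    def record_report(self, employee: str) -> bool:
        """The employee forwarded the lure to the security team: the behaviour we want."""
        if employee not in self.tokens.values():
            return False
        self.reported.add(employee)
        return True

    def click_rate(self) -> float:
        return len(self.clicked) / len(self.tokens) if self.tokens else 0.0

    def report_rate(self) -> float:
        return len(self.reported) / len(self.tokens) if self.tokens else 0.0

    def follow_up_training(self) -> List[str]:
        """Staff who clicked and did not also report: they get the 'training points'."""
        return sorted(self.clicked - self.reported)


def improvement(earlier: "PhishRound", later: "PhishRound") -> Tuple[float, float]:
    """Change between rounds as (drop in click rate, rise in report rate); positive is good."""
    return (earlier.click_rate() - later.click_rate(),
            later.report_rate() - earlier.report_rate())


def run_demo() -> Tuple[PhishRound, PhishRound]:
    """Two constructed rounds over the same four employees."""
    staff = ["ann@corp.example", "bob@corp.example", "cy@corp.example", "dee@corp.example"]
    landing = "https://awareness.corp.example/oops"       # assumed educational page

    q1 = PhishRound("round-1", landing)
    links = q1.enroll(staff)
    q1.record_click(links["ann@corp.example"])
    q1.record_click(links["bob@corp.example"])
    q1.record_click(landing + "?t=not-a-real-token")       # unknown token: ignored
    q1.record_report("cy@corp.example")

    q2 = PhishRound("round-2", landing)
    links = q2.enroll(staff)
    q2.record_click(links["ann@corp.example"])
    q2.record_report("bob@corp.example")
    q2.record_report("cy@corp.example")
    return q1, q2


if __name__ == "__main__":
    first, second = run_demo()
    print(first.name, first.click_rate(), first.follow_up_training())
    print(second.name, second.click_rate(), second.follow_up_training())
    print("improvement (click drop, report rise):", improvement(first, second))
```

Two design points matter more than the arithmetic. The token is random rather than derived from the address, so nobody can manufacture a click for a colleague or enumerate the recipient list from the link, and an unknown token is dropped rather than counted, which keeps automated link scanners out of the metrics. The report rate is tracked alongside the click rate because, as the Wombat statement above puts it, reporting is the behavior the program is trying to reinforce; a round where clicks fall but reports stay flat is only half a success.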

Related: Phishing Attacks Hit the C-Suite With High Value Scams

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
