Concerning, isn’t it? No matter how much security budgets rise, the number of reported breaches only goes up. Back in 2004, the global market for cyber security was worth approximately $3.5 billion. By the end of 2017, it is expected to reach over $120 billion. That’s an increase of 3,329 percent. But during the same period, reported data breaches have gone through the roof. In 2016 alone, reported breaches rose by 40 percent, and there are no signs that this meteoric rise is going to stop anytime soon.
So what’s going on? Some of the best minds in the world are constantly looking for ways to mitigate cyber risk, so how come things only seem to be getting worse?
The Human Problem
If you’re a regular reader of security blogs, you’ll already have been exposed to the prevailing wisdom of the times: People are a security hole, and must be protected at all costs. And how do organizations respond to this? They invest tens or even hundreds of thousands of dollars in the latest technical security controls, doing everything in their power to ensure employees are never exposed to malicious or dangerous content.
Meanwhile, basic precautions such as security awareness training (SAT) are routinely shunned and underfunded. After all, while some form of SAT is required by every major compliance framework, nobody wants to “waste” their precious security budget on something that doesn’t work. Even industry legends have claimed that security awareness training is a “waste of resources” that would be better spent on technical controls.
But here’s the problem. No matter how hard you try (or how much you spend) you simply cannot totally protect your employees from malicious content. How do I know that? Simple: In over 90 percent of reported breaches, the attackers utilized phishing or another social engineering tactic at some stage, usually to gain an initial foothold within their target network.
And how does phishing work? It targets people. Now, of course, technical controls do play a part. The combination of a powerful spam filter and content scanner can catch as much as 98 percent of incoming phishing emails, which has a huge impact on your organization’s overall cyber risk profile.
But the remaining two percent that make it through pose a huge problem. After all, it only takes one unsuspecting employee to hand an attacker a foothold inside your network. So where does that leave us?
An Alternative To Awareness Training
As I’ve already alluded to, most security awareness training is poor. It’s boring, irrelevant, and really only exists to satisfy compliance frameworks. But here’s the thing. SAT isn’t bad because it’s underfunded. It’s bad because increasing security awareness is a terrible goal.
Does giving employees more information about security result in them making better security decisions? Of course it doesn’t. Just like giving the public more information about nutrition doesn’t reduce the obesity rate. No, if you want to reduce cyber risk at your organization, you’ll need to focus on a far more valuable goal: Improving security behaviors.
And how do you do that? By confronting the single biggest security threat around: Phishing.
Here Phishy Phishy
Email is ubiquitous in the modern workplace. The average business email account receives hundreds of messages per day, and people all over the world have learned to process incoming email in the quickest, most efficient way possible.
How then can you confront a threat that finds its way into your users’ inboxes? Most people, after all, treat all incoming messages equally, without stopping to think that they might be malicious. The answer is simple, if counterintuitive. Instead of dragging employees into security awareness briefings, bring the anti-phishing initiative to them.
How? By routinely constructing simulated phishing emails, and sending them to your own employees. Yes, you read that correctly. What better way to train users to identify phishing emails than to create your own, send them out each month, and track their responses?
Rules for Success
Now of course, if you want to see real, long-term results, there are a few important considerations to keep in mind. For one, this isn’t the type of program you can jump straight into without a backward glance.
But I can assure you (from first-hand experience) that if you apply this type of program with care and consistency, you will dramatically reduce your organization’s level of cyber risk.
1) Executive buy-in is essential
Naturally, with any new initiative, gaining buy-in from above is essential. But this isn’t the type of program that will solve all your problems overnight, and it’s also not a one-shot solution. No, this type of anti-phishing program is something that must be applied consistently over a long period of time.
Now, of course, you’ll start to see improvements very quickly, and that’s great. But to see real, long-term success (and keep it) you’ll need to persevere. And as you’ve no doubt gathered, that means you’ll need to retain funding for the program year after year. To ensure this happens, you’ll need to develop a strong business case, routinely track the program’s ROI, and provide clear performance reports.
2) Make success as easy as possible
When confronted with a suspected phishing email, what do you want your users to do? Delete it? Certainly, that would be better than following its instructions, but it’s not the best possible result. No, what you really want is for your users to report suspected phishing emails, so that you can:
- Quarantine similar emails
- Add rules to your technical email controls to block similar emails in future
- Build up a pool of real-world source material to inform creation of future simulations
And for that to be possible, you’ll need to make the reporting process as easy as possible. To that end, I strongly recommend adding a simple “report phishing email” button directly to your users’ email client.
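The three uses of a reported email listed above all start with the same step: pull the indicators (sender domain, linked hosts, subject) out of the report and use them to find the sibling messages that landed in other inboxes. The following Python is an added illustration of that step and is not code from the original article or from any particular email security product. The reported message and the three-message mailbox are constructed for the example, and the `example-support.net` and `mail-notify.example.org` domains are placeholders, not real indicators.

```python
"""Turn one reported phishing email into indicators and find similar messages.

Added example: extracts sender domain, URL hosts and a normalised subject from a
reported message, then scores every other message in a (constructed) mailbox
against those indicators. Matches are candidates for quarantine and for a
blocking rule; a human should still review them before acting.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the message a user reported with the "report phishing" button.
REPORTED = """From: "IT Helpdesk" <helpdesk@example-support.net>
To: alice@example.com
Subject: Urgent: password expires today

Your password expires today. Reset it now: http://example-support.net/reset?u=alice
"""

# Constructed sample mailbox: two siblings of the reported mail and one benign message.
MAILBOX = [
    # same campaign, different recipient, same lure host
    'From: "IT Helpdesk" <helpdesk@example-support.net>\nTo: bob@example.com\n'
    'Subject: URGENT: Password expires today\n\nReset here: http://example-support.net/reset?u=bob\n',
    # different sender and subject, but it links to the same phishing host
    'From: "Payroll" <payroll@mail-notify.example.org>\nTo: carol@example.com\n'
    'Subject: Updated payslip\n\nView it: https://example-support.net/payslip\n',
    # legitimate internal mail, must not match
    'From: "Dana" <dana@example.com>\nTo: alice@example.com\n'
    'Subject: Lunch today?\n\nMenu: https://intranet.example.com/menu\n',
]

URL_RE = re.compile(r'https?://[^\s"<>]+')


def normalise_subject(subject: str) -> str:
    """Lower-case, strip Re:/Fwd: prefixes and collapse whitespace so minor edits still match."""
    s = re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.I)
    return re.sub(r"\s+", " ", s).lower()


def extract_indicators(raw: str) -> dict:
    """Sender domain, set of linked hosts and normalised subject from one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return {
        "sender_domain": sender_domain,
        "url_hosts": hosts,
        "subject": normalise_subject(str(msg["Subject"] or "")),
    }


def match_reasons(indicators: dict, raw: str) -> list:
    """Why (if at all) a mailbox message looks like the reported one."""
    other = extract_indicators(raw)
    reasons = []
    if indicators["sender_domain"] and other["sender_domain"] == indicators["sender_domain"]:
        reasons.append("sender domain " + other["sender_domain"])
    shared_hosts = other["url_hosts"] & indicators["url_hosts"]
    if shared_hosts:
        reasons.append("links to " + ", ".join(sorted(shared_hosts)))
    if indicators["subject"] and other["subject"] == indicators["subject"]:
        reasons.append("same subject")
    return reasons


def find_similar(reported: str, mailbox: list) -> list:
    """Indices of mailbox messages that share at least one indicator, with the reasons."""
    indicators = extract_indicators(reported)
    hits = []
    for i, raw in enumerate(mailbox):
        reasons = match_reasons(indicators, raw)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in find_similar(REPORTED, MAILBOX):
        print(f"quarantine candidate #{index}: {'; '.join(reasons)}")
```

The shared URL host is what catches the second message even though it came from a different sender with a different subject, which is the usual shape of a campaign that rotates sending domains but keeps one landing page. A sender-domain match on its own is the weakest of the three signals, since attackers register lookalike domains cheaply, so treat a single-indicator hit as something to review rather than something to block outright.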
3) Train directly at the point of failure
When you launch this type of anti-phishing training program, you’ll quickly notice two things about your users. First, they improve very quickly, but second, they fail a lot to start with. But here’s the thing: Failure isn’t a bad thing.
Any time your users correctly identify a simulation, they haven’t really learned anything… they’ve just shown you what they can do. But when they fail… That’s an opportunity to teach them something.
Each time one of your users fails a simulation they should immediately be directed to a multimedia training page, which will provide them with information about the specific type of phishing email they have just seen. Then, a week or so later, you should send a follow-up simulation of the same type, giving the user an opportunity to put their new skills to the test.
In my experience, this approach is tremendously effective at changing security behaviors, as it provides training at precisely the right moment, and only for those users who actually need it.
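Rules 2 and 3 together describe a small bookkeeping problem: each simulation needs a per-recipient token so a click or a report can be attributed to one person, each person needs an outcome, and anyone who failed needs the training page now and a re-test of the same template about a week later. The Python below is an added example of that bookkeeping and is not code from the original article or from any commercial simulation platform. The campaign, user list and tracking host `sim.example.internal` are made up for the example, and the "training page" is represented only as a path.

```python
"""Phishing simulation tracker with point-of-failure follow-ups.

Added example. Each recipient gets an unguessable token embedded in the lure
link; events (click, report, credential submission) arrive keyed by that token,
so nobody can be blamed for someone else's click. Failures schedule a same-type
re-test FOLLOW_UP_DAYS later, which is the "train at the point of failure" loop.
"""
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

# Any of these means the lure worked; a later "reported" does not undo it.
FAIL_EVENTS = {"clicked", "submitted_credentials", "opened_attachment"}
FOLLOW_UP_DAYS = 7
TRACKING_BASE = "https://sim.example.internal/t/"  # hypothetical landing host


@dataclass
class Campaign:
    name: str
    template: str            # e.g. "credential-harvest", "invoice-attachment"
    sent_on: date
    tokens: dict = field(default_factory=dict)   # token -> user
    events: dict = field(default_factory=dict)   # user  -> set of event names


def launch(name: str, template: str, users: list, sent_on: date) -> Campaign:
    """Create a campaign and mint one random token per recipient."""
    campaign = Campaign(name, template, sent_on)
    for user in users:
        token = secrets.token_urlsafe(16)
        campaign.tokens[token] = user
        campaign.events[user] = set()
    return campaign


def tracking_url(campaign: Campaign, user: str) -> str:
    """The link that goes into this user's copy of the simulated email."""
    token = next(t for t, u in campaign.tokens.items() if u == user)
    return TRACKING_BASE + token


def record(campaign: Campaign, token: str, event: str) -> str:
    """Attribute an event to the user behind the token; unknown tokens are rejected."""
    user = campaign.tokens.get(token)
    if user is None:
        raise ValueError("unknown tracking token")
    campaign.events[user].add(event)
    return user


def outcome(campaign: Campaign, user: str) -> str:
    """failed > reported > ignored. A click followed by a report is still a failure."""
    events = campaign.events[user]
    if events & FAIL_EVENTS:
        return "failed"
    if "reported" in events:
        return "reported"
    return "ignored"


def metrics(campaign: Campaign) -> dict:
    """Per-campaign counts plus the two rates worth putting in the executive report."""
    counts = {"failed": 0, "reported": 0, "ignored": 0}
    for user in campaign.events:
        counts[outcome(campaign, user)] += 1
    total = len(campaign.events) or 1
    return {**counts, "failure_rate": counts["failed"] / total,
            "report_rate": counts["reported"] / total}


def follow_ups(campaign: Campaign) -> list:
    """Training page now and a same-template re-test in FOLLOW_UP_DAYS for everyone who failed."""
    return [
        {"user": user,
         "training_page": "train/" + campaign.template,
         "retest_template": campaign.template,
         "retest_on": campaign.sent_on + timedelta(days=FOLLOW_UP_DAYS)}
        for user in campaign.events
        if outcome(campaign, user) == "failed"
    ]


if __name__ == "__main__":
    c = launch("q1-helpdesk", "credential-harvest", ["alice", "bob"], date(2017, 3, 1))
    print(tracking_url(c, "alice"))
    print(metrics(c))
```

Two design points matter more than the rest. The token is random rather than a hash of the username so that a curious user cannot forge another person's click, and failure takes precedence over reporting so that the metrics do not flatter someone who clicked first and reported afterwards; the report is still good behaviour, but it is the click that would have given an attacker their foothold.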
Keep On Keeping On
At this point, it’s important that you understand something about the type of program I’ve described here. It’s not an overnight solution, and it’s not something you can do once and then shelve if you want to see real results.
No, while you will certainly see great results within just a few months, this type of approach really must be applied consistently over the long term. If you suddenly decide to shelve the program a year down the line, you’ll soon find that your users are back to their bad habits, no matter how good your technical controls are.
At the start of this article, I explained that tech isn’t enough to secure your organization over the long term. But here’s the thing: Neither is training. After all, people make mistakes. They aren’t machines, and they can’t be expected to behave like one. That’s why, as much as technology is far from perfect, it’s also completely necessary to the security of your organization.
I would never claim that a program like the one I’ve described here could replace the need for sensible security controls. No, powerful cyber security isn’t about one or the other, it’s about both technology and a highly trained workforce. So if you’re serious about securing your organization against cyber attacks, you’ll keep that fact right at the front of your mind.
Image from https://www.arl.army.mil/www/default.cfm?article=2670