There has been much heated debate recently, at security conferences like RSA and by Bruce Schneier on his security blog, around the effectiveness of security awareness training and its measurable benefits to an organization. I recently had the privilege of discussing with top chief security officers (CSOs) and security leaders how security awareness training and the use of simulated phishing attacks can help companies educate employees on how to avoid growing cybersecurity threats.
Phishing, and the more targeted and sophisticated spear-phishing, is the weapon of choice for the modern cybercriminal. It is used by the common criminal for identity theft, and the more organized hacker for data and intellectual property theft. There is no foolproof technological defense; and contemporary thought focuses now on training the user to recognize and resist targeted social engineering.
The Sophos 'Security Threat Report 2013' shows that 85% of the information security professionals surveyed support the use of simulated phishing attacks for training employees. The report notes that the key is 'being in the moment'. Being in the moment makes learning very timely and more relevant. As we all know, acknowledging a mistake is a powerful motivator for action.
If done carefully, simulated attacks have two major benefits. First, they can shock complacent staff into realizing how vulnerable to social engineering they really are, and through that keep them on their toes and improve overall security. Second, they open a valuable communications channel between users and security staff. As one senior security director from a major entertainment company said: "It helps people understand that they can report phishing and other malicious attacks to their IT department." He added, "A side benefit is that it creates a conversation between IT security folks and employees – common ground."
The biggest concern these security leaders brought up about simulated attacks was the ethics of tricking users for training purposes. This debate was addressed in many ways by these esteemed security leaders.
The group pointed out that it doesn't mean the security department should just start attacking the company staff to see how vulnerable they are. The program needs to be framed correctly.
This highlights the biggest difficulty in formulating a simulated attack training strategy. The general feeling is that you cannot forewarn staff of a simulation because it would defeat the purpose of conducting one; but at the same time, it should not be done in a vacuum.
There are two potential problems. First, as noted by a security manager from a leading electronics manufacturer, staff can "tend to think they are being spied on or not trusted". This could lead to an unhappy workforce; and an unhappy workforce is not a productive one.
Second, said another CSO, "it's possible that an individual might feel singled out for the wrong reasons". This can backfire on the company if that person subsequently uses the issue as an 'example' of victimization. "But this is where communication can help resolve those issues."
Here an important point must be raised, one that all the security leaders I talked with agreed on. When an individual is first hired, he or she needs to be educated on how phishing simulations will be used during their employment. Employees will thus know they will be 'phished', but they won't know when – and that in itself will keep staff on their toes.
That's prior warning; but post-event explanation is also important. "Employees need to understand that the purpose of the training is to strengthen the company's security posture", said one security evangelist. "A landing page with further explanation may be one way of doing that."
The bottom line is that security professionals must communicate to staff that this is a joint effort between the employee and the security department. You need to set the right expectation: that you are trying to help the company, not frame individuals. The smarter everyone is, the more secure the company will be. And the more secure the company, the more secure the job.
Although using simulated attacks as part of user awareness training is a relatively new approach and slightly contentious, it's proving to be very effective. Data from Wombat Security's customers are showing this. Almost 35% of employees at a Fortune 50 company fell for one simulated phishing attack, but after completing anti-phishing focused interactive training modules, less than 6% fell for a second simulated attack – which demonstrates an 84% decrease in susceptibility.
Let's be realistic. Cybercriminals are not slowing down and they won't quit phishing employees – it's proven to be a highly effective tactic.
If simulated attacks are done openly and for the benefit of the company rather than the detriment of the staff, it can be a very engaging process rather than something to be feared. The overall benefits of higher awareness and improved retention by staff, together with the introduction of meaningful metrics into training, makes simulated attacks one of the most cost-effective forms of awareness training available.
It's time to make a cybercriminal's job a little harder, with users as defenders against attack.