Spam filters, blacklists, firewalls, and other technical safeguards do not stop every phishing email from reaching end users; that is not in dispute. Organizations that want the best chance of reducing successful attacks from the wild, and the malware and ransomware infections that accompany them, must educate their employees to recognize, avoid, and report phishing emails.
According to Mr. Ferrara, “awareness and training are two sides of the same coin, but they are not one and the same. Being aware that phishing threats exist is not the same as knowing how to defend against social engineering attacks. Simulated phishing attacks, notification emails and alerts are absolutely valuable and useful — but on an awareness front. They aren’t a substitute for education, and they will not, on their own, drive the level of behavior change that training can.”
Ferrara recommends that anti-phishing education programs pair awareness efforts with in-depth education for the best results. He also recommends that organizations look for opportunities to deliver interactive security training rather than relying on presentations or videos. “Most of the cyber threats we’re seeing in play now are ones that end users physically interact with. Phishing emails, social engineering calls, employee impersonations, risky applications…these are just some of the risks that employees are encountering. Because the attackers are coming directly to end users, it’s critical that they learn the skills required to identify and avoid these attacks,” Ferrara said. “Being told what to do is far less effective than being shown what to do and getting hands-on practice that can then be applied in day-to-day situations.”