Does security awareness training actually help? When it comes to phishing and spear-phishing attacks, many executives appear to think it does make a difference.
Many organizations, including EMC, the Department of Defense, and even defense contractor Northrop Grumman, have gone on the record that they run phishing simulations to improve end users' ability to recognize the signs of an attack. These simulations train users to identify targeted attacks and not to click on or respond to them. Northrop Grumman's latest exercise involved sending fake phishing messages to 68,000 employees to track how many clicked on the link, deleted the email, or reported the threat to IT, Michael Papay, Northrop Grumman's chief information security officer, said at the National Institute of Standards and Technology's day-long Cyber-Security Framework Workshop on April 3.
Northrop Grumman and EMC are clearly not alone, as several CSOs and security experts discussed how simulated phishing attacks could be an effective security awareness and training tactic in a new report from Wombat Security Technologies. The executives in the report represented several major vertical sectors, including finance, manufacturing, health, and entertainment.
Several prominent voices in the security industry are vocal critics who believe training users to recognize security threats won't help organizations solve the cyber-security problem. During the RSA Security Conference in February, Bruce Schneier dismissed security training for end users while on a panel and said the reliance on training just glosses over the failure of the security industry to innovate and come up with actual solutions that would work. "I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere," Schneier wrote on his Schneier on Security blog recently.
Even in organizations that focus on user training, only a small portion believe training had any "measurable impact," Invincea CEO Anup Ghosh told SecurityWeek in previous interviews. Users will always be the primary targets, but organizations need to "give up on the idea of training this problem away," Ghosh said.
Wombat's report suggests that many organizations are nevertheless exploring simulated attack training to help users make better security decisions to keep the organization safe.
Phishing and spear phishing are the "weapon of choice" for cyber-criminals and for sophisticated attackers interested in stealing data and intellectual property, Perry Carpenter, a former Gartner security analyst now working as a security expert in the financial sector, said in a statement accompanying the report. Since there is no "fool-proof technological defense," many organizations are focusing on training users to recognize and resist targeted social engineering, Carpenter said.
Simulated attack training provides employees with immediate feedback and learning opportunities, according to the report. In one example, employees at a Fortune 50 organization received a "your package has been delivered" phishing email. Employees who fell for the attack and clicked on the link immediately received a just-in-time training message and were automatically enrolled to take additional training to recognize phishing.
Done right, this type of training shocks complacent staff into realizing how vulnerable they are to social engineering, and opens up a line of communication between end-users and security staff, the report said.
"Being in the moment makes learning very timely, it makes it more relevant," an IT security director said in the report.
The security executives in Wombat's report warned against just sending attack emails, saying there needs to be a specific training strategy so that the simulations are "framed correctly." Executives recommended telling employees that they would receive simulated messages, but not when. Users will thus know that they will be "phished, but they won't know when," and that in itself will keep staff on their toes, according to the report.
Simulated attack training offers organizations four main benefits. It increases specific awareness of the phishing and spear-phishing threat within the organization, as it "helps employees realize that they may not be as informed as they might think they are," an executive said in the report. It also improves general awareness of security, as users become more receptive to other forms of training. The exercise also highlights the fact that the weakest link in security is the user: it helps organizations realize that investing heavily in intrusion detection doesn't help much if, for example, a third of the workforce is clicking on easily recognizable phishing emails.
Finally, organizations gain actual metrics to understand whether the training has worked or not. "Generally speaking, the Security team only learns that training hasn't worked when it fails – and that's too late," the report said.
In the case of the Fortune 50 organization mentioned earlier, almost 35 percent of recipients fell for the first simulated phishing attack; they received immediate feedback explaining why the message was not legitimate and were directed to additional training. In a follow-up simulation, less than 6 percent were tricked, which the report describes as an 84 percent decrease in susceptibility.
"Simulated attacks allow you to track the effectiveness of your security training over time, without having to wait for an actual breach, and to target the areas or people that most need additional training," the report found.
For organizations interested in simulated attack training, Wombat's report (PDF) offers a few suggestions on how to develop the testing strategy, including getting internal buy-in from executives across the organization and planning a continuous program with regularly scheduled tests. Organizations should assess the existing level of user awareness before starting the simulations and use both assessment and test results to prioritize future training sessions.
The security team needs to provide relevant training materials to reinforce the lesson learned from the simulated attack, and to review the test results to determine when the next round of tests should occur, according to the report.
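The measurement loop the report describes (track who clicked, deleted or reported each simulated message, compare rounds, and single out the people who most need follow-up training) is straightforward to build. The following is an added example written for this page, not code from Wombat or from any organization named in the report. It assumes a tracking link that carries a per-recipient, per-campaign HMAC token, a landing page and "report phish" button that append one line per event to a log, and the hypothetical host `awareness.example.test`; the recipient list, signing key and event log are constructed inline so it runs offline.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

# Hypothetical signing key; in a real deployment it lives in a secrets store.
SIGNING_KEY = b"example-campaign-key-change-me"


def make_token(campaign_id: str, recipient: str) -> str:
    """Per-recipient, per-campaign token embedded in the tracking link.

    An HMAC rather than a sequential id: a click cannot be attributed to
    someone by guessing their id, and a token from round 1 does not verify
    in round 2, so it cannot be replayed across rounds.
    """
    msg = f"{campaign_id}:{recipient}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()[:24]


def tracking_link(campaign_id: str, recipient: str,
                  base: str = "https://awareness.example.test/t") -> str:
    """The link placed in the simulated phishing email (hypothetical host)."""
    return f"{base}/{campaign_id}/{make_token(campaign_id, recipient)}"


def resolve_token(campaign_id: str, token: str, recipients) -> Optional[str]:
    """Map a token seen on the landing page back to the recipient it was issued to."""
    for r in recipients:
        if hmac.compare_digest(make_token(campaign_id, r), token):
            return r
    return None  # unknown or forged token: not attributable


RECIPIENTS = ["alice", "bob", "carol", "dave", "erin",
              "frank", "grace", "heidi", "ivan", "judy"]


def _event(campaign: str, recipient: str, action: str) -> str:
    """Build one constructed log line: '<campaign> <token> <action>'."""
    return f"{campaign} {make_token(campaign, recipient)} {action}"


# Constructed event stream for two rounds, r1 and r2. In practice these lines
# come from the landing page and report-button server logs.
SAMPLE_LOG = "\n".join([
    _event("r1", "alice", "click"),
    _event("r1", "bob", "click"),
    _event("r1", "carol", "report"),
    _event("r1", "dave", "click"),
    _event("r1", "dave", "report"),   # clicked first, then reported it
    _event("r1", "erin", "click"),
    _event("r1", "frank", "report"),
    _event("r2", "bob", "click"),     # repeat clicker
    _event("r2", "alice", "report"),
    _event("r2", "carol", "report"),
    _event("r2", "erin", "report"),
    _event("r2", "grace", "report"),
    "r2 000000000000000000000000 click",  # forged token: must be ignored
])


def summarize(log: str, recipients, campaigns):
    """Per-campaign click/report rates and the set of clickers, from the raw log."""
    clicked = defaultdict(set)
    reported = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        campaign, token, action = parts
        if campaign not in campaigns:
            continue
        who = resolve_token(campaign, token, recipients)
        if who is None:
            continue
        if action == "click":
            clicked[campaign].add(who)   # a set, so repeat clicks count once
        elif action == "report":
            reported[campaign].add(who)
    n = len(recipients)
    return {c: {"clicked": sorted(clicked[c]),
                "click_rate": len(clicked[c]) / n,
                "report_rate": len(reported[c]) / n}
            for c in campaigns}


def susceptibility_drop(before: float, after: float) -> float:
    """Relative decrease in click rate between two rounds."""
    return 0.0 if before == 0 else (before - after) / before


def repeat_clickers(summary, campaigns):
    """Recipients who clicked in every listed round: first in line for follow-up training."""
    sets = [set(summary[c]["clicked"]) for c in campaigns]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, RECIPIENTS, ["r1", "r2"])
    for c in ("r1", "r2"):
        print(c, f"click {s[c]['click_rate']:.0%}, report {s[c]['report_rate']:.0%}")
    print("drop:", f"{susceptibility_drop(s['r1']['click_rate'], s['r2']['click_rate']):.0%}")
    print("repeat clickers:", repeat_clickers(s, ["r1", "r2"]))
```

Two caveats a practitioner should keep in mind. The token attributes a click to the person the mail was sent to, so a link forwarded to a colleague still counts against the original recipient; and the report rate is often the more useful number to trend, because the goal is not only fewer clicks but more people telling the security team early.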
"You need to set the right expectation that you are trying to help the company, not frame individuals. The smarter everyone is the more secure the company will be," one executive said in the report.
The complete report is available here.