wombatsecurity | April 09, 2013

Leading CSOs and Security Leaders Debate Simulated Phishing Attacks in New Report from Wombat Security Technologies

Group of Security Experts across Multiple Industries Discuss Practical Ways to Leverage Simulated Attacks to Improve Security Awareness Training

Pittsburgh, PA – April 9, 2013 – Wombat Security Technologies (Wombat), a leading provider of cyber security awareness and training solutions, today released a new report from leading Chief Security Officers (CSOs) and security experts that discusses how simulated phishing attacks can be an effective security awareness and training tactic to help companies educate employees on how to avoid growing cyber security threats. This report gathers and analyzes the front-line observations of security leaders from the major vertical sectors – such as finance, manufacturing, health, and entertainment – who have used a relatively new approach to user awareness: simulated attack training. The report discusses how practicing CSOs from Fortune 500 companies maximize the strengths and avoid the pitfalls of what can be a controversial, but is a very effective, method of training users to avoid being phished: learning by experience.

“Phishing, and the more targeted and sophisticated spear-phishing, is the weapon of choice for the modern cyber-criminal and is used by the more organized hacker for data and intellectual property theft,” said Perry Carpenter, former security awareness analyst from Gartner who is now working as a security expert in the financial sector. “While there is no foolproof technological defense, contemporary thought now focuses on training the user to recognize and resist targeted social engineering.”

The purpose of the CSO discussion was to exchange the ideas and experience of senior security leaders on the implementation and use of simulated attack training within a continuous training methodology. More than anything else, the report shows how simulated attack training can introduce measurement into training – not only is it effective, its effectiveness can be measured and monitored to allow the most cost-efficient training for the highest risk people and topics.

The report concludes with a checklist on how to implement and manage simulated attack training as part of a continuous training methodology, including:

  • Get internal buy-in from execs across departments. Involve the executive team early through phishing attacks or third-party advice (analyst firms or industry contacts)
  • Assess the existing level of user awareness prior to starting a new simulated attack methodology
  • Use the upfront assessment data, combined with new data from the simulated attacks, to prioritize future training
  • Provide training that utilizes learning science principles to lengthen retention by the ‘students’
  • Review the data returned from simulated attacks and training in order to determine the next round of training and assessments that should be scheduled
  • Ensure that any awareness training program is a continuous process: heightened user awareness loses value if you don’t reinforce learned concepts over time

“There is strong evidence that continuous security awareness training that includes simulated attack training works to significantly reduce risk,” said Joe Ferrara, President and CEO of Wombat Security Technologies. “As it shows in the report we have seen susceptibility reductions of over 80% when comparing an initial mock attack to subsequent attacks when in-depth training is completed in between the attacks.”

To request a copy of Wombat’s report titled “A Security Officer Debate: Are Simulated Attacks an Effective Approach to Security Awareness and Training?” please visit /phishing_attack_report.

About Wombat Security Technologies

Wombat Security Technologies helps organizations combat cyber security threats with uniquely effective software-based training solutions for employees. Wombat offers fully automated, highly scalable software-based training solutions, built on learning science principles. They offer mock attacks with brief embedded training, as well as a full complement of 10-minute software training modules. Wombat’s training solutions have been shown to reduce employee susceptibility to attack by over 80%. Wombat is helping Fortune 1000 customers, large government agencies and small to medium businesses in segments such as finance, banking, higher education, retail, technology, energy, insurance, and consumer packaged goods strengthen their cyber security defenses. For more information visit www.wombatsecurity.com or contact Lorraine Kauffman-Hall at 704-882-0443 or lhall@attainmarketing.com.