Cybercriminals are good at creating phishing and spear-phishing email scams, but they wouldn't get anywhere without someone opening their emails. Recent reports have indicated that over 90% of security breaches are the result of human error, predominantly resulting from phishing and spear-phishing attacks. Most organizations today provide some sort of security-awareness training for employees. But is it effective?
Security training certainly needs to increase staff security awareness; but more importantly, it needs to change employee behavior and help create a security-minded culture. So how do you know whether security training is changing behaviors?
The short answer is phishing testing!
Phish-prone Tests in the Enterprise
Security awareness testing shouldn’t just be about having employees answer multiple-choice questions at the end of a training module. Phishing testing is a friendly attack on your employees that mimics the tactics of the hacking community. The difference is that it’s a non-malicious, “safe” attack that measures the effectiveness of security training. Testing needs to evaluate changes in behaviors.
This sort of testing can evaluate an employee’s real-time awareness of spam, phishing, spear-phishing, malware, ransomware, and social engineering mechanisms aimed at tricking them into acting on malicious emails. Sending and tracking of simulated phishing and spear-phishing emails to employees regularly is generally accepted as a good real-time test, often referred to as phish-prone testing.
Some phish-prone testing systems can provide real-time feedback to employees when they click or report phishing emails. Clicking on a simulated phishing email can direct them to a video that will help them identify malicious emails in the future. When they report it, the systems provide positive feedback.
Testing is a valuable tool to develop metrics and to track trends over time to determine if behaviors are changing. Organizations also need to conduct testing in conjunction with routine training to educate staff on the latest techniques of which to be wary.
5 Steps for Creating Effective Tests
To be able to effectively track your organization’s path to a secure culture you need to take an iterative approach of testing and training. Steps on creating effective tests are:
- Complete baseline testing prior to training.
- Train your users on a regular basis and track training module completion.
- Phish test users with simulated phishing and spear-phishing attacks and track the click and open rates.
- Provide positive reinforcement for staff that complete training and recognize malicious emails.
- Monitor and report metrics to management on a regular interval.
Using this approach, phish-prone metrics (the percentage of users that click) show that initial baseline testing has a 30% click rate; after three months of training this drops to 15%, and after one year it drops to 2% of staff clicking on the simulated phishing emails, according to the “2019 Phishing By Industry Benchmarking” report by KnowBe4.
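The five steps above amount to a small measurement loop: record what each recipient did with each simulated email, turn that into click, open and report rates per campaign, compare each campaign with the baseline, and hand management a trend rather than a single number. The script below is an added example written for this article, not the article's own tooling nor a KnowBe4 product; the campaign names, user ids and outcomes are all constructed for illustration, so its rates are not the benchmark figures quoted above. It also lists repeat clickers, which is meant as input for extra coaching, in line with the point that reprimands are counterproductive.

```python
from collections import Counter, defaultdict

# Constructed sample data: three simulated-phishing campaigns sent to the same
# ten users. The per-user entry is the highest-impact thing the user did;
# anyone not listed simply ignored the message.
USERS = [f"u{n:02d}" for n in range(1, 11)]

CAMPAIGNS = {  # campaign name -> (send date, {user: action})
    "baseline": ("2023-01-10", {"u01": "clicked", "u02": "clicked", "u03": "clicked",
                                "u04": "opened", "u05": "opened",
                                "u06": "reported", "u07": "reported"}),
    "month3":   ("2023-04-11", {"u01": "clicked", "u02": "opened", "u03": "reported",
                                "u06": "reported", "u07": "reported", "u08": "reported"}),
    "month12":  ("2024-01-09", {"u01": "opened", "u02": "reported", "u03": "reported",
                                "u04": "reported", "u05": "reported", "u06": "reported",
                                "u07": "reported", "u08": "reported"}),
}


def build_events(campaigns, users):
    """Expand the compact campaign table into one (campaign, user, action) event
    per message sent, which is the shape a phishing-simulation export usually has."""
    events = []
    for name, (_sent_on, actions) in campaigns.items():
        for user in users:
            events.append((name, user, actions.get(user, "ignored")))
    return events


def campaign_metrics(events):
    """Per-campaign counts and rates. A click implies the message was opened,
    so clicks are counted in the open figure as well."""
    totals = defaultdict(lambda: {"sent": 0, "opened": 0, "clicked": 0, "reported": 0})
    for campaign, _user, action in events:
        t = totals[campaign]
        t["sent"] += 1
        if action in ("opened", "clicked"):
            t["opened"] += 1
        if action == "clicked":
            t["clicked"] += 1
        if action == "reported":
            t["reported"] += 1
    metrics = {}
    for campaign, t in totals.items():
        metrics[campaign] = dict(t,
                                 click_rate=t["clicked"] / t["sent"],
                                 open_rate=t["opened"] / t["sent"],
                                 report_rate=t["reported"] / t["sent"])
    return metrics


def phish_prone_trend(metrics, baseline="baseline"):
    """Change in click rate, in percentage points, of every campaign relative to
    the baseline campaign; negative numbers mean behaviour is improving."""
    base = metrics[baseline]["click_rate"]
    return {name: round((m["click_rate"] - base) * 100, 1)
            for name, m in metrics.items() if name != baseline}


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: candidates for
    additional, positively framed training rather than reprimand."""
    clicks = Counter(user for _campaign, user, action in events if action == "clicked")
    return sorted(user for user, n in clicks.items() if n >= min_clicks)


def management_report(metrics, trend):
    """Plain-text summary lines suitable for a periodic report to management."""
    lines = []
    for name, m in metrics.items():
        change = f"{trend[name]:+.1f} pts vs baseline" if name in trend else "baseline"
        lines.append(f"{name:<9} sent={m['sent']:>3} click={m['click_rate']:.0%} "
                     f"open={m['open_rate']:.0%} report={m['report_rate']:.0%} ({change})")
    return lines


EVENTS = build_events(CAMPAIGNS, USERS)

if __name__ == "__main__":
    metrics = campaign_metrics(EVENTS)
    trend = phish_prone_trend(metrics)
    print("\n".join(management_report(metrics, trend)))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Report rate is tracked alongside click rate on purpose: as training takes hold, the healthy pattern is clicks falling while reports rise, and a campaign where both fall usually means the lure was simply ignored rather than recognized.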
Even the best-trained employees are human and can make mistakes by clicking on a well-crafted phishing email. The goal of testing is to track, adjust, and improve the training strategy. It also provides insights for management on the effectiveness of the investment in security training, which you can compare with other companies in your industry. Some organizations may feel the need to reprimand employees that click on simulated phishing emails. This has proven to be counterproductive.
Making Time for Training
Training modules are often low on the priority list, as employees are busy doing their jobs. The goal is to positively reinforce employees that do take the training. We’ve seen pizza lunches, gamification, and other perks work well to reward employees for participating in security training. Seeing these perks motivates their peers to put a higher priority on their own training.
Security training is never going to be something your employees sit down and binge-watch on a Saturday evening; however, it doesn’t have to be boring. There are many cost-effective sources of engaging and interesting training content, some that are almost like a Netflix video series with good acting and high-production quality. Engaging, well-produced training content will improve retention and make it easier for employees to put training higher on their priority list.
In conjunction with testing and training activities, it’s advantageous to strengthen your organization’s detection and response capabilities. Properly trained employees will be able to identify malicious emails and should have a simple way of reporting these emails to the security team. A button within the email application can simplify this reporting.
Staff also need to know how to respond if they do make the mistake of clicking on a malicious email. Typically, this would be to shut down their computer and report the event to the security team. The security team needs to have a response or treatment plan that deals with the event and gets the employee back to work as quickly as possible.
The overall goal is to change employee behaviors and develop a culture of security within the organization. Tracking the level of organizational vulnerability is an effective way to help make improvements and adjustments to training programs. Continuous iterative testing and training will improve "human" firewalls over time — reducing security risks and improving your IT security's defense.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.