In recent years, many good things have happened in the cybersecurity world. In particular, organizations in all industries and all parts of the world have come to realize that getting serious about cybersecurity is no longer optional.
Despite this, the number of serious breaches reported each year has not fallen. In fact, quite the opposite is true.
Why? I could give you dozens of answers.
I could talk about the constant evolution of malware and other attack vectors. I could write about the difficulties faced by law enforcement agencies when attempting to apprehend known criminal groups across international borders.
I could explain why, no matter how technically sound your network, you’ll never be prepared for the latest zero-day threats.
In reality, though, none of these adequately explain the real issue.
Why Common Wisdom Will Hurt Your Organization
Before we continue, keep one thing firmly in mind: nearly all cyber-attacks are motivated by profit. Equally, if there is money to be made from attacking your organization, you can be sure someone will try.
Common wisdom suggests that the best way to defend your organization against these attacks is to implement a series of technical controls designed to prevent unauthorized access, block malicious activity and identify incoming attacks.
But there’s a problem.
Look closely at the reported breaches of the past decade and you’ll notice something interesting: a large majority made use of phishing or another social engineering technique at some point in the attack chain.
Why? Because, on the whole, fooling people is much easier than fooling machines.
If an attacker can trick a human into handing over credentials or running their code, it won’t matter how good your technical controls are. Once an attacker is inside your network using legitimate credentials, your perimeter never sees a break-in, only a login, and the hard part is already done.
Now, you might be thinking that there are plenty of technical controls designed to mitigate the impact of a malicious email. And that’s true, but no matter how good your spam filters and content scanners might be, they will never prevent 100% of malicious emails from reaching your users’ inboxes.
The only way forward, then, is to accept one simple truth – technology isn’t enough.
The End of “Awareness” Training
I’m going to hazard a guess and say that the last time you attended a security awareness training session, it was less than helpful.
Let’s be honest, the general standard of security awareness training across all industries is pretty poor.
But here’s the thing. The problem isn’t just with the standard of training, it’s with the whole concept. Improving security awareness among an organization’s users might seem like a sensible target, but it consistently fails to reduce real-world cyber risk.
Think about it like this.
We all know we should eat more vegetables and stop frequenting McDonald’s drive-throughs. But how often does that knowledge cause us to make the right dietary choices?
Judging by the obesity epidemic, not very often.
Now, if we want to see a marked reduction in cyber risk as a result of our security training, we’ll need to choose an entirely different focus: Not security awareness but security behaviors.
And since phishing turns out to be the single greatest threat facing organizations worldwide, one security behavior in particular stands out.
Changing Email Behaviors
In basic terms, phishing emails are designed to do one thing: trick unsuspecting users into taking an action that in some way benefits the attacker.
To combat phishing, we’ll need to change the way users interact with their email inbox.
Now, you have to realize the average business user receives dozens of emails every day. As a result, most people aim to process their unread mail as efficiently as possible and naturally assume that anything landing in their inbox is legitimate. Each user has their own set of routines for managing their inbox which, over tens of thousands of repetitions, have hardened into unconscious habits.
Naturally, conditioning your users to change these habits is not going to be possible using the standard annual security awareness training format. Instead, you’ll need to incorporate your training into your users’ standard working day.
How, then, should you go about reconditioning your users’ email habits? Simple: Develop your own realistic phishing simulations, and send them to your users on a regular basis.
Yes, to be clear, I recommend phishing your own users.
Now before you start wantonly flooding your users’ inboxes with complex phishing lures, there are a few important considerations. For starters, this is not something you can rush into and expect to see results.
If you want to see genuine, long-term improvements in your users’ email security behaviors, you’re going to need to adhere to a few core principles.
1) Executive Sign-Off Isn’t A “Nice to Have”
Realizing dramatic improvements to employee security behaviors isn’t going to happen overnight. Quite the opposite: you will need to be consistent and maintain the effort over the long term. Yes, you can expect to see substantial improvements within the first few months, but they will quickly evaporate if you fail to stay consistent.
And how do you stay consistent? You make sure you have support from above, specifically in the form of agreed long-term funding. To secure that, you’ll need to develop a strong business case, track the program’s ROI with measurable outcomes (simulation click rate, report rate, time from delivery to first report) and routinely provide senior management with clear performance reports.
2) Success Must Be Easy
If you think the goal here is simply to persuade users to delete suspicious emails, you are seriously missing a trick. What you really want is for your users to report suspicious emails whenever they arise. Each report lets you identify and quarantine similar emails sitting in other inboxes, tighten your technical controls to catch the same lure in future, and build up a pool of real-world source material for future phishing simulations.
But here’s the thing: none of that happens unless reporting is as easy as it can possibly be. To that end, add a simple “report phishing email” button to your users’ email client, one that forwards the full message (headers included) to your security team without asking the user to do anything else.
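What the security team does with a report once the button delivers it, as an added example in Python (not code from the original article): pull the pivot points out of the reported message (sender and Reply-To domains, link hosts, and links whose visible text disagrees with the real destination), then use them to find similar messages in other inboxes to quarantine. The reported message and the mailbox index are constructed samples; a real deployment would query the mail platform’s search API instead of the `MAILBOX_INDEX` list.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a user-reported message (not a real phishing email).
# The visible link text names the real SSO host; the href points elsewhere.
REPORTED_EML = """\
From: "IT Helpdesk" <helpdesk@corp-it-support.example>
Reply-To: reset@corp-it-support.example
To: alice@corp.example
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<p>Your password expires today.</p>
<p><a href="http://corp-it-support.example/reset?u=alice">https://sso.corp.example/reset</a></p>
"""

# Constructed stand-in for what a mail-search API would return for recent
# inbound mail (assumption: id, to, from, subject and extracted urls per message).
MAILBOX_INDEX = [
    {"id": "m1", "to": "bob@corp.example", "from": "helpdesk@corp-it-support.example",
     "subject": "Action required: password expires today",
     "urls": ["http://corp-it-support.example/reset?u=bob"]},
    {"id": "m2", "to": "carol@corp.example", "from": "payroll@corp.example",
     "subject": "April payslip", "urls": ["https://hr.corp.example/payslips"]},
    {"id": "m3", "to": "dave@corp.example", "from": "noreply@other.example",
     "subject": "Your account", "urls": ["http://corp-it-support.example/login"]},
]

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_indicators(raw_eml: str) -> dict:
    """Pull the pivot points out of a reported message: sender and Reply-To
    domains, subject, link hosts, and links whose visible text disagrees
    with the real destination (a classic lure tell)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""

    hosts, mismatches = set(), []
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host:
            hosts.add(host)
        shown = (urlparse(text.strip()).hostname or "").lower()
        if shown and shown != host:
            mismatches.append((text.strip(), href))
    return {
        "sender_domain": _domain(sender),
        "reply_to_domain": _domain(reply_to),
        "subject": str(msg.get("Subject", "")),
        "url_hosts": sorted(hosts),
        "link_mismatches": mismatches,
    }


def find_similar(indicators: dict, index: list) -> list:
    """Return ids of messages sharing the sender domain, the subject line,
    or any link host with the reported message: the quarantine candidates."""
    hits = []
    for m in index:
        same_sender = _domain(m["from"]) == indicators["sender_domain"]
        same_subject = m["subject"] == indicators["subject"]
        shared_host = any(
            (urlparse(u).hostname or "").lower() in indicators["url_hosts"] for u in m["urls"]
        )
        if same_sender or same_subject or shared_host:
            hits.append(m["id"])
    return hits


if __name__ == "__main__":
    ind = extract_indicators(REPORTED_EML)
    print(ind)
    print("quarantine:", find_similar(ind, MAILBOX_INDEX))
```

Matching on sender domain, subject or link host deliberately casts a wide net: message `m3` shares only the link host with the report, which is exactly the kind of sibling lure a subject-only search would miss. The same indicators are what you feed back into the mail filter as the “tighten your controls” step.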
3) Point-Of-Failure Training
When you initially launch your program, you’ll notice that your users improve very rapidly. At the same time, though, they’ll fail a lot in the beginning.
But failure isn’t a bad thing. As long as your users are correctly identifying phishing simulations, they aren’t really learning anything; they’re just showing you what they can already do.
Each time one of your users fails a phishing simulation, they should immediately be sent to a relevant, multimedia training web page, which will educate them about the type of phishing email they have just been tricked by and help them to identify similar lures in future.
To really embed these lessons, you should also retest users within a week or so of their failed simulation. If certain users consistently fail both simulations, it may be worth following up with them personally.
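The bookkeeping behind points 1 and 3, as an added example in Python (not code from the original article): per-recipient tracking tokens for the simulation links, classification of each user’s outcome from the click and report events, the point-of-failure redirect plus a retest a week later, the users who fail both rounds and therefore warrant a personal follow-up, and the click and report rates that go into the management report. The signing secret, the training page paths and all event data are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: a per-campaign secret held by the simulation server. Tokens are
# derived from it so a recipient cannot forge another user's click.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"

# Assumption: training pages keyed by lure type (hypothetical paths).
TRAINING_PAGES = {
    "credential-harvest": "/training/fake-login-pages",
    "invoice-attachment": "/training/malicious-attachments",
}
RETEST_DELAY = timedelta(days=7)   # "retest within a week or so"


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    lure_type: str
    sent_on: date
    recipients: tuple


def tracking_token(campaign_id: str, user: str) -> str:
    """Opaque per-recipient token embedded in the simulation link; the user's
    address never appears in the URL."""
    mac = hmac.new(CAMPAIGN_SECRET, f"{campaign_id}:{user}".encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def outcomes(campaign: Campaign, events: list) -> dict:
    """Map each recipient to 'clicked', 'reported' or 'no_action'. A click is a
    failure even if the user reports afterwards; unknown tokens are ignored."""
    by_token = {tracking_token(campaign.campaign_id, u): u for u in campaign.recipients}
    result = {u: "no_action" for u in campaign.recipients}
    for ev in events:
        user = by_token.get(ev["token"])
        if user is None:
            continue
        if ev["action"] == "clicked":
            result[user] = "clicked"
        elif ev["action"] == "reported" and result[user] == "no_action":
            result[user] = "reported"
    return result


def point_of_failure_plan(campaign: Campaign, result: dict) -> list:
    """For every failure: the training page to redirect to, and the retest date."""
    return [
        {"user": u, "training": TRAINING_PAGES[campaign.lure_type],
         "retest_on": campaign.sent_on + RETEST_DELAY}
        for u, o in result.items() if o == "clicked"
    ]


def consistent_failures(first: dict, retest: dict) -> list:
    """Users who clicked in both the original simulation and the retest."""
    return sorted(u for u, o in first.items() if o == "clicked" and retest.get(u) == "clicked")


def summary(result: dict) -> dict:
    """The numbers that go into the management report."""
    n = len(result) or 1
    return {
        "recipients": len(result),
        "click_rate": sum(o == "clicked" for o in result.values()) / n,
        "report_rate": sum(o == "reported" for o in result.values()) / n,
    }


# Constructed data: one lure sent to four users, then a retest of the failures.
USERS = ("alice@corp.example", "bob@corp.example", "carol@corp.example", "dave@corp.example")
FIRST = Campaign("c1", "credential-harvest", date(2024, 3, 4), USERS)
FIRST_EVENTS = [
    {"token": tracking_token("c1", "alice@corp.example"), "action": "clicked"},
    {"token": tracking_token("c1", "bob@corp.example"), "action": "reported"},
    {"token": tracking_token("c1", "dave@corp.example"), "action": "clicked"},
    {"token": tracking_token("c1", "dave@corp.example"), "action": "reported"},
    {"token": "not-a-real-token", "action": "clicked"},   # forged or stale link
]
RETEST = Campaign("c1-retest", "credential-harvest", date(2024, 3, 11),
                  ("alice@corp.example", "dave@corp.example"))
RETEST_EVENTS = [
    {"token": tracking_token("c1-retest", "alice@corp.example"), "action": "clicked"},
    {"token": tracking_token("c1-retest", "dave@corp.example"), "action": "reported"},
]

if __name__ == "__main__":
    first = outcomes(FIRST, FIRST_EVENTS)
    print(summary(first))
    print(point_of_failure_plan(FIRST, first))
    print("follow up personally:", consistent_failures(first, outcomes(RETEST, RETEST_EVENTS)))
```

Two choices are deliberate: a click counts as a failure even when the user reports afterwards (the lesson still needs delivering, though the report is worth praising), and events carrying a token the server did not issue are dropped rather than attributed, which keeps a curious user from marking a colleague as a failure by editing the link.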
Persistence: The Number One Factor in Success
As you have no doubt already surmised, the phishing training program I just described is about as far from the standard annual security awareness program as you can possibly get. Instead of pulling users into a stuffy classroom once a year, you’ll be providing a much higher standard of training, regular real-world testing, and an opportunity for users to take an active role in the security of your organization.
At the same time, though, this process never really ends. If you shelve the program, you’ll find that within a few months your users are back to their old habits.
And here’s another thing to consider. No matter how good your users get at identifying phishing emails, mistakes will always happen. People are not machines, and while you can certainly expect to reach a 98 or 99% success rate, you can never assume that 100% of phishing emails will be correctly identified and reported.
Naturally, then, I would never suggest that a program like this could replace the need for high-quality technical security controls and a professional, well-trained incident response team.
No, this has never been a case of “either-or”. Quite the opposite: if you are genuinely committed to securing your organization against phishing, you will need to combine a well-trained workforce with a well-provisioned security function.