Security Officers and Users Find Common Ground Through Simulated Phishing Attacks

Once again there has been much heated debate recently around the effectiveness of security awareness training and its measurable benefits to an organization. I recently had the privilege of discussing with top Chief Security Officers (CSOs) and security leaders how security awareness training and the use of simulated phishing attacks can help companies educate employees how to avoid growing cyber security threats.

Phishing, and the more targeted and sophisticated spear-phishing, is the weapon of choice for the modern cyber-criminal. It is used by the common criminal for identity theft, and the more organized hacker for data and intellectual property theft. There is no foolproof technological defense; and contemporary thought focuses now on training the user to recognize and resist targeted social engineering.

A recent Naked Security Survey shows that 85% of the information security people surveyed support the use of simulated phishing attacks for training employees. The report notes that the key is being in the moment. Being in the moment makes learning very timely and it makes it more relevant. As we all know acknowledging a mistake is a powerful motivator for action.

If done carefully, simulated attacks have two major benefits. First, it can shock complacent staff into realizing how vulnerable to social engineering they really are, and through that keep them on their toes and improve overall security; and second, it opens a valuable communications channel between users and security staff. As one senior security director from a major entertainment company said “it helps people understand that they can report phishing and other malicious attacks to their IT department.” He added “A side benefit is that it creates a conversation between IT security folks and employees – common ground.”

The biggest concern these security leaders brought up about simulated attacks were concerns around the ethics of tricking users for the purposes of training. This debate was addressed in many ways by these esteemed security leaders.

The group pointed out that it doesn’t mean the Security department should just start attacking the company staff to see how vulnerable they are. It needs to be framed correctly.

This highlights the biggest difficulty in formulating a simulated attack training strategy. The general feeling is that you cannot forewarn staff of a simulation since that would defeat the purpose; but at the same time it should not be done in a vacuum.

There are two potential problems. First, as noted by a security manager from a leading electronics manufacturer, staff can “tend to think they are being spied on or not trusted.” This could lead to an unhappy workforce; and an unhappy workforce is not a productive workforce.

Second, said another CSO, “it’s possible that an individual might feel singled out for the wrong reasons.” This can backfire on the company if that person subsequently uses the issue as an ‘example’ of victimization by the company. “But this is where communication can help resolve those issues.”

Here’s where an important point must be raised which was agreed upon by all the security leaders I talked with. When an individual is first employed, he or she will need to be educated on how phishing will be used during their employment. Employees will thus know that they will be ‘phished’, but they won’t know when – and that in itself will keep staff on their toes.

That’s prior warning; but post-event explanation is also important. “Employees need to understand that the purpose of the training is to strengthen the company’s security posture,” said one security evangelist. “A landing page with further explanation may be one way of doing that.”

The bottom line is security professionals must communicate with staff that this is a joint effort between the employee and security department. You need to set the right expectation that you are trying to help the company, not frame individuals. The smarter everyone is the more secure the company will be. And the more secure the company, the more secure the job.

While using simulated attacks as part of user awareness training is a relatively new approach and slightly contentious, it’s proving to be very effective. And results are showing this. As an example, almost 35% of employees at a Fortune 50 company fell for the first simulated phishing attack but after completing anti-phishing focused interactive training modules, less than 6% fell for the second attack – which demonstrates an 84% decrease in susceptibility.

Let’s be realistic. Cyber criminals are not slowing down and they won’t quit phishing employees, it’s proven to be a highly effective tactic.

If simulated attacks are done openly and for the benefit of the company rather than the detriment of the staff, it can be a very engaging process rather than something to be feared. The overall benefits of higher awareness and improved retention by staff together with the introduction of meaningful metrics into training makes simulated attacks one of the most cost-effective forms of awareness training available.

It’s time to make a cyber criminal’s job a little harder with users as defenders against attack.

For the complete results of this discussion, you can download the report: A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training?

Wombat Security Technologies helps companies combat cyber security threats with uniquely effective and engaging software-based training solutions that train employees to identify and avoid cyber-attack.