Anti-Phishing Training: Why ‘Set It and Forget It’ Is a Mistake
Even though cybersecurity budgets are healthier now than they have been in past years, security talent is in short supply, which means infosec training teams are still facing the crunch of doing more with less. As such, the lure of automation is strong. If you find yourself tempted by the idea of a “set it and forget it” security awareness training program, we caution you to consider the negative side effects of a hands-off approach.
The Most Effective Programs Are Agile and Responsive
We’ve worked closely with our customers and Managed Services team to develop a recommended set of best practices for security awareness training, and the tips we provide are based on field-proven methods. The bottom line: Programs that are actively measured and managed, with activities strategically tailored based on the results of assessments and cybersecurity education, deliver the best results.
A great example of this can be seen with simulated phishing attacks. Some anti-phishing training vendors tout the time management perks associated with a program that is set up to run automatically for a year. While we recommend sending monthly phishing tests (using our ThreatSim® tool), we do not recommend taking agility out of the mix. Your program should be monitored, and metrics should be analyzed regularly; the results of your assessments will show you where vulnerabilities lie, and you should be able to be responsive. These are the types of capabilities you miss out on with auto-run assessments that are planned too far in advance:
- The opportunity to deliver “current events” simulated phishing campaigns that will keep your end users alert to these types of threats.
- The flexibility to plan your cybersecurity assessments based on prior results; for example, doing extra evaluations of attachment-based campaigns if you see a large number of clicks with this type of attack (whether during phishing tests or from the wild).
- The ability to strategically tailor your cybersecurity training topics and schedule based on the areas of weakness that are identified in your assessments.
- The opportunity to incorporate assessments and training in response to emerging threats. (Ransomware is a great example of this, as it went from “nuisance” to elevated threat in relatively short order.)
Searching for an easy way to amp up your end users' knowledge of cybersecurity best practices? Our Managed Services team can plan and execute a program to your specifications.
Certainly, a “set it and forget it” approach can seem great on the surface — but it’s not likely to generate the best results. If you lay out a phishing training schedule a year in advance, you limit your ability to be responsive and make changes as needed. A one-size fits all approach is akin to a minimal-effort “check the box” approach — and, frankly, poor effort is almost always linked to poor performance.
We are certainly advocates for planning ahead — don’t mistake that. We just don’t feel it’s in an organization’s (or a program administrator’s) best interest to commit to (and build) the content and themes of a year’s worth of assessments at once. In addition to the lack of flexibility, it could amount to wasted work, as you are likely to want to adjust based on end-user behaviors and industry threat trends that emerge during your security awareness and training program. Knowing what you’d like to do is always helpful, but you should always have the agility to do what you need to do to drive results.