Raising Awareness

With new studies emerging on what seems like a weekly basis on the pervasiveness and growing effectiveness of phishing campaigns, it is beginning to feel like an uphill battle that cannot be won. Looking out on the security landscape, we see many awareness tools that help users understand the anatomy of a phish. We also see any number of tools designed to solve the problem for them, so that users do not have to think about it at all.

One recent study from Proofpoint showed that nearly 66% of users now understand the basics of phishing and how these attacks can affect them personally as well as their businesses. Yet phishing still ranks as the number one attack vector for credential theft, and it is the root cause of nearly half of malware and ransomware infections. How is it possible that, with tools to educate and tools to prevent, we still have not been able to stop the dangers that phishing presents every day?

To me the answer is simple: we are not using either of these tools properly. If users are educated but still falling victim to these attacks, and if the tools meant to protect against them are not always providing adequate protection, then I believe these tools need to be implemented together, in a more holistic way. We often describe things that are not working as 'the right hand not knowing what the left hand is doing,' and that is exactly what we have here.

Using a security awareness program to ensure that your users can recognize a phishing attack and are up to date on the latest attack vectors is essential to protecting data. Users are the single most important piece of a cybersecurity posture and must be educated. It may sound pejorative, but the analogy fits: there is no point yelling at the dog that ate your shoes when it had no toys and did not know the difference. Training, just as with a misbehaving pet, must start early and continue throughout its lifetime, or in our case, a user's tenure. People are no different. Awareness of phishing has increased, but the threats keep changing, and keeping users' knowledge current requires ongoing training.

Further to that, the lessons of a security awareness program will not be retained the way we want until we provide teachable moments. If we think of these not as an educational program but as a learning opportunity tied to an experience or attack that just occurred, we can help people learn at a deeper level. Just as with the dog, when it picks up the slipper, say no and offer an alternative. We must provide the same kind of experience to our end users, and that is where staff phishing testing comes into play. Combining an awareness program with a security tool that can both test users and teach them is a powerful and, more importantly, empowering thing for our users and for us as infosec professionals. Don't pretend you have never clicked on something you shouldn't have!

So, how do we create these teachable moments? How do we combine the absolute necessity of education with the equally important component of protection? In my opinion, the answer is to stack the tools. When a phish or other malicious attempt is detected, layer in your awareness training at that moment. Show your users the toy. There is a lot of power in catching a mistake in motion, and evidence shows that when education is provided in real time, the learning sticks far better than when the same content is taught out of context. Take the moment a user clicks a phishing link as an opportunity to help that user learn from the experience, without compromising your systems and without the user quickly and embarrassingly closing the window having learned nothing.

Making your phishing awareness program context-aware is paramount to the ultimate success and empowerment of your users. These are the people who come to work every day trying to make your business succeed. These are the people who are invested in that success. If we can give them even more power to protect the things they are trying to build, they are more likely to learn from an experience and become champions for the security of the business. Security awareness is critical to these people, and these people are critical to you. Help them learn the best way they can, and they will help your business grow safely.