Make Employees Part of the Security Solution

One of the biggest fears for CISOs in the remote age is employees letting their guard down and clicking on something they shouldn’t from an unknown source. Over the past year, 76% of IT security leaders say their organization has experienced a data breach, resulting in the loss of sensitive information, and 38% of the time, these breaches were due to inadvertent employee carelessness. 

Security awareness training (SAT) on email security and spotting phishing attempts has been adopted by thousands of businesses to help reduce the risk of breaches caused by naïve employees. Yet phishing remains the most common threat vector, with 83% of businesses experiencing an attempt in the past year. So the question is: how can businesses make employees better prepared for the moment a phishing email arrives in their inbox?

Compliance vs. Practicality 

One of the primary issues with SAT is that it’s designed around the business objective of meeting compliance mandates and regulations. If each organization is driven by compliance, the training will not necessarily address the biggest issues in the company. 

For it to be effective, training needs to be an ongoing commitment due to the fast-paced nature of cybersecurity. Staff turnover is also a factor to consider, as businesses will need to keep on top of training new employees. In some instances, SAT becomes part of the onboarding process. However, new employees are usually incredibly overwhelmed upon starting a new job, so the training is likely to go straight over their heads. And phishing emails, despite filtering and ongoing training, still exist within inboxes, so what’s the next step? 

Labeled as the Problem

The traditional form of SAT positions employees as the weakest link. If individuals go into training feeling that they are the problem, their focus shifts away from why security matters and towards impressing their employer. Following training, employees often report more suspicious emails, but many of these reports turn out to be false positives. IT and security teams are already busy managing the entire company's security, so the additional queries coming through from employees take time away from their primary duties.

Businesses need to think about how they can alter their approach to security training, so it isn’t just a point-in-time, tick-box activity, but something more meaningful that delivers results without placing an unnecessary burden on workers. 

Combining Inbox Security with Crowdsourced SAT

In isolation, SAT programs are not an effective form of email protection. They become much more effective when layered on top of an email security solution that takes a crowdsourced approach, harnessing the collective intelligence of everyone in the organization. Giving employees detailed, guided information on suspicious emails, together with the ability to scan an email in their own inbox at the push of a button, prompts them to think for themselves instead of waiting for the security team to give a yay or nay on whether they can proceed.

If the email is found to be malicious, the employee gets the kudos, the SOC team's time is freed up, and the offending email is removed. But the threat isn't neutralized only in the mailbox of the user who identified it. The intelligence is pushed out to every employee's mailbox and, wherever the same threat is found, it is automatically remediated. This strategy rests on employees gaining information and visibility into suspicious emails and being given the power to get a live verdict at the push of a button. Over time this leaves them feeling supported, without the stress of a spot test built on artificial emails. With the data collected from these reports, teams can build a framework that leverages the collective wisdom of users: beyond raising general awareness, security teams can use employee feedback to shape the overarching security strategy.
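The report-verify-sweep loop described above, as an added illustration that is not code from the article or from any product it alludes to. Everything here is constructed: the verdict rules (a block list plus two heuristics), the campaign fingerprint (sender domain, normalised subject and the set of links), and the sample mailboxes. The point it shows is how one employee's report is turned into a fingerprint that is matched and quarantined across every other mailbox, while a report on a benign email costs nothing.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    quarantined: bool = False


URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed block list standing in for a real threat-intel feed (hypothetical domain).
BLOCKED_DOMAINS = {"examp1e-payroll.test"}
URGENCY_RE = re.compile(r"\b(urgent|immediately|verify)\b")


def extract_urls(body: str) -> list:
    """Return the de-duplicated, sorted set of links in the body."""
    return sorted({m.group(0).rstrip(".,)") for m in URL_RE.finditer(body)})


def url_host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def fingerprint(email: Email) -> str:
    """Campaign fingerprint: sender domain + normalised subject + link set.

    Normalising case and whitespace lets copies of the same campaign match
    even when the subject line was typed slightly differently per recipient.
    """
    domain = email.sender.rsplit("@", 1)[-1].lower()
    subject = re.sub(r"\s+", " ", email.subject.strip().lower())
    material = "\n".join([domain, subject, *extract_urls(email.body)])
    return hashlib.sha256(material.encode()).hexdigest()


def verdict(email: Email) -> list:
    """Illustrative checks only; returns the reasons an email is judged malicious."""
    domain = email.sender.rsplit("@", 1)[-1].lower()
    urls = extract_urls(email.body)
    reasons = []
    if domain in BLOCKED_DOMAINS:
        reasons.append(f"sender domain {domain} is on the block list")
    for host in (url_host(u) for u in urls):
        if host in BLOCKED_DOMAINS:
            reasons.append(f"link host {host} is on the block list")
    if urls and URGENCY_RE.search(email.subject.lower()):
        reasons.append("urgency wording in subject combined with a link")
    return reasons


@dataclass
class RemediationResult:
    fingerprint: str
    reporter: str          # who gets the kudos
    reasons: list          # empty list means the report was a false positive
    removed_from: list     # users whose mailboxes held the same campaign
    quarantined: int       # copies quarantined across the organization


def handle_report(reporter: str, email: Email, mailboxes: dict) -> RemediationResult:
    """Verify one employee's report and, if malicious, sweep every mailbox for it."""
    fp = fingerprint(email)
    reasons = verdict(email)
    if not reasons:
        return RemediationResult(fp, reporter, [], [], 0)
    removed_from, quarantined = [], 0
    for user, inbox in mailboxes.items():
        for msg in inbox:
            if not msg.quarantined and fingerprint(msg) == fp:
                msg.quarantined = True
                quarantined += 1
                if user not in removed_from:
                    removed_from.append(user)
    return RemediationResult(fp, reporter, reasons, removed_from, quarantined)


# Constructed sample data: one phishing campaign delivered to three of four users.
PHISH = dict(sender="hr@examp1e-payroll.test",
             subject="URGENT: confirm your payroll details",
             body="Please verify at https://examp1e-payroll.test/login before 5pm.")


def build_sample_mailboxes() -> dict:
    return {
        "alice": [Email(**PHISH), Email("ops@example.test", "Weekly report", "Attached.")],
        # Same campaign, but the subject differs in case and spacing.
        "bob": [Email(PHISH["sender"], "Urgent:  Confirm your payroll details", PHISH["body"])],
        "carol": [Email("ops@example.test", "Lunch", "Noon?")],
        "dave": [Email(**PHISH), Email(**PHISH)],
    }


if __name__ == "__main__":
    boxes = build_sample_mailboxes()
    result = handle_report("alice", boxes["alice"][0], boxes)
    print(f"{result.reporter} reported a campaign; {result.quarantined} copies "
          f"quarantined from {result.removed_from}; reasons: {result.reasons}")
```

The fingerprint is deliberately coarse: it keys on what an attacker reuses across a campaign (sending domain, lure text, link set) rather than on per-recipient details, which is what lets one report clean up every copy. In a real deployment the `verdict` step is where the guided information shown to the employee and the SOC's own tooling plug in; the sweep and the kudos bookkeeping stay the same.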

Moving Forwards 

Employee training is necessary, but it is not sufficient as a standalone practice. Organizations should build the training into their overall security solution so that it contributes to the business-wide strategy. For example, phishing no longer exists solely in email. Other forms of communication — such as WhatsApp and SMS — are being targeted by criminals. Businesses should therefore consider automated security that detects and remediates phishing, BEC and malware threats which have penetrated existing defenses. These defenses should revolve around continuous monitoring and detection, where crowdsourced user reporting can assist, and automated response and remediation. If we want to combat the threats facing us now and in the future, security strategies need to become more agile so that businesses can adapt their approach as threat actors change theirs.
