Why Phishing Alone is Not Enough Awareness Training

Over the last several years, phishing simulations have become seen as the equivalent to security awareness training. The result is many organizations are only providing phishing simulation to their employees, and not security awareness training. This trend is a dangerous one, one that may actually lead to greater insecurity. 

Why? Organizations are now focusing on only the single threat vector of phishing, admittedly a very serious one, but still one of many.

Cyber-criminals aren’t oblivious to this trend either. They know that leaves the door open for many other types of attacks, or exploitation of vulnerabilities, such as posting of sensitive data to the cloud, mobile device loss or theft, vulnerabilities in IoT-connected devices, social networking over-sharing and over-trusting, and the list goes on and on.

I’ve even heard one security vendor say that you only should do phishing simulation and training on one or two other topics, because that is all employees will remember. That’s good news for cyber-criminals because it leaves other doors open to them.

Why Phishing Simulations aren’t enough
A phishing simulation sends simulated, safe phishing messages to employees, then tracks who falls victim to the simulation. The goal is to help employees learn to identify phishing attacks, and to avoid clicking on phishing links, opening attachments, or falling for other phishing attacks like picking up a “lost” Flash drive and inserting it into their computer.

If an employee falls for a simulation attack, a well-designed phishing simulation service will direct the employee to targeted training related to that attack. All worthy goals. Phishing, no doubt, is one of the big threats today, and phishing simulation can be a pillar in a strong security awareness program.

Phishing simulations pale in comparison to robust security awareness training: a phishing simulation is targeted training for a single type of threat and is limited in what it can do; it makes assumptions that if employees don’t fall for the attack, they understand the risks. For those that do fall for the attack, it counts on a simple training message being enough for them to learn.

Furthermore, many organizations also face their most serious threats in areas that phishing doesn’t even address. For example, a primary concern of healthcare entities is the exposure of Protected Health Information (PHI). However, many PHI data breaches are the result of lost mobile devices, data posted to the cloud, or improper access. None of those are a result of phishing. 

Training: A Negative or Positive Approach
Phishing simulations are often perceived by the targeted staff as a form of entrapment, with negative consequences if an employee falls for the trap. The tricked employee knows they failed the test and their failure will be reported to management. Adding insult to injury, the just-in-time training may feel more like a punishment, leading to resentment of training. Learning rarely accompanies resentment. Furthermore, once employees leave work and are no longer monitored, there is no incentive for behavior change. 

Effective security awareness training is the opposite. Employees are drawn in to learn, and training is presented in a structure that both ensures participation and real learning. Training is fun, relevant and useful for employees both at work and home.

The need for effective security awareness training greater than ever
Phishing simulations are not a remedy for all problems and will not fix employees’ risky behaviors alone. According to Gartner in their report Innovative Insight for Anti-Phishing Behavior Management: “Anti-phishing behavior management solutions are not a tool for initiating cultural change. Assess your organizational culture first, and deploy anti-phishing as part of a comprehensive program of security behavior management and education.”

Effective security awareness training trains employees on the breadth of the threats they face daily, as well as the choices they must make, and the risks of their own insecure behavior. The key word here is “effective”. Too many organizations have turned from security awareness training to the quick fix of phishing simulation because they feel training failed to achieve the promise of changing behavior. Most often the failure lies in the specific program.

To be truly effective and change behavior, security awareness training must be as much about eLearning as it is security. First, present security in a way people can learn. Make training brief and frequent. Long-training sessions overwhelm trainees, going in one ear and out the other.

Likewise, sessions presented infrequently fail to reinforce learning. Brief and frequent training is something that effective security awareness training and phishing simulation programs can share in common, but the similarities end there.

Effective security awareness training also captures the employees’ interest and is engaging. Based on eLearning principles, training is designed around how people learn. Interactive training and gamification go a long way towards meeting these objectives. The result is people want to learn.

The Ideal Solution
The need for effective security awareness training clearly is greater than ever due to the ever-increasing data breaches, security incidents, and constant introduction of new technologies and services. Phishing simulation can be a valuable tool in your security awareness platform, but it should always be seen as a supporting element.

Along with other supporting services like awareness materials and policy tracking. When implementing a phishing simulation service, you need to adopt as many eLearning principles as possible. Most importantly, make effective security awareness training the foundation of your security awareness program. This will truly drive behavior change and create a culture of security.

What’s Hot on Infosecurity Magazine?