The holy grail of information security behavior change is upon us. Or so “they” would have you believe. “They” are phishing simulation vendors, who claim that by running frequent phishing simulation tests, within a year, the percentage of employees who are tricked by a phish falls by a factor of six.
That sounds impressive until you realize these are the same vendors that also profit from you running frequent tests. So, what’s the reality? Is phishing simulation the holy grail in security awareness for which we’ve searched for decades? Or is it just another hyped technology that is having its 15 minutes in the spotlight?
Before we answer that question, let’s explore why today’s security awareness programs themselves are often doomed to failure:
- Purely awareness based: These well-meaning organizations say “If you provide security awareness training, people will read, understand, and apply it in practice.” The problem is that when awareness training is non-mandatory, people tend not to do it. If you send a blast email to your entire organization, the chances are that 10% will actually read it, and even fewer will take concrete actions based on the email.
- Purely compliance based: These organizations (in regulated industries in particular) shove employees through training that is heavy on compliance and policy, mandate testing to gauge understanding, and ensure 100% attendance. Alas, the problem here is that employees forced to do things will find the easiest way to complete the training, without trying to understand the material.
No organization is ever going to get to a point where none of its employees are susceptible to phishing, but there are ways to increase your odds of preventing, detecting and mitigating this risk. If you’re trying to get to that point, what should you be thinking of?
Firstly there is awareness training: You need to constantly reinforce the requirement for secure behavior, using several media and a regular cadence. For instance:
- You could issue newsletters every quarter.
- You could make awareness videos, such as Restricted Intelligence (which I personally love) available to users.
- You could have periodic direct email sent by line managers to users.
- You could have poster campaigns periodically, with posters in high visibility areas such as cafeterias, elevators and entrances.
- You could run privacy and security challenges that encourage users to get involved and be part of the solution, not part of the problem.
See the insight? Mixed media, variety, interactivity and constant reinforcement are key. Secondly, compliance training has its place. It can and should be used to emphasize certain legal requirements. You can even use some of the awareness training above to make compliance training less tedious. But do compliance training for compliance, and security training for security.
Thirdly there are technical solutions. Remember the early days of anti-virus software? We told users not to click on unknown attachments; then we gave them training on how to update anti-virus software; then we developed auto-updating anti-virus software; then we blocked executable files from coming in over email; then we developed heuristics to detect even sneakier attacks; and we continue the battle against the bad guys.
Protecting users from phishing is similar – wherever possible, you should automate the protection against phishers, for instance by:
- Implementing anti-spam and anti-phish protection in your mail gateways (most major mail providers, such as Office 365 and Google Mail, include this by default).
- Implementing SPF and DKIM to detect and block spoofed emails: SPF lets a domain publish in DNS which servers may send mail on its behalf, so a gateway can reject a message whose sending IP is not on the list; DKIM adds a cryptographic signature that ties the message to the signing domain and detects tampering. Publishing a DMARC policy on top of these tells receivers what to do when both checks fail for mail claiming to be from your domain.
- Implementing tools to help users report suspicious emails to security, along with workflows to analyze, respond to, and defend against true threats.
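To make the SPF point concrete, here is a small SPF evaluator of the kind a mail gateway runs against the connecting IP and the MAIL FROM domain. This is an added example written for this page, not code from the original post or from any vendor product; the DNS records in `DNS_TXT` are constructed for the illustration and stand in for real TXT lookups, and the evaluator implements only the `ip4`, `ip6`, `include` and `all` mechanisms of RFC 7208 (anything else yields `permerror`).

```python
"""Minimal SPF evaluator (subset of RFC 7208) run against a constructed DNS table."""
import ipaddress

# Constructed DNS TXT records for this example. In a real gateway these come
# from DNS queries; here they stand in so the example runs offline.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the SPF record for domain, or None if the domain publishes none."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate SPF for a message sent from ip claiming MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror, temperror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; also guards include loops
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix in the record
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include: matches only if the referenced domain's record yields pass
            sub = check_spf(ip, arg, dns, depth + 1)
            if sub == "pass":
                matched = True
            elif sub == "temperror":
                return "temperror"
            elif sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: missing/invalid include target
            # fail, softfail, neutral from the include: no match, keep evaluating
        else:
            # a, mx, ptr, exists and the redirect= modifier are not implemented here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def gateway_action(ip, mail_from_domain, dns=DNS_TXT):
    """Map an SPF result to the action a gateway would take (policy is an assumption)."""
    result = check_spf(ip, mail_from_domain, dns)
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for sender_ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(sender_ip, check_spf(sender_ip, "example.com"),
              gateway_action(sender_ip, "example.com"))
```

The mapping in `gateway_action` (reject on `fail`, quarantine on `softfail` or `permerror`, deliver otherwise) is one reasonable policy, not a standard; in practice most gateways defer the decision to the sending domain's DMARC policy rather than acting on SPF alone, and a message that fails SPF can still be legitimate when forwarded, which is one reason DKIM is needed alongside it.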
Finally there are phishing simulations, and I do recommend you use phishing simulations. Using simple scenarios at first, you can test whether the awareness material you have provided to your users is actually making an impact in their behavior. By using gentle reinforcement on initial failures, you provide a non-threatening learning environment. By telling users you are going to test them, you create a decent (but not debilitating) level of paranoia, which is exactly what you want.
You WANT users to be paranoid when they get emails that seem too good to be true. Don’t worry about the actual percentage of users who are tricked on each test – look for the overall trend over many months of testing. You should fully expect some users to say “How dare you test me – that was deceitful” (usually, it’s the ones who are tricked that lash out in embarrassment). Also, don’t spare the executives from the testing; they’re just as human as everyone else.
This was a long and winding road to the conclusion: I believe phishing simulations can help improve awareness and, more importantly, behavior, but you absolutely must use them in conjunction with training, technology, and reporting processes designed to prevent, detect, and mitigate the impact of a phishing attack. You wouldn’t buy a car without tires, so why would you do testing without the foundational elements I mention above?