Cyber-security education, through the use of anti-phishing training programs, is vital in a world where humans remain the weakest link in the cyber-security chain.
Cyber-security is a term on every businessperson’s mind, as the legal, financial and reputational implications of a breach are massive. The challenge is that, while a company can implement the best cyber-security technologies, the biggest threat to a firm remains its people, who are susceptible to social engineering, phishing and many other cyber-threats. This means that the best approach to security lies in delivering relevant training that can turn your people into ‘human firewalls’.
According to David Shipley, CEO of Beauceron Security, one of Digital Resilience’s key security partners, organisations should adopt a positive approach to cyber-security awareness and training: one that focuses on education and behavioural change and ultimately empowers people to recognise risk and act on it.
“We named our company Beauceron, after a type of sheepdog, and we feel it is appropriate, because our solutions help to turn employees from passive victims of cyber-crime into active defenders against it – or from sheep to sheepdogs, in other words,” he says.
“In our experience, cyber-security is more of a people, processes and culture issue than it is a technology one alone. This is why our aim is to create a culture of security within our clients’ businesses, and to proactively foster learning that empowers their people to do something about it.”
This, he adds, leads to the subject of anti-phishing programs and training, which organisations often run to reduce the number of successful phishing attacks against them. Such programs draw criticism, however: they never reduce click rates to zero, they can create negative emotional experiences for employees, and they can foster a bias towards technology solutions, creating an expectation that technology alone can solve everything.
“The reality is that a really good program, when sending out simulated phishing attacks, should get you to a click range of around 3-5%. If your click rate is zero, chances are the program doesn’t actually represent the real risks your employees are facing,” he explains.
Yaron Assabi, Founder of Digital Resilience, says: “We thus recommend using an automated randomisation of phishing templates, which are sent out randomly to your users, and they should have various levels of difficulty. This will help replicate the nature of most phishing attacks, giving your people a chance to learn how to deal more effectively with threats.”
He also notes that certain types of phishing mails sent as part of such a program may create a negative emotional experience for users. For example, mails promising fake holiday bonuses, or those that focus on romance or sexuality can cause additional distress. Therefore, always ensure you use templates that are appropriate for your organisational context and threat environment.
“Remember, there are other, less distressing ways to educate people around such potential threats. You could provide these in a training module, or in a newsletter, or even a talk that is non-threatening, and does not single out individuals. You will still achieve the goal of educating that person, without the attendant distress.”
“Crucially, when using phishing as an educational tool, staff must never see it as an ‘us and them’ approach, where they feel IT is out to get them or to trick them. Always remember it is about teaching them, not about tricking people. So, my advice is to create a powerful mechanism for recognising and rewarding users for properly reporting phishing simulations, as well as rewarding reporting of real phishing mail,” continues Shipley.
Shipley adds that, looking beyond simple click rate, organisations should also consider the report rate – that is, the proportion of employees who regularly report all phishing attempts, both simulated and real. This rate demonstrates how many of your people know what a phishing mail actually looks like, as well as that they care enough to inform you about it. It is, of course, important to celebrate employees like these, who do the right thing.
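As an added illustration (not code from Beauceron Security or Digital Resilience), the following Python scores a constructed simulated-phishing campaign along the lines described above: randomised template assignment across difficulty tiers, click rate and report rate overall and per tier, the set of employees who reported both the simulation and a real phishing mail, and a check that treats a zero click rate as a sign the templates do not reflect real threats. The template names, the event format and the use of 3-5% as a target band are assumptions made for the example.

```python
"""Score a simulated phishing campaign: click rate, report rate, realism check.

Added example, not vendor code. Template catalogue, delivery log and the
3-5% target band are constructed assumptions for illustration.
"""
import random
from collections import Counter, defaultdict

# Constructed template catalogue with difficulty tiers (hypothetical IDs).
TEMPLATES = {
    "T1": {"difficulty": "easy", "theme": "password reset"},
    "T2": {"difficulty": "medium", "theme": "shared document"},
    "T3": {"difficulty": "hard", "theme": "vendor invoice follow-up"},
}

# Constructed delivery log for one campaign: (user, template id, outcome).
# outcome is "ignored", "clicked" or "reported" (reported without clicking).
EVENTS = [
    ("alice", "T1", "reported"), ("bob", "T1", "ignored"), ("carol", "T1", "reported"),
    ("dave", "T1", "ignored"), ("erin", "T1", "reported"), ("frank", "T1", "ignored"),
    ("grace", "T2", "reported"), ("heidi", "T2", "ignored"), ("ivan", "T2", "ignored"),
    ("judy", "T2", "reported"), ("karl", "T2", "ignored"), ("leo", "T2", "ignored"),
    ("mallory", "T2", "reported"), ("nina", "T3", "clicked"), ("oscar", "T3", "ignored"),
    ("peggy", "T3", "reported"), ("quinn", "T3", "ignored"), ("rob", "T3", "ignored"),
    ("sybil", "T3", "reported"), ("trent", "T3", "ignored"),
]

# Constructed list of users who reported a *real* phishing mail in the same period.
REAL_REPORTS = ["alice", "peggy", "bob"]


def assign_templates(users, templates, seed=None):
    """Randomly assign one template per user so a campaign mixes difficulty tiers.

    A seed makes the assignment reproducible for audit; omit it in production.
    """
    rng = random.Random(seed)
    ids = sorted(templates)
    return {user: rng.choice(ids) for user in users}


def campaign_metrics(events, templates):
    """Return click rate and report rate overall and per difficulty tier."""
    if not events:
        raise ValueError("no deliveries recorded")
    overall = Counter(outcome for _, _, outcome in events)
    per_tier = defaultdict(Counter)
    for _, template_id, outcome in events:
        tier = templates[template_id]["difficulty"]
        per_tier[tier]["sent"] += 1
        per_tier[tier][outcome] += 1
    sent = len(events)
    return {
        "sent": sent,
        "click_rate": overall["clicked"] / sent,
        "report_rate": overall["reported"] / sent,
        "by_difficulty": {
            tier: {
                "sent": c["sent"],
                "click_rate": c["clicked"] / c["sent"],
                "report_rate": c["reported"] / c["sent"],
            }
            for tier, c in per_tier.items()
        },
    }


def consistent_reporters(events, real_reports):
    """Users who reported the simulation and at least one real phish."""
    reported_sim = {user for user, _, outcome in events if outcome == "reported"}
    return sorted(reported_sim & set(real_reports))


def assess(metrics, band=(0.03, 0.05)):
    """Classify the campaign click rate against the assumed 3-5% target band."""
    low, high = band
    click_rate = metrics["click_rate"]
    if click_rate == 0:
        return "unrealistic: zero clicks suggests templates do not reflect real threats"
    if click_rate > high:
        return "above target band"
    if click_rate < low:
        return "below target band"
    return "within target band"


if __name__ == "__main__":
    m = campaign_metrics(EVENTS, TEMPLATES)
    print(f"click rate {m['click_rate']:.1%}, report rate {m['report_rate']:.1%}")
    for tier, t in sorted(m["by_difficulty"].items()):
        print(f"  {tier:<6} sent={t['sent']:>2} click={t['click_rate']:.1%} report={t['report_rate']:.1%}")
    print("assessment:", assess(m))
    print("celebrate:", consistent_reporters(EVENTS, REAL_REPORTS))
```

Breaking the numbers out per difficulty tier is what makes a single overall click rate interpretable: in the constructed log the only click lands on the hardest template, which is the pattern a realistic campaign should show, whereas a zero rate on every tier is flagged rather than celebrated.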
“Lastly, staff need to understand that while technology can help defeat cyber-attacks, the fact is that all secure gateways have a failure rate against sophisticated phishing attacks, so while it helps, it is certainly not a silver bullet,” says Assabi.
“In fact, it is best explained using a car analogy: if your employee is the driver and cyber-security is the act of driving, they would need to be well educated and knowledgeable about the dangers of driving, so they are unlikely to have an accident. The various cyber-security technologies are the equivalent of an airbag in the car, in that they help to protect even careful drivers when something bad does happen. However, the reality of safe driving is that avoiding the majority of accidents comes down to how well-trained the driver is. Very much the same could be said about cyber-security,” he concludes.