Filtering and time-of-click protection can produce results where training fails.
First, the facts: Employees who are unaware of the dangers of phishing are far more likely to become victims of phishing attempts than those who understand the process.
The FBI estimates that organizations across the United States lose $1.2 billion every year due to email scams. Since phishing is by far the most popular way to get malicious code into an organization’s network, it follows that training employees to recognize phishing attempts is an effective strategy to prevent phishing attacks.
But how good of a strategy is it really?
Formal studies on the subject can be misleading. There are university-based studies that show promising results from sending mock-phishing emails to students and faculty, but it’s unclear how well these results translate to the world of business.
It’s also unclear how phishing training can eliminate the threat of cyberattack on its own. It’s unreasonable to expect a 0% chance of falling victim to cyberattack solely through employee vigilance and training. Only a systematic, infrastructural approach can produce results of this caliber.
What’s wrong with phishing with your own employees
Phishing awareness training usually centers around creating mock phishing drills that target your own employees. These can be very successful at creating awareness of phishing tactics and teaching employees what you mean when you talk about “suspicious email attachments”.
These drills take on a common form in most situations. Generally, the IT staff will create suspicious-looking emails and target certain employees with them. The links in the emails don’t download malware onto the victim computer, but they do lead to an internal webpage that says something along the lines of:
Caught you! Next time please be more careful.
Studies have shown that after these initial trials, employees tend to open follow-up mock-phishing emails far less often. However, there is evidence that points towards diminishing returns (and possibly even damage) when extending the mock-phishing drill beyond its initial stage of usefulness.
Some cybersecurity professionals believe that by staging mock phishing drills on a constant basis, companies can maintain a high degree of discipline among their team members and prevent phishing attacks.
Royal Society member Steven J. Murdoch and human-centered security expert M. Angela Sasse of the University College of London disagree. These two security experts underline some important yet underappreciated risks of phishing your own employees:
- Reduced productivity. Some employees have to open emails and attachments from strangers as part of the job. Anything that slows down the process affects productivity. Furthermore, employers still pay for all the time employees spend deciding whether to open a specific email or not.
- Employee alienation. Hopefully, you never chastise, reprimand, or otherwise publicly name employees who fail the mock-phishing test. While this might seem like a good idea from a disciplinary point of view, it will only incentivize employees to avoid reporting real phishing emails.
- Undermining trust. Mock-phishing undermines the foundation of trust that your company and its employees share with one another. Constantly probing for employee weaknesses and impersonating fellow employees to do so can be categorized as profoundly destructive and paranoid behavior. This is literally the kind of thing that happened in Stalinist Russia.
- Increased insider attack risk. Speaking of undermining trust, disgruntled employees make up a considerable number of corporate data breach cases. If you give employees r a reason to mistrust your company and point out the weakest links on the chain are, you’re practically setting yourself up for disaster.
- Damaged responsiveness. Consider this: what if security training has gone too far, and employees are now beginning to delete legitimate emails without opening them? Most mock phishing drills have no way of addressing this issue, which can lead to communication blackouts and lasting damage to corporate goals and objectives.
The right way to handle phishing awareness training Training
If there are benefits to be gained through mock-phishing drills, they are exclusively of the awareness nature. You can’t expect your employees to be so perfectly disciplined that they, through the power of training alone, will be able to successfully identify every single phishing email that comes along.
Instead, phishing training needs to coincide with the implementation of a robust framework for security that includes effective filtering and time-of-click protection.
- Sophisticated email filters can find and safely dispose off the vast majority of phishing emails. These filters can eliminate employee guesswork for the most common known threats and assist with the detection and quarantine of new vulnerabilities. The less malicious emails end up in your employees’ inboxes, the better.
- Time-of-click protection. Time-of-click protection ensures that the few malicious emails that are bound to get through still enjoy a significant line of defense. Time-of-click protection engages whenever an employee actually clicks on an embedded link in an email. It verifies the domain in question and checks against potential threats before loading the web page.
When you have methods in place for qualifying and verifying incoming emails, you can afford to be more forgiving with the phishing awareness training.
One of the best ways to approach phishing awareness training is by using real phishing emails as examples. These are easy to find and almost everyone with an email address receives them anyways.
All your IT team needs to do is to give employees a special shared inbox for security verification. By empowering employees to say, “I’m not sure”, you can vastly increase the overall likelihood of the reporting of malicious emails, while also allowing trained security professionals to verify questionable content instead of relying on employees to do the job.
Security is a complex field that relies on many factors to generate results. In most cases, these results go unnoticed by the vast majority of people who benefit from them, since you are essentially investing time, money, and resources into making sure security incidents don’t happen.
Mock phishing can increase awareness of phishing attack strategies, but it cannot be relied on as an end-all-be-all approach for keeping corporations safe. Beyond the spurious effectiveness that mock-phishing drills have in the long run, the cost of your employees’ good faith in your security system can have long-standing repercussions.