Most security breaches start with a phishing attack. Over the past decade, attackers have changed their focus from the consumer market, and they have begun to target businesses successfully. Their tactics are incredibly sophisticated. The phishing emails are extremely realistic; they impersonate well-known brands or coworkers, email addresses are spoofed, the messages are hyper-personalized, and the emails use psychology (fear, curiosity, greed, etc.) to make people fall for them.
Advanced technical controls, such as Integrated Email Security Solutions (IESS), are necessary to block phishing emails and keep your organization safe from a possible breach, but security awareness training is complimentary. To maximize organizational resilience, security teams have started to adopt the idea of building a human firewall. Phishing training is one of the core ingredients for this to succeed.
An introduction to phishing training
As phishing has become incredibly sophisticated, one of the easiest ways to penetrate a company’s defenses is through the people. The human risk has risen to an immense level during the past years. A single click on the wrong link or attachment could result in severe consequences. As social engineer techniques are really good, people should know what to watch out for.
A phishing email is a bit like a trojan horse. The message may look innocent and realistic. It could promise a gift card (playing on people’s greed), but in the end, all you get is months and months of incident response to clean up the mess.
Most organizations are required to deploy security awareness training for compliance purposes. However, companies have started to realize that to mitigate email-based threats, they need phishing training that teaches people to identify possible phishing attacks.
Nevertheless, phishing training can be conducted in many different ways. That’s why there are discussions around the effectiveness, retention, and benefits of this training. We will explain the types of phishing training, who needs it, its effectiveness, and how to succeed with employee phishing awareness training.
Types of phishing in training
It’s still typical that phishing is handled as part of security awareness training. People hear about phishing in the training materials, but they are not trained through practical exercises. Those that want to train their workforces with a practical approach rely on phishing tests, manual in-house phishing training, and managed phishing training services.
One-off phishing tests are still prevalent. Typically, the tests are infrequent, exercised a few times a year, and all stakeholders receive the same phishing test email. The process is often confusing for the users as communication is not clear enough regarding what people are supposed to do when they spot the test. The lack of processes can have a negative effect on the metrics.
Manual in-house phishing training
For manual in-house phishing training, security teams often purchase popular phishing simulation services. With these tools, the team can use templates to develop phishing tests. This way, it’s easier to create a variety of content and send tests to a larger population, even breaking down the training into different user groups.
Nevertheless, if the organization wants to follow the latest social engineering trends and send relevant and personalized content frequently, this may not be the best option. Manually developing the simulations is also time-consuming.
Managed phishing training
Managed phishing training is especially suitable for an enterprise that wants to train thousands of users worldwide. The whole process is typically automated, and the security team does not need to take ownership over the training. The vendor creates the content and follows the latest attack trends to quickly react on actual topics; they adjust the training for the user groups and provide the frequency that’s needed to see tangible results.
Who needs phishing training? Which user groups should you train?
Attackers can target anyone from your organization. Broad-stroked phishing attacks are aimed at all employees, and highly targeted spear-phishing attacks reach specific individuals, such as C-level executives or people in the finance department.
Is phishing training really effective? Will it work for me?
That depends on how it’s done. In our experience, one-size-fits-all phishing tests or theoretical education won’t work.
When is phishing training ineffective?
– It’s theoretical and a small part of the compliance training.
– A one-off test won’t be effective. These are good for benchmarking where you stand in the beginning, but otherwise, they won’t educate your users.
– Quarterly training doesn’t work. The frequency is not enough to keep people on their toes.
– It’s the same content for all; it may start frustrating people. For some, the simulation may be too simple, while others may find it too challenging.
How can phishing training be effective?
– The training is practical. Ensure that the emails are realistic so that people get used to seeing attack simulations that could even be mixed with real attacks.
– The training is frequent so it leaves an impact.
– The training provides a variety of topics and techniques.
– The content matches the skills and knowledge of the individuals.
– The training focuses on teaching people to identify and report email threats.
Without training that focuses on behavior change, it’s challenging to get employees on board and increase their resilience. To achieve that, psychology is critical. Training needs to be engaging so that they participate, learn, and understand why it’s essential to stay alert.
If you are worried about the retention of phishing training, frequent, bite-sized simulations could work for you. When you exercise phishing training regularly, it will start building a habit.
How frequently should you train employees?
At Hoxhunt, we suggest 36–48 simulations a year per employee. While that may sound a lot, here is why we do that:
– Frequent training helps not only with recognizing real phishing emails but creating the habit of reporting them.
– People will get familiar with a variety of social engineering techniques and phishing email types.
– People will get simulations that follow the latest trends.
– When each simulation comes with microtraining, they can learn new tips on how to spot an attack.
How to succeed with phishing training?
For effectiveness and employee training retention, excellent communication is essential. Get help from your communication team on planning how to communicate about phishing training to your employees.
People need to understand the value and the process clearly so that they can commit.
Define your KPIs and measure success
Phishing training must be measurable. You need to set key performance indicators (KPIs) and closely follow your metrics to identify whether you’ve been succeeding.
Focus on behavior change instead of awareness
Don’t focus on awareness. Create a habit, and that will eventually result in awareness. People will care more about organizational security but also their personal security.
Make sure training is engaging
Training must be relevant and engaging for people. To succeed, you need people to commit and frequently participate in awareness training.
Make use of employee reported threats
When people learn to spot and report real threats, you will have a tremendous amount of data to use. This will also help you to kill attacks early in the kill chain.
Behavior-changing phishing training for building a human firewall
The necessity of phishing training may divide security professionals into two groups: the skeptics and those who understand the value of behavior-changing training.
Phishing training can be effective in reducing the risk related to people. With good training, you can build a robust human firewall that can support your organization’s resilience.