For as long as the field has been in existence, cybersecurity pros have looked for ways to remove the human element from the security equation — to create a tool, architecture, or solution capable of warding off any and every phishing email before it ever reaches the end-user’s inbox.
And while we have made major strides towards that goal, no email security product can claim a 100% success rate. Even the most advanced, AI-driven enterprise email security products report catch rates on the order of 99.998%, which is very good but still not 100%.
While that is obviously a phenomenal track record, it is important to keep two points in mind: phishing is a numbers game, and it takes only one successful attack to cause serious damage to an organization.
The average enterprise today is targeted by hundreds of phishing emails per day, which adds up to hundreds of thousands of attempts per year. At that volume, even a very high block rate still leaves a residue: an organization at the low end of the spectrum can see more than 200 phishing emails a year make it past its filters. That is 200 instances a year in which the only thing standing between the organization and a potentially devastating breach is a single employee and their ability to recognize a malicious email. And with the rise of generative AI, phishing attacks are quickly becoming both more convincing and more numerous.
With all this in mind, it is hard to question the utility of security awareness training. It is not merely useful; it is essential. Phishing training for employees has become instrumental in creating a security-conscious workforce, reducing the risk of successful phishing attacks, and fostering a resilient organizational culture that can respond effectively to evolving threats.
Pros and cons of phishing simulation programs
While there are certainly some cons worth noting, they are far outweighed by the benefits these programs offer, and many of them can be overcome through policy changes and programs designed with them in mind. Nevertheless, let's start with the potential drawbacks:
Cons:
Pros:
The proper cadence
There is no magic number here, but the more phishing tests an organization runs, the more opportunities employees get to recognize the signs and patterns of these attacks. Companies should run phishing simulations every other week or once a month: often enough that the training stays fresh, and often enough that the resulting data on who is most susceptible is statistically meaningful rather than a one-off snapshot.
For the best results, we recommend combining security awareness training with phishing simulation testing. For example, when someone fails a phishing simulation test (PST), the company can immediately send them a short follow-up video on how to spot that kind of attack, while the failure is still fresh. PST keeps employees current on the latest attack techniques and teaches them how to spot and report phishing effectively. So, while training videos are useful as supplemental tools, never treat them as a replacement for hands-on phishing simulations.
Set measurable KPIs and live by them
When it comes to assessing the effectiveness of any security training and testing program, it is important to identify the key performance indicators (KPIs) that matter. Without them, neither the team's performance nor the training program's effectiveness can be measured.
A common instinct is to drive the team's click rate as close to zero as possible. At first blush, this makes sense: the fewer people who click, the fewer have fallen for the simulation. However, the goal should not be only to minimize click rates but also to maximize reporting rates. Why? Because reporting is what turns an individual employee's suspicion into a signal the security team can act on: a single report lets the team pull the same message from every other inbox it reached, feed the sample back into the email security system, and measure how quickly the workforce raises the alarm. A click rate of zero with no reports tells you very little; a low click rate with a high report rate tells you the organization is actually defending itself.
Also, for organizations looking to make their training more enjoyable, there are many easy ways to introduce gamification to a phishing training program. For example, establish leaderboards (by individual employee and/or by team) and offer prizes for the highest performers each quarter.
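To make the KPIs above concrete, here is an added example (not code from the original article or from IRONSCALES) that computes click rate, report rate, the "reported without clicking" rate, and time-to-report from a phishing simulation campaign, builds the per-team leaderboard suggested above, and lists the users who clicked but never reported, which is the population the follow-up training in the cadence section should target. The campaign events are constructed sample data; in practice they would come from the simulation platform's export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimulationEvent:
    """One recipient's outcome in a phishing simulation campaign."""
    user: str
    team: str
    delivered_at: datetime
    clicked_at: Optional[datetime] = None   # None if the user never clicked the lure
    reported_at: Optional[datetime] = None  # None if the user never reported it


# Constructed sample campaign: eight recipients across two teams (hypothetical data).
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    SimulationEvent("alice", "finance", T0, clicked_at=T0 + timedelta(minutes=3)),
    SimulationEvent("bob", "finance", T0, reported_at=T0 + timedelta(minutes=5)),
    # carol clicked, then reported: still counts as a report, which is the behaviour we want
    SimulationEvent("carol", "finance", T0, clicked_at=T0 + timedelta(minutes=2),
                    reported_at=T0 + timedelta(minutes=4)),
    SimulationEvent("dave", "finance", T0),
    SimulationEvent("erin", "engineering", T0, reported_at=T0 + timedelta(minutes=1)),
    SimulationEvent("frank", "engineering", T0, reported_at=T0 + timedelta(minutes=12)),
    SimulationEvent("grace", "engineering", T0),
    SimulationEvent("heidi", "engineering", T0, clicked_at=T0 + timedelta(minutes=20)),
]


def campaign_kpis(events):
    """Click rate, report rate and time-to-report for one campaign (rates are fractions of recipients)."""
    n = len(events)
    clicked = sum(1 for e in events if e.clicked_at)
    reported = sum(1 for e in events if e.reported_at)
    reported_without_click = sum(1 for e in events if e.reported_at and not e.clicked_at)
    # Minutes from delivery to report, sorted so the first report is index 0.
    report_delays = sorted(
        (e.reported_at - e.delivered_at).total_seconds() / 60 for e in events if e.reported_at
    )
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "report_without_click_rate": reported_without_click / n,
        # Time to first report matters operationally: it is how long the real
        # phish would have sat in inboxes before the security team could act.
        "time_to_first_report_min": report_delays[0] if report_delays else None,
        "median_time_to_report_min": median(report_delays) if report_delays else None,
    }


def team_leaderboard(events):
    """Rank teams by report rate minus click rate, so reporting is rewarded, not just not clicking."""
    by_team = {}
    for e in events:
        by_team.setdefault(e.team, []).append(e)
    rows = []
    for team, team_events in by_team.items():
        k = campaign_kpis(team_events)
        rows.append({"team": team, "score": round(k["report_rate"] - k["click_rate"], 3), **k})
    rows.sort(key=lambda r: (-r["score"], r["team"]))
    return rows


def needs_followup(events):
    """Users who clicked and never reported: candidates for immediate follow-up training."""
    return sorted(e.user for e in events if e.clicked_at and not e.reported_at)


if __name__ == "__main__":
    for key, value in campaign_kpis(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
    for row in team_leaderboard(SAMPLE_EVENTS):
        print(f"{row['team']}: score={row['score']} click={row['click_rate']:.2f} report={row['report_rate']:.2f}")
    print("follow-up training:", needs_followup(SAMPLE_EVENTS))
```

The leaderboard score deliberately subtracts click rate from report rate rather than ranking on click rate alone, so a team that clicks rarely but also never reports does not outrank a team whose members report quickly. The "reported without clicking" rate is the cleanest measure of recognition; the plain report rate (which includes users who clicked and then reported) is the measure that matters for containment.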
Security awareness training does work: it elevates an organization's security posture, strengthens its defenses, and helps it stay a step ahead of attackers. However, like any other companywide initiative, organizations have to approach it strategically, in a well-thought-out and measurable way.
Eyal Benishti, chief executive officer, IRONSCALES