Fri | Jan 19, 2018 | 6:15 AM PST

When it comes to anti-phishing security awareness training, there are those out there who relish the idea of a frightened end user. On the surface, it’s hard to argue against that mindset. Data breaches, IP loss, and ransomware attacks are just a few of the Boogeymen that keep IT professionals up at night, and it’s tempting to channel that anxiety into a security awareness training program designed to scare employees straight.

Here’s the problem: Frightened users are bad for business.

It can be difficult for some IT staff members to clearly understand this point—as is reflected in some of the posts that float around popular InfoSec forums. I regularly see commenters happily noting that their organization’s program has “petrified” its end users, making employees afraid to interact with any emails they receive. All of these folks think this is a mark of program success. But I respectfully disagree.

Let’s be clear: a healthy sense of paranoia is absolutely a benefit when it comes to cybersecurity. But a program that creates a pervasive anxiety about email and other business-critical tools only serves to paralyze users—a negative impact that is felt within multiple organizational areas:

1. Internal and external communications

If your employees operate under the assumption that every message is a phishing email that is too dangerous to deal with, your anti-phishing training is not only failing them, it’s failing your business. Email is a crucial component of communications with coworkers and customers alike; petrified users disrupt the flow of activity, and that is not a win on any level. The key is to teach users to handle messages appropriately.

2. IT response teams

It’s critical that users be encouraged to report suspicious messages and reach out to your IT helpdesk or other technical personnel with questions and concerns. But not every time they receive a message. When users are conditioned to avoid any email that contains a link, attachment, or request for information, IT response teams become inundated—and responses to business-critical requests are needlessly delayed (see point 1).

3. Employee confidence

Is your message to users that they are “problem children”? That they are incapable of making good security decisions? Here’s the thing: If you believe your users cannot learn—and you make them feel they cannot learn—you put a limit on the success of your cybersecurity initiatives. An “IT vs. end users” mindset is counterproductive. Instead, try to put yourself in your users’ shoes and embrace the opportunity to change behavior and reduce risk. Employees in all roles, at all levels, in all industries frequently develop new skills and effectively apply them on a daily basis. The same is possible for cybersecurity best practices.

If you’ve been relying on scare tactics, it’s time to raise the expectations you have for security awareness training—and the capacity and capabilities of your end users. Help your employees gain the knowledge they need to make informed decisions. Like it or not, they are a huge factor in your organization’s overall cybersecurity posture. It’s to your benefit to empower and engage them rather than leave them cowering at their keyboards.

Looking for more about anti-phishing training? Register now for the January 31st SecureWorld webinar, “State of the Phish Report 2018: What Your Peers Are Doing to Reduce Successful Phishing Attacks.”
