Lured in by the title of this post? Don't worry; it's not a bait and switch. Because even though I fully appreciate the value of simulated phishing attacks, I also recognize that overreliance on these types of tools can sink a security awareness and training program.
How, you ask? Consider these points:
- Today's non-clicker can easily be tomorrow's patient zero.
- Simulated attacks are assessment tools, not education tools.
- Phishing-only programs are destined to plateau.
Let's dive below the surface, shall we?
Chance vs. Choice
When you send out a blind phishing assessment -- i.e., before you do any type of training -- it's dangerous to assume that non-clickers avoided engagement with the message by choice rather than by chance.
In truth, there could be any number of reasons why some employees evade a mock attack; in addition to recognizing the threat, users might not open an email because they are too busy to notice the message, they are out of the office, someone else tells them not to click, etc. As such, a message that missed the mark at first could hit home at a later date.
In a similar vein, the subject matter of one phishing email might not resonate enough to prompt engagement from some recipients. This means that a non-clicker on Monday could become a clicker on Tuesday if a more tempting message hits his inbox.
Phishing emails have many different kinds of lures and snares; social engineers are persistent, and they vary their messages in order to give themselves the best chance at mounting a successful attack. If users have not been educated about the variety of attack modes that could land in their inboxes, you can't reasonably assume that a non-click is a victory.
Assessments vs. Education
Mock phishing emails, in and of themselves, are assessment tools, not education tools. They give organizations the ability to establish a click/no click rate. It boils down to this: Did Employee X take the bait or not? This type of exercise gives a snapshot of vulnerability at that point in time and helps establish a baseline measurement of susceptibility. Valuable, yes. Educational, no.
"But training is built into my simulated attacks!" you say. "Anyone who clicks gets a video/presentation and a quiz!"
If so, that's better than mock attacks alone. But it's not as effective as it could be. Here's why:
- The only people who receive training are those who click on the mock phish. Those who don't click remain blissfully unaware of the best practices you wish to communicate (which brings the chance/choice discussion back into play).
- Videos and presentations by their very nature are not interactive; watchers can easily tune out if they don't have to engage with the content.
- Training that launches immediately following an incident can be counter-productive because, in the wake of a mistake, an end user is likely to be flustered, embarrassed, and/or angry (i.e., not receptive to learning anything). Don't get me wrong: Teachable moments are terrific and they absolutely should be taken advantage of. But in that moment, the most effective approach is a "kinder, gentler" -- and relatively brief -- explanation of what happened and why, followed later by focused, interactive education about phishing threats.
Plateau vs. Progress
So, what happens to results when simulated attacks are the primary component of your security awareness and training program? You're likely to see gradual slowing -- and then halting -- of progress. As Mike Bailey of Wombat Security Technologies explains:
When businesses take the phishing-only approach or don't have effective training, they experience a phenomenon known as the "Phishing Plateau." During the course of their security awareness program, the decrease in open and click rates stops, and the program flatlines. We've seen this happen with our customers who are only using simulated phishing attacks.
In line with the aforementioned discussion about assessments vs. education, he goes on to say the following:
Why does [the plateau] happen? Because phishing end users is not the same as educating them. If you send an unsuspecting end user a phishing email, they click on it, and are redirected to a landing page or pop-up message, the usual reaction is embarrassment. They might be less likely to click on what they think is a phishing email in the future, but they still don't know and can't prove why a message is a phishing email.
Bailey suggests that the best option for breaking through the plateau is to incorporate interactive training that users can engage with as they have the bandwidth rather than at the time of failure. "Nobody likes to be interrupted in the middle of a big project or with a deadline looming," he notes. If you follow simulated attacks with immediate training, you run the danger of users tuning out.
"It's much easier to give users a designated window of time and reminder emails to complete training," Bailey says. "That way, they're ready and better prepared, making them more likely to learn and retain the information from the lesson."
The Bottom Line: Cast a Wider Net
If you want truly effective security awareness training, toss aside the one-and-done approaches. No one tool will give you the best results, and no once-a-year presentation or video will spur year-round application of security best practices. Another point to consider? Phishing is just one of many threats lurking in the depths of cyberspace. If that's your only focus, you're addressing only part of the problem.
As you consider your options for cyber security education, aim for continual progress and lasting behavior change. That will come from educated employees who actively participate in risk reduction rather than those who get by on guesswork and luck.