Fri | Aug 18, 2017 | 8:00 AM PDT

When it comes to end-user phishing rates, are you “chasing zero”? If so, these efforts could be decidedly counterproductive — and here’s why.

Consider the ‘Why’ Behind Your Users’ Clicks

The average user generally falls for a phishing scam for one of three reasons (spoiler alert: “stupidity” isn’t one of them):

1. They lack awareness.

This, you may be thinking, is not possible. How can anyone not know what phishing is? It’s front-page news! There are studies and statistics! And I send lots of emails about this!

Not to burst your bubble…but most of your employees are far more interested in social media memes and Netflix than they are in cybersecurity news and reports. And it’s highly unlikely that they are thoroughly reading and understanding your emails (at least not all of them).

Wombat Security’s 2017 User Risk Report is a great example of the reality of employee awareness levels. An independent survey of 1,000 U.S. and 1,000 UK working adults revealed that 30% of respondents could not identify what phishing is in basic terms. While you may take solace in the 70% who answered the question correctly, it’s important to realize that 600 people out of 2,000 lacked fundamental awareness of the issue. And when you think about that in terms of a 2,000-person organization — and extrapolate the associated risks — it is sobering.

You cannot raise awareness by email alone. You must regularly communicate to your users in multiple ways and using language and materials that resonate with them. Otherwise, your warnings about phishing are likely to go in one ear and out the other.

2. They are aware but don’t know what to do about it.

Sure, it’s persnickety, but I favor the phrase “security awareness and training” over “security awareness training.” That preference is based on a simple reason: awareness and training are two separate things.

Alerting end users to the existence of a threat is not the same as teaching them how to recognize and react when they encounter that threat during their day-to-day business activities. You should absolutely fight the awareness battle and get your employees to recognize that phishing attacks are happening within your organization. But to win the war, you need to use anti-phishing testing and training tools to educate your employees to identify and avoid the different types of tactics attackers will use to lure them into clicking…and downloading…and submitting sensitive data.  

Ideally, employees need to have a sense of how their actions can impact data and network security, both in their work lives and their personal lives. Because social engineering is a many-faceted thing, ongoing education is key. After all, one phishing example is just that — one phishing example. Regular, varied security awareness and training is a critical piece of end-user risk management because it gives you the ability to explain the different kinds of threats that end users might face, and it allows your employees to practice applying their knowledge. This interactivity is essential to engagement and knowledge retention — and this approach makes a big difference in how your employees respond to training.

3. They’re human.

OK, I’m just going to say it: Making a 0% vulnerability rate your measure of success is unrealistic. That’s because you simply cannot eliminate the human factor. Humans are fallible. Humans make mistakes — all of us (including you). We know stoves are hot, but we occasionally still get burned. We are aware there can be risks associated with driving over the speed limit, and we know very well how to avoid those risks — but we regularly roll the dice, even though we know better.

This is not, however, a reason to throw up your hands and give up on the idea of security awareness and training. Before you turn your back on your users, consider this cybersecurity equation:

Educated Human > Aware Human > Unaware Human

Awareness gets your employees thinking about the way they act, and education gives them the knowledge they need to change the way they act. End users who are completely unaware are likely to click on anything and everything — and be none the wiser. Employees who are aware are a head above — but there is a ceiling to what awareness will do for true behavior change. In contrast, educated users make far better decisions, make far fewer mistakes, and are far more likely to alert you to questionable emails and potential attacks, allowing you and your infosec response team to become more proactive and less reactive. 

Shift Your Focus to Risk Management, Not Risk Elimination

When you couple the inevitability of human error with the sheer volume of attacks and the single-minded focus of cybercriminals, it is clear that cybersecurity risk is not going anywhere. The Q4 2016 Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) indicated that there was more phishing activity in 2016 than in any other year since 2004, when the APWG began monitoring these types of threats. (In looking at the historical data, 2016 showed a 65% increase in phishing attacks over 2015, and Q4 2016 saw a 5,753% increase compared to Q4 2004.)

But it’s not just about volume; actually, the bigger issue is the elevated quality of the phishing attacks organizations are facing, and the impact they are having on individuals and businesses. Cybercrime has clearly proven its value to attackers. For the first time, the latest Crime Survey for England and Wales (CSEW) tracked statistics about cybercrime for the full year of its survey period. Out of the 11.8 million identified incidents of crime — which included those affecting both individuals and businesses — 5.6 million were attributed to fraud and computer misuse, which nearly matched all other incidents combined.

I challenge you to think about security awareness and training the way you think about other cybersecurity protection tools. You don’t expect perfection from your spam filter, your antivirus software, or various other technical safeguards. Isn’t it time you allowed for imperfection from your end users as well, if only because of the value they bring to your organization? They are your biggest asset, and they shouldn’t simply be written off as a liability.

If end-user risk management is not currently part of your cybersecurity plan…there is no time like the present. An effective, ongoing security awareness and training program can offer a cost-efficient, results-driven way to quickly impact end-user risk levels and generate improvements over time.
