Why Security Awareness Does Not Work and What to Do Instead 

It is no secret that phishing has become a huge problem. The current Phishing and Email Fraud Statistics 2019 are:

  • The average financial cost of a data breach is $3.86m (IBM)
  • Phishing accounts for 90% of data breaches
  • 15% of people successfully phished will be targeted at least one more time within the year
  • BEC scams accounted for over $12 billion in losses
  • Phishing attempts have grown 65% in the last year
  • Around 1.5m new phishing sites are created each month (Webroot)
  • 76% of businesses reported being a victim of a phishing attack in the last year
  • 30% of phishing messages get opened by targeted users (Verizon)

It is not difficult to understand why phishing has become the favourite attack vector of both novice and professional cybercriminals. No matter what their motives or what enterprise they target, it is almost always easier to trick an employee than it is to penetrate perimeter defences.

Not only that, conducting a phishing campaign requires almost no technical skill whatsoever, meaning that criminals are free to purchase malware from more advanced people and use it as the payload for as many phishing campaigns as they desire.

Unfortunately, while phishing may boast low barriers to entry for potential cybercriminals, it proves to be a significant headache for security professionals.

Why Technical Controls Are Not Enough

Modern spam filters are excellent pieces of technology, blocking roughly 95% of spam emails. The problem, naturally, is that pesky remaining 5%.

Of course, spam filters are not the only technical controls employed by an average enterprise. In theory, a combination of patch management, antimalware products and white lists would block phishing sites and prevent malware from gaining a foothold. Unfortunately, what works in theory does not always transition well to the real world.

Since most malware takes advantage of known vulnerabilities, perfect patch management should nullify the impact of most attacks. Sadly, once an enterprise grows beyond a few devices and, particularly, once it spreads across multiple sites, perfect patch management is no longer easy. There will always be legacy systems, old devices or compatibility issues that cannot be remediated so simply.

Notwithstanding, the best antimalware product in the world will never be prepared for a zero-day threat. Even if it could be, the very nature of email as a delivery system enables malware to cause significant damage without exceeding the privileges of an infected user.

A ransomware Trojan, for example, can cause tremendous damage, particularly if a highly privileged user is tricked into running it.

Pure phishing emails pose a different threat altogether. Typically targeting login credentials rather than attempting an infection, phishing emails often link to malicious websites designed to look and feel legitimate. Known phishing sites can be blocked, of course, but keeping up with the sheer rate at which new sites are set up is functionally impossible.

Even low-level threat actors can set up phishing sites extremely quickly using so-called “phish kits,” which are often distributed freely via social media. Even worse, when PhishLabs analysed more than 29,000 phish kits, it discovered that more than a third employed antidetection techniques, making the task of blocking sites substantially more difficult.

In the end, security-conscious enterprises must face the fact that technical controls are never totally effective.

As a result, users at every organisation are constantly at risk of being exposed to phishing emails of varying complexity.

“Patching” the Human Vulnerability

No other topic in the security world is as hotly debated as security awareness training.

Some experts argue that training users is usually a waste of money, especially if the user isn’t interested or believes that its the IT departments responsibility.

Other experts argue that since technical controls are never perfect and threat actors consistently target people via technology, user training is an essential part of any powerful security program.

There are, of course, persuasive arguments on both sides of the debate. It is important to remember that, in an ideal world, technical controls should be enough to ensure security, but this world is far from ideal. No combination of security products will ever prove 100% effective and, even if it could, it is highly unlikely that any security budget would stretch to procuring it. The only choice, then, is to attempt to patch the human vulnerability.

Training users, however, does not function the way a software patch would. Modern phishing emails often use varied and sophisticated social engineering tactics to hoodwink unsuspecting users, but there is no pre-packaged product that perfectly resolves human vulnerabilities or even a list of which vulnerabilities exist.

Instead, security-conscious organisations must work to install and maintain a culture that promotes security as a collective responsibility rather than an “IT problem.”

Forget Security Awareness Training

There is one thing that all security experts should be able to agree on is that most security awareness training programs are utterly worthless.

Users are dragged from their desks once a year to sit in a stuffy room while a terrified help desk employee tries to explain why “fluffy1” is not a secure password.

Or, even better, users are told to complete a five-minute online training package and perhaps answer a couple of multiple-choice questions at the end.

Clearly, this approach to patching the human vulnerability is not effective.

The problem, though, runs even deeper.

Think about the term “security awareness training.” Almost everything about it is wrong.

For a start, a typical user will almost always consider security to be an IT function and not something for them to worry about. For the most part, this is true, as no normal user will ever need to understand or get involved with the vast majority of security activities.

Second, what good is awareness? Security is an activity, not a concept, and simply understanding something is not the same as doing it.

There is, ultimately, a huge difference between understanding that not all email is legitimate and being able to identify potential phishing scams. Rather than working to improve awareness, what is really needed is a change in security behaviours.

Finally, the word “training” must be taken more literally. In every other walk of life, training comprises a consistent and ongoing cycle of education and practice, where a built-in feedback loop informs necessary adjustments.

If the human vulnerability is to be patched effectively, this approach needs to be adopted by security training providers.

If the security world is going to start taking user training seriously, a radical shift in perspective is needed. Training programs must focus on only those aspects of security that are relevant to the average user and where a change in security behaviours will directly enhance the enterprise’s security.

Creating a Culture of Security

Of course, creating a culture that promotes security requires energy, careful planning and investment, not to mention a mechanism for tracking improvement.

Given that, beyond simple negligence, malicious email poses by far the most significant threat to the average user, anti-phishing training should take a central role.

So if behavioural change rather than awareness is the goal, how should anti-phishing training be approached?

The first step is simple, and yet regularly overlooked: Obtain executive buy-in.

The thing about behavioural change is that it is not an overnight fix. There is no one-off course, incentive or punishment that can reliably change behaviours in the long term.

As a result, a long-term project, including the investment and resources that go along with it, should be the expectation. For any project to be a success, executive buy-in is essential.

There is a problem with obtaining executive buy-in, of course. Senior executives traditionally do not have a strong understanding of security and may not understand the need for investment in a long-term behavioural change program. If that is true, a strong business case will be required to demonstrate the benefits of such a program. In particular, pains should be taken to highlight the substantial savings associated with a well-structured and well-funded program, which far outweigh the cost of investment.

Over time, once the program is in place, evidencing its continued need through fewer security incidents and lower overall costs will be a simple matter. Such a program’s costs, including tools and personnel, are a fraction of what organisations spend to acquire the latest security technologies (which attackers can then evade by phishing users).

So how can security behaviours be improved? Simple: Regular simulated phishing campaigns should be used to gauge current levels of phishing susceptibility and inform targeted training interventions.

For obvious reasons, this type of initiative should start with a classroom or e-learning session to cover objectives and provide initial training.

After that, once per month (for example) users receive a simulated phishing email. If the email is deleted and reported to their enterprise’s designated phishing team, they are considered to have passed the exercise. If they are persuaded to click a malicious link or otherwise follow the instruction of the simulated phish, they have failed.

As soon as users react to a simulated phish, they are either congratulated or directed to online training relevant to that specific campaign. If the email in question was designed to capture login credentials, for instance, the follow-up training will help users identify this type of phish in the future.

This part is critical. For behavioural change to be achieved, immediate gratification or correction is needed. Not only does this method enable training to be focused on only the users who fail, it also incorporates the most important element in any skill-building program: deliberate practice. For this to be possible, two components are required:

  1. A “Report Phish” button, made directly available within users’ email client
  2. An automated response, designed to congratulate success and provide further guidance in the event of failure

If either of these components is missing, the program’s impact will be substantially lessened.

Beyond this immediate response, it is also vital that the program is not left to function in isolation.

Results, particularly if they are positive, should be discussed during monthly or quarterly meetings, ensuring the subject remains top of mind for users and establishing security as a priority.

Experience shows that, on average, an organisation implementing phishing simulations for the first time will see a phishing susceptibility rate of around 30 percent.

In practice, that means for every 10 phishing emails that make it past the enterprise’s spam filter, three successfully trick users into (for example) following a malicious link.

An example of a typical enterprise with 5,000 employees, where 4,015 malicious emails make it into user inboxes each year, that equates to more than 1,200 serious security incidents annually.

By systematically exposing users to phishing emails of increasing complexity and differing types and delivering relevant multimedia training to users who react in an undesirable way (e.g., clicking links), phishing susceptibility rates can be dramatically reduced.

Again, experience shows that any enterprise can bring its phishing susceptibility rate down to around 5 percent and, in some cases, as low as 1 to 2 percent. Now, instead of 1,200 security incidents each year, it can expect to see somewhere between 40 and 200. Clearly, this improvement facilitates a substantial reduction in incident response costs, not to mention dramatically reducing the chances of a data breach.

The Finer Points of Phishing

In principle, building a security culture based on consistent training and testing seems a simple thing. There are, however, two details that differentiate a truly powerful security training program from one that is mediocre.

When users receive a suspected phishing email, they typically have two choices: Delete it or comply with it. A truly security-conscious culture, though, would provide users with a third choice: reporting the email to a designated response team.

The simple truth is that reported phishing emails are exponentially more valuable than ignored or deleted phishing emails. They serve as an early warning mechanism and provide an opportunity to quarantine similar emails before other users are exposed. They can also be analysed to inform improvements to technical security controls.

Finally, they can be modelled and used to produce realistic ammunition for future simulated phishing campaigns.

Of course, there must be an easy and instantaneous reporting process in place. Most users, no matter how engaged, will not have time to pick up the phone every time they see a suspected phishing email. They will, however, have a few seconds to click on a “Report Phish” button in their email client.

The second detail, which has already been touched upon, is that simulated phishing campaigns must be based on real, recent phishing samples. The whole purpose of a simulated phishing campaign is to test and train users on their ability to identify phishing emails in the real world. However, it is amazing how often these campaigns use outdated phishing techniques that bear no resemblance to those used by modern phishers.

Professional phishers use a wide range of tactics, including holiday-themed scams and seemingly legitimate spoofed email addresses, to maximise their chances of success. Unless a simulated campaign can imitate these techniques effectively, it is unlikely to provide real-world benefits.

While products to prevent phishing attacks exist, a product is not the same as a program. The two details mentioned previously are not accomplished through commercial solutions. Organisations train users but put little focus on reporting threats.

When threats are reported, organisations may not analyse them. And products may craft unrealistic phishing simulations based on news headlines or generic scenarios instead of basing them on real samples.

Building habits

To truly master any skill, a lot of deliberate practice is needed. Building and maintaining a culture of security is no different.

Reducing phishing susceptibility from 30 percent to below 5 percent is achievable for any organisation, but it is not an overnight fix.

Even once the desired rate is achieved, employee churn rates and the inevitable decline of unpractised skills mean that a continued effort is required to maintain it.

This approach, then, must be considered a continual investment in security excellence. Certainly, the reduction in spending on incident response and data breach costs will hugely outweigh the cost of investment, but it must not be considered a one-off patch for human vulnerability.

Instead, the cost of building a culture of security should be considered as necessary as the cost of employee keycards or any other direct cost of employment. Any single user has the potential to enable a massive data breach, and with breach fines reaching new heights every year, enterprises of all sizes have little choice but to take this risk seriously.

Only by investing in employees, rather than attempting to take them out of the equation, can a security-conscious enterprise flourish in the coming years.


Popular Posts