Much of security awareness training is basic math when what is required is advanced calculus. You don’t have to be a high school pre-calculus teacher to guess that not everyone is equipped for that kind of challenge.
That’s why organizations need to rethink their strategy and investment when it comes to user training, particularly anti-phishing training. The notion behind substantial investment in user training comes, theoretically, from a good place: the more security awareness training employees have, the less chance they have of falling victim to an attack. The reality is that humans will never be as effective at stopping most attacks as technology is, and companies should calibrate their investments accordingly.
I’ll use myself as an example. As an industry executive, I’ve spent decades steeped in technology and information security. When I was serving as a CEO a few years ago, I received an email that appeared to come from my CFO with a link to click. It looked legitimate, and I probably would have more seriously considered clicking the link if the email hadn’t called me Robert rather than Rob, which set off an alarm bell. But what if I did more commonly go by Robert? Would I have clicked what turned out to be a malicious link? The fact that I couldn’t say for sure was unnerving and brought to mind that if even a security-savvy industry veteran like myself isn’t immune to potentially falling victim to a phishing attack, training all of a company’s typical users to detect such attacks all the time is overly optimistic.
While I believe in providing some user security awareness training on an ongoing basis, and am a big believer in supporting leading industry certifications, I have concluded that any program aiming to train users to accurately detect all phishing attacks will fail. This is especially true in an era when artificial intelligence has allowed cyber-criminals to increase the sophistication of their attacks. To the extent that awareness training is provided, it is better to delineate different types of training that might be better suited for different kinds of roles. We need to make training targeted to tasks we can realistically expect people to do, like two-factor authentication, but when we try to turn average users into our intrusion detection system, that’s asking for trouble.
We’re much better off leveraging technology for such cases. So, what works well to prevent phishing attacks? Most enterprises implement endpoint protection, including malware detection and prevention. Endpoint protection is a solid place to begin but should not be the totality of anti-phishing efforts. It can effectively be supplemented by email technologies that block potentially malicious messages or mark them as suspicious based on signals the user never sees, such as failed sender authentication, lookalike sender domains and links whose visible text does not match their destination (one drawback: there are occasionally false positives that block legitimate messages, so thresholds need tuning). Additionally, technologies such as web isolation, which runs the browsing session away from the user’s endpoint so that a malicious page never executes there, and app trust-listing – similar to traditional whitelisting but more robust and easier to manage – are worthwhile considerations. I recommend using an app trust-listing solution with multiple methods and certificate checks to determine if the code can be trusted.
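As an added example, not the author's code or any product's, the following Python sketch shows the kind of header and link checks a mail gateway can apply to the scenario described above, checks that no user can be expected to perform reliably on every message. The organization domain, the executive directory, and the three sample messages are constructed for illustration; `ORG_DOMAIN` and `EXECUTIVES` are assumptions standing in for an organization's own directory.

```python
"""Gateway-side phishing heuristics on message headers and links.

Added example, not the article's own code. ORG_DOMAIN, EXECUTIVES and the
three sample messages below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed: our own domain
EXECUTIVES = {"jane cfo": "jane.cfo@example.com"}   # assumed: display name -> real address


def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion in a
        elif len(a) < len(b):
            j += 1          # insertion in a
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def analyze(raw: str) -> list[str]:
    """Return the list of suspicious signals found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Authentication-Results stamped by our own MX (SPF/DKIM/DMARC).
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            reasons.append(f"{mech} result is {m.group(1)}")

    # 2. Sender domain is a one-character lookalike of our domain (examp1e.com).
    if one_edit_away(from_domain, ORG_DOMAIN):
        reasons.append(f"sender domain {from_domain} looks like {ORG_DOMAIN}")

    # 3. Display name belongs to an executive but the address does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' used with address {addr}")

    # 4. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 5. Anchor text shows one host while the href points at another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href_host, text in re.findall(
            r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)</a>', body, re.I):
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != href_host.lower():
            reasons.append(f"link shows {shown.group(1)} but points to {href_host}")
    return reasons


def verdict(raw: str) -> str:
    """Three or more signals: block. One or two: deliver but flag. None: deliver."""
    reasons = analyze(raw)
    if len(reasons) >= 3:
        return "block"
    return "flag" if reasons else "deliver"


# Constructed sample messages (not real traffic).
PHISH = """\
From: Jane CFO <jane.cfo@examp1e.com>
To: Rob <rob@example.com>
Reply-To: payments@mail-relay.net
Subject: Urgent wire approval
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/html

<p>Rob, please approve today: <a href="https://examp1e.com/approve">https://example.com/approve</a></p>
"""

LEGIT = """\
From: Jane CFO <jane.cfo@example.com>
To: Rob <rob@example.com>
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/html

<p>Rob, draft deck: <a href="https://example.com/q3">https://example.com/q3</a></p>
"""

# A legitimate vendor whose mail platform sets a different Reply-To: one signal only.
VENDOR = """\
From: Acme Billing <billing@acme-vendor.example>
To: rob@example.com
Reply-To: support@acme-helpdesk.example
Subject: Invoice 1042
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-vendor.example; dkim=pass header.d=acme-vendor.example; dmarc=pass header.from=acme-vendor.example
Content-Type: text/plain

Invoice attached; reply to this message with questions.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, verdict(raw), analyze(raw))
```

The threshold in `verdict` is where the false-positive trade-off mentioned above lives: the vendor message trips one signal (a Reply-To on a different domain, routine for mail platforms) and is flagged rather than blocked, while the impersonation attempt trips every check at once. In a real gateway the individual signals would be weighted and the directory lookup would come from the identity provider rather than a hard-coded map.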
As I mentioned during a session alongside my co-presenter, Jenai Marinkovic, last month at the RSA conference, we should steer clear of spending scarce dollars on things that don’t work. Although cybersecurity budgets are generally on the rise, according to data from the ISACA State of Cybersecurity 2022 report, budget dollars are still precious, especially at a time when companies need to ante up on the salary front to retain key performers in a fast-moving job market. That makes any inefficient use of funds for the security program especially problematic, and pouring resources into trying to teach users to thwart sophisticated cyber-threats qualifies as highly inefficient.
The bottom line: Don’t invest major budget dollars trying to train users to do something that technology does better.