Chris Clements, VP of Solutions Architecture

October 18, 2024

Because of the frequency of phishing attacks landing in user mailboxes and the severity of the consequences of a user falling for a lure, any improvement at all can make the difference between an organization suffering a breach. 

Detrimental Best Practices

One of my biggest pet peeves is compulsory activities that not only don’t make a meaningful difference but can be actively harmful.  In education it can be rote memorization without learning concepts or context.  In sports, static stretching that for many years was considered a requirement for avoiding injury, actually lowers muscle strength and increases the risk of injury. In cybersecurity, our example could be a tabletop exercise that doesn’t actually game out how real breaches happen. Then everyone pats themselves on the back and goes home not actually having accomplished anything of substance.  Call it “cargo culting”, “zombie ideas”, or “detrimental best practices,” these activities range from annoying to actively counterproductive.   Lately though, it seems like some in the cybersecurity field are lumping security awareness training – especially phishing simulations – into this category. 

Expecting More from Your Chocolate Teapot

Common criticisms include that it’s like teaching people to swim by occasionally pushing them into a pool filled with rubber sharks. Sure, it might seem like a good idea at first, but it’s not without its issues. For starters, it can give folks a false sense of security, like thinking you’re ready for the Olympics after doing a few laps in your backyard pool. Then there’s the morale problem – nobody likes feeling like the office dunce when they fall for a fake email. It’s about as fun as realizing you’ve had spinach in your teeth all day after getting out of an important meeting. Yet another argument I’ve heard is that cybercriminals are more persistent than telemarketers during dinner time, and they only need to get lucky once. So, while training is great and all, expecting it to create an impenetrable human firewall is like expecting a chocolate teapot to hold hot water – it’s just not gonna happen.  And look, I get it.  It is true that nothing is perfect and done poorly, almost any type of training can be useless, but I object to the notion that the practice of phishing simulations fit into this category innately for one big reason: frequency.

Preparing for the Stooges

Cinema aficionados know that the best defense for the ole “double eye poke” gag is a flat hand sideways in front of your nose, but I doubt many of us get a lot of practice being ready to zip it in place for a timely block because, well, we don’t regularly have Moe Howard popping in from around the corner.  The problem is that with phishing, many users are going to run into not just run into Moe, but also Larry, Curly, and Shemp for good measure every single day.  Regardless of the business you are in, where you are located, how large your organization is, or what technology you use, phishing is very likely to be the number one attack technique directed at you.  Phishing unfortunately has a mix of ease and effectiveness that make for a compelling vector for threat actors.  Why spend the time and effort to buy or develop a new exploit when you can generate and send millions of phishing emails?  Sure, most are likely to get flagged by spam and email security systems, but sooner or later you can be confident that one will land in an unsuspecting user’s mailbox, and sooner or later you know you’ll fool a user into opening your malicious attachment or giving you sensitive data like their login information.  For most organizations, most of the time, the main initial vector for compromise is phishing and it’s not even close.  The numbers vary across different companies, but past Deloitte estimates imply that phishing is the initial access vector for a whopping 91% of cyber breaches. 

Buckle Up for Safety!

The only other analogy that I can think of where the main contributing factor that didn’t get taken seriously enough for a long time is seatbelts.  For years after their introduction, many people didn’t want to wear them citing issues with comfort, wrinkling clothes, or fears of being trapped in an accident.  While these complaints are real, the frequency of driving fatalities that could have been prevented by wearing a seatbelt properly was staggering, but at the same time, adherence to using them was low.  But then something interesting happened.  When the news would report on a traffic accident, they started adding in language about whether or not the car’s occupants were wearing seatbelts or not.  Over and over it seemed like anytime there was serious injury or worse, the common thread was that the vehicle’s occupants were not wearing seatbelts.  Combine that with other awareness campaigns and even compliance laws, and now it is rare to encounter situations when putting on the seatbelt isn’t an immediate step before traveling in a car.  No, seatbelts weren’t a complete panacea.  We still needed to make cars safer, and add additional safety features like airbags, but the simple step of encouraging passengers to “Click It” resulted in a staggering drop in serious outcomes from auto accidents. 

Cybercriminals Evolve Faster than Pokémon

Because of the frequency of phishing attacks landing in user mailboxes and the severity of the consequences of a user falling for a lure, any improvement at all can make the difference between an organization suffering a breach. 

Quality Matters: To get the most out of your training, it’s crucial to be thoughtful on how organizations approach awareness training…

Do:

• Mark external emails clearer than a neon sign in Vegas. “CAUTION: OUTSIDER ALERT!” – this version might be overkill, but you get the idea.
• Train employees on common scams. Think of it as “Scam Appreciation 101.”
• Test scenarios like fake password resets. It’s like a fire drill, but for your inbox.
• Ensure users understand how to verify anything they are unsure of, and know the “trusted paths” to safely get to the real people or websites they intend to interact with.
• Keep your training fresh. Cybercriminals evolve faster than Pokémon – stay ahead of the game!

Don’t:

• Turn training into a daily chore. Nobody wants security awareness with their morning coffee… every single day.
• Wait so long between training sessions that employees forget passwords are not supposed to be “password123.”
• Punish mistakes. We want a “see something, say something” culture, not a “hide under the desk and pretend it didn’t happen” one.
• Use real money or gifts as bait in your phishing tests. It’s like fishing with dynamite – effective, but ethically questionable and likely to leave a mess.

My team and I spend a lot of time with our clients coming up with the best ways to prepare their employees for the eventual real phishing email that will turn up in their inbox. We’ve had our greatest successes with organizations that treat their colleagues like adults who are part of the solution to keeping their workplace secure. By giving them regular exposure to convincing fraudulent emails, the right incentives to think before they click, and the occasional “neon sign” blaring at them, we have seen phishing test scores rise. No swimming test required.

About the Author

Chris Clements, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, CCNP, MCSE, Network+, A+, began working in the information security field in 2001, and has a wide range of experience with information security technologies including: 

• Firewalls
• Intrusion Protection Systems (IPS)
• Intrusion Detection Systems (IDS)
• Virtual Private Networking (VPN)
• Anti-Malware
• Strong Authentication
• Disk Encryption

Chris is also an expert in information security design, security compliance, and penetration testing (ethical hacking) techniques such as: 

•  Vulnerability Assessment 
• Man in the Middle Attacks 
• SQL Injection 
• Cross Site Scripting 
• Phishing 
• Secure Environment Breakouts 
• Privilege Escalation 
• Password Interception 
• Password Cracking 

He has worked to secure hundreds of customers across North America, from Fortune 500 companies with billions in revenue to small businesses with just a few users.  He has developed in-depth security auditing and penetration testing products and service offerings and engaging end-user security awareness programs.  Chris also enjoys teaching and has led courses on information security for hundreds of students.  With his unique skill set and background in both technical operations and business management, Chris has strengths in business management, sales, and product and service delivery. 

The post Is End-User Cybersecurity Training Useless? Spoiler Alert: It’s Not! appeared first on CISO Global.

*** This is a Security Bloggers Network syndicated blog from CISO Global authored by hmeyers. Read the original post at: https://www.ciso.inc/blog-posts/is-end-user-cybersecurity-training-useless-spoiler-alert-its-not/