Cyren CSO Lior Kohavi on improving Security Awareness Training
"One way to improve the outcome of SAT is to minimise the passive training aspect..."
An organisation’s employees are seen as a major security gap by cyber criminals, and most attacks relentlessly target the workforce as a way of getting around defensive solutions. This most often comes in the form of phishing emails, writes Lior Kohavi, Chief Strategy Officer & EVP Advanced Solutions, Cyren, with criminals exploiting legitimate services to send large numbers of increasingly targeted malicious messages disguised as trusted contacts. A single click on a link in a seemingly genuine email is all it takes to trigger a serious security incident that could cost millions of pounds.
Phishing attacks are the most common form of cyber threat today, with 83% of businesses experiencing an attempt in the past year. Criminals love email for the same reason legitimate business people do – it’s a cheap and reliable means of reaching a large number of users with no prior contact.
Many businesses are attempting to counter this threat with user education and awareness training, but with so many successful attacks making the headlines, it’s clear the approach is not working.
Indeed, clumsily applied attempts to educate personnel can make things worse, alienating the workforce and making them feel like they have been painted as the problem, not the victim. To effectively fight the threat of malicious emails, employees need to be treated as trusted allies, not the cause of the crisis. An employee base that distrusts the system is an army of users that will seek to work around IT systems when the real phishing emails arrive – and they inevitably will.
So what is the best way to get employees onside as part of the solution?
SAT - the right approach for the wrong reasons
One of the most widely used approaches for boosting user awareness is to conduct Security Awareness Training (SAT) for email security. These training sessions generally cover key areas such as identifying the most common phishing techniques, processes for reporting suspicious emails and best practice for handling requests like payment transfers.
While such training can certainly make a difference in the workforce’s ability to spot phishing tricks, SAT is all too often delivered in an ad-hoc manner, rather than being provided regularly as part of a structured plan.
This may be a hasty reactive measure in response to a security incident. More often, SAT is simply seen as a quick box-ticking exercise to meet compliance demands, with decision makers more concerned about paying lip service to satisfy regulators than about the actual impact on their security posture.
Either way, this frequently results in businesses choosing the easiest and lowest cost option, rather than a more in-depth, bespoke approach that is more likely to address their unique needs. What’s more, the SAT course will likely deliver the bare minimum needed to meet compliance needs, rather than being the ongoing commitment needed to make a real impact on staff awareness. While employees will pick up some useful knowledge, regularly scheduled sessions are needed to really internalise a security mindset.
Casting personnel as part of the problem
Not only are these sporadic sessions less effective, but they tend to inadvertently position the workforce as the source of the issue. This leaves staff feeling as though they are being blamed and found at fault, and disgruntled employees are less likely to effectively engage with the training and take the information on board.
With a sense that the spotlight is on them, employees can end up feeling uneasy rather than encouraged. We also often see staff viewing SAT sessions as a test they must pass, concentrating on impressing their peers and managers rather than on the actual purpose of mitigating email security threats. This frequently leads to an increase in reported malicious emails, but with a high level of false positives that drain IT and security resources.
Instead, businesses need to look for more engaging strategies that will help employees to feel more constructive and useful when it comes to email threats.
Empowering the workforce with crowdsourcing
Security awareness training is often less effective because sessions frequently involve employees being bombarded with information without the chance to internalise it. Even with a regular schedule of training, much of the knowledge will be lost as staff get on with their busy working days, and bad habits will start to sneak back in. Likewise, when a SAT course includes simulated phishing attacks, the results might provide interesting statistics, but will do little to improve user awareness on their own. People will usually skim past the follow-up education section in seconds, as the spot tests feel like a waste of time. A more effective combination of user and machine intelligence is required.
One way to improve the outcome of SAT is to minimise the passive training aspect and augment activity with a crowdsourced approach to email security. This involves providing the workforce with the knowledge and tools to spot and stop malicious emails directly. Arming all staff with such a solution will enable them to do a quick sweep of their inbox at the push of a button, flagging any emails which have suspicious properties that could indicate a malicious imposter.
This puts the power in the users’ hands, enabling them to deal with the issue directly rather than waiting for the IT or security team to get back to them. Rather than treating each malicious email in isolation, a crowdsourced approach means reports from each user are collated. This collective intelligence can then be used for automated remediation, as well as informing both email security tools and decision makers charged with creating frameworks and strategies. Plus, this all takes the pressure off the Security Operations Centre (SOC) team, as they can spend less time chasing down and investigating phishing emails and concentrate on more high-value activity.
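As an added illustration of the collation step described above (example code, not Cyren's product or any code from the article), the sketch below groups individual user reports into campaigns, weights each report by the reporter's past accuracy so habitual over-reporters do not trigger fleet-wide action on their own, and turns the collective score into a remediation decision plus an indicator feed for the email gateway. All reporters, addresses, reliability values and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample data: one (reporter, sender, subject) tuple per user report.
REPORTS = [
    ("alice", "ceo@examp1e-corp.test", "Urgent wire transfer"),
    ("bob", "ceo@examp1e-corp.test", "URGENT: wire transfer"),
    ("carol", "ceo@examp1e-corp.test", "Urgent wire transfer!"),
    ("dave", "newsletter@vendor.test", "Your monthly statement"),
    ("alice", "hr@example-corp.test", "Benefits enrolment reminder"),
]

# Constructed per-reporter reliability: share of past reports confirmed malicious.
# Weighting by it dampens false positives without discarding anyone's report.
RELIABILITY = {"alice": 0.9, "bob": 0.6, "carol": 0.8, "dave": 0.2}

MIN_REPORTERS = 2   # never auto-remediate on a single opinion
MIN_SCORE = 1.5     # summed reliability weight needed for automated remediation

def fingerprint(sender: str, subject: str) -> tuple[str, str]:
    """Group near-identical lures: same sender, subject stripped of case and punctuation."""
    norm = "".join(ch for ch in subject.lower() if ch.isalnum() or ch == " ")
    return sender.lower(), " ".join(norm.split())

def collate(reports, reliability):
    """Aggregate per-user reports into a per-campaign score and a decision."""
    groups = defaultdict(lambda: {"reporters": set(), "score": 0.0})
    for reporter, sender, subject in reports:
        g = groups[fingerprint(sender, subject)]
        g["reporters"].add(reporter)
        g["score"] += reliability.get(reporter, 0.5)  # unknown reporter: neutral prior
    decisions = {}
    for key, g in groups.items():
        if len(g["reporters"]) >= MIN_REPORTERS and g["score"] >= MIN_SCORE:
            decisions[key] = "quarantine"      # pull the campaign from every mailbox
        elif g["score"] >= 0.75:
            decisions[key] = "analyst_triage"  # credible but uncorroborated
        else:
            decisions[key] = "hold"            # likely false positive; feed back to training
    return decisions

def blocklist_feed(decisions):
    """Sender addresses to hand to the gateway once the crowd has confirmed them."""
    return sorted({sender for (sender, _), d in decisions.items() if d == "quarantine"})

if __name__ == "__main__":
    result = collate(REPORTS, RELIABILITY)
    for key, decision in result.items():
        print(f"{decision:15} {key}")
    print("gateway feed:", blocklist_feed(result))
```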
This is also beneficial for employees themselves. It helps provide practical reinforcement for theoretical knowledge gained in training sessions, and it goes a long way to recasting employees as part of the solution, not the problem. All users know that they are making a valuable contribution to keeping the business safe.
Collaboration is key
As criminals continue to deploy malicious emails designed to slip past defences and exploit employees, implementing regular SAT sessions can help to mitigate the threat. Getting employees up to speed on common tactics improves the chances that users will identify and flag phishing attempts rather than blindly complying with a demand that appears to be coming from a senior executive.
Combining this training with a crowdsourced approach will underpin the improved awareness and keep it front of mind, rather than leaving it to be one more thing that fades away as workers concentrate on their job roles. Armed with the knowledge, and using it directly, employees can form a human firewall that provides an additional level of defence.
Further, this crowdsourced intelligence can be fed back into detection solutions, improving their ability to automatically identify and remediate malicious email, including those with the latest evasive tactics. This approach will have an immediate real-world impact, with users supporting real changes that actively thwart attacks, rather than putting them on the spot as the cause of the problem.