We train our employees every year, so why do they still fall for phishing scams? Is a zero-click rate on phishing simulations a realistic goal? If employees are going to click on a phishing link anyways is training even necessary?
Our latest Wizer panel explored what can be done to reduce the risk of phishing attacks from different perspectives from IronVest's Michael Snape, Dolus Advisors Dr. Alexander Stein, Associate Director of Information Security Amy Dearwester and Wizer's own Gabriel Friedlander. These experts represent the people, process, and technology to provide some great insights into phishing attacks and prevention.
Phishing Awareness Training In The Time Of DeepFakes
Deep fakes are no longer the future but a very real and growing reality as technology quickly becomes more believable and accessible to the everyday online criminal. How do we equip end users to protect against a perfectly composed email or a phone call that sounded like the CEO? How does the rise of AI and deep fakes impact how we train our employees?
Michael Snape, Product Lead for Email Security at IronVest, commented that "it's incumbent upon us to empower employees or colleagues in whatever way that is going to be most effective. Often, that isn't just one-way [communication]. We’re seeing a multi-layered approach is best with education, awareness, and training but with a technological aspect to that as well. The threats are not going to stop at deep fakes, you know. Tomorrow there's going to be something else that's going to be tripping us up and as the good guys, we have to be ahead of these kinds of attacks."
Dr. Stein added his perspective as an expert in human decision-making and behavior that "There are very few defenses against really effective deception. Fraud is perhaps the world's oldest profession. So to Michael's point, empowering everyone and certainly not blaming them for falling prey to effective deception is important....Cybersecurity is a human issue that involves technology, not a technology problem that is solved technocratically."
How Does Culture Prevent Effective Deception?
How a company handles reporting and incidents plays a critical role in how comfortable employees are to report suspicious messages or admit unintentional incidents. Amy Dearwester, Associate Director in Information Security in the Financial Sector, stressed the security team's role in providing essentially a good customer experience to end users as those interactions can make or break the collaborative effort required for effective and timely reporting and incident response and a general increase in positive security awareness mindset.
In relation to security culture, she observed also the necessity of security being prioritized from leadership down throughout the organization. "If you don't have it, you're not going to get those behaviors that you want. As far as culture goes, that's the thing we need to focus on - what behaviors do we want our people to have, and how do we enable that?"
When a supportive and positive experience between the security team/IT department and the rest of the organization is not fostered then unintended effects can rise up that hinder security. Such was the case in Amy's example of employees being penalized for clicking on phishing links or not reporting concerns - users simply decided to spam the IT team with any and all email regardless of the legitimacy of a potential phish.
How Can Technology Empower Employees Beyond Simply Protecting Them?
With the meteoric rise of ChatGPT and other AI tools available, phishing attacks will only become more sophisticated via the inbox as well. While regular email gateways provide a layer of protection employees are unaware of, Michael provided insights on one way technology can do more in the realm of working together with the end user. "There's no one solution - you can't just rely on technology, you can't just rely on the human aspect, either. Solutions that bring the human and the technology together are the ones that are most effective in protecting the organization."
As we know more sophisticated phishing attacks fly under the radar of typical email gateways but utilizing tools that alert the user in real-time with additional information about why an email might be suspicious enables the human and tech elements to work together. Regardless of the tool implemented there also incorporates the security culture that can strengthen an employee's mindset toward better security decisions. Michael added "As company leadership wanting to emphasize culture, [consider] what tools are we giving our employees, how are we presenting this? Are we presenting this as something that we are giving to protect you? ...It's just going to get more and more difficult for employees. So, having those layers - having a technological layer in there - that's just absolutely critical."
What Skills Are Missing in the Cybersecurity Team DNA?
Traditionally, most members of the security team come from a very technical background. However, as the overall approach to security becomes more holistic to include more emphasis on the human element including the psychology behind user behavior, a diversified skill set is a necessity to drive culture and behavior change. Dr. Stein noted that it is important to continue to build out awareness within the security domain itself. To add to that, incorporating a security approach that integrates both technology - to allow for guard rails for human interaction - and behavioral experts to assess and address the actual human actions that subvert the technological guard rails requires a multi-disciplinary team by design.
"Understanding the all too crucial human element in the security realm means that the decision makers - of policies, procedures, designs, technology, every aspect - need to know about other things besides what they're expert. There should be partnerships in-house or brought in externally as the case may be, to make everything much more robust. Otherwise, it is a form of unwitting technical debt."
There is no one-size-fits-all approach to what a multi-disciplinary team looks like as each organization has a range of goals, needs, challenges, and existing skill sets, however, Dr. Stein encourages businesses to incorporate some element of expertise that can focus and evaluate the human aspect to help security teams better understand what they're trying to solve for and how to include human design into the end result; to provide "an understanding of the human component, and not just human user interaction."
Be able to design systems that account for normalcy, not an ideal version of human behavior. - Dr. Alexander Stein
Affect Change Through the Home
It's not news to security teams that attackers will target an employee's personal device as a stepping stone to getting into the company systems, but how do we affect change for employees to secure their personal life as well?
Amy is passionate about this approach and focuses a lot of effort and resources on making security personal.
“If you develop good security hygiene in your personal life, you’re going to bring those habits to work...The family is a big soft spot for people, right? So, if I tell them, 'Hey, here's training on how you can keep your kids safe at home, more people are going to watch that, right? Because [they think], 'I need to know that information to keep my family safe', so I like to give people that."
Michael actually suggested an opposite viewpoint, "...at work, if we can encourage employees to learn and to act in the right way to create the right habits, they will then take those home. So what I love about tools like Inbox Guard is that it's in the user's face. It's something that they see, it's something that they interact with, and it certainly changes their behavior over time. Compare that to some behind-the-scenes tools, like a secure e-mail gateway, where the user doesn't even know that they're being protected. So I think we've got a very important role to play in the workplace to educate, encourage the right behaviors, and get in front of our users. They then take those back into the house and help protect themselves and their family."
"Post-pandemic, the answer to what’s the difference between work and home is harder to delineate but in any case, there really is no true difference…people are people", Dr. Stein commented. "You may have a social persona that is part of your professional self but you are still who you are. ..the fact that organizations are still working to make this point means there is still a ways to go to get people to understand what they’re doing at work and what they’re doing at home are really no different."
Security As A Benefit, Not a Chore
It doesn’t make sense that we view security awareness as a chore or compliance checkbox. According to Gaby, we're not presenting it accurately - that security (and awareness training) is a benefit. "Companies and vendors have an opportunity to make security a benefit and not a chore. It’s a huge opportunity because we can impact people’s lives. Give every employee the tools, in my opinion, to go home and become an ambassador of security awareness and make this a basic life skill for their kids, their parents, for themselves, their spouse, because it is a benefit."
"...It doesn’t matter if you drive to work or vacation, we want to be safe regardless, it doesn’t matter where the destination is. Security culture starts at home but companies have the opportunity to make a huge impact in their employees' lives, they just need to change their mindset about approaching [security awareness]."
Are KPIs A False Positive?
While it's important to have clear goals and established KPIs to help measure success, measuring a healthy or improving security awareness program and/or culture can be a bit difficult to quantify with straightforward data.
Naturally, tools will have reporting available to begin to fill in the data for measuring success. From the technology side, Michael notes, "We see it every day...hundreds of attacks that we stopped, that our technology stopped, and there's nothing more rewarding than that. And that's something that you can take your board and say, look at this, this is the consequences. This is the ROI right there.... just having these kinds of conversations is super important as well; raising that awareness, making sure that we all know what we're facing - the breadth of the problem - but also where the solution lies. All of that is super, super important."
Gaby observed many times security teams focus too much on phishing clicks or reporting as their guiding light or they're attempting to achieve an unrealistic KPI such as 0 click-through rates or similar. The reality is, many factors can affect these types of KPIs different levels of stress at any given time, different personality traits and vulnerabilities, what's happening within the company, even the type of phishing simulation template used, etc. Instead, he offered the value of measuring the number of request tickets or individuals proactively approaching the security team for assistance, "When there is security culture in the company, you would probably want to see more people coming to you from the get-go when starting projects [instead of an after-thought]. Count the amount of tickets, or the amount of cases or the amount of help people who are coming to the security team, and requesting for help."
Amy emphasized the importance of first identifying what behaviors you want to happen - with direction coming from the Board - and laying out steps on how you're going to impact those behaviors. It can be as basic as starting with phishing simulations and tracking the data there but as the program matures, more robust and less easily quantifiable metrics will begin to enhance the end goal.
Dr. Stein added, "Success in this space is often defined as "nothing happened"; and 'nothing' is difficult to measure tangibly as 'something'. [That's why it's important that] not just the board but to everyone involved to really be stakeholders and help them to understand what they can do instead of relying on [technology alone] so they know that 'creating nothing' is a big 'something' that they contributed to."
Resources From Our Panel
Connect with Amy Dearwester on LinkedIn and hear more of her insights from another Wizer interview, Undermining Security Awareness - Interview with Amy Dearwester
The Brief - A curated digest of thought-leadership and analysis connected to Dolus Advisors’ work focusing on leadership, decision-making, and organizational issues involving complex psychological underpinnings.
- Free Security Awareness Videos
- Progress Reports and Certificates