January 25, 2024
Matt Cox is the director of internal systems and security at Mindsight. When it comes to security training for employees, he thinks most companies get it wrong by focusing on ineffective methods and largely meaningless data. We asked him to share some of his tips and insights.
Security training is about much more than sending out simulated phishing emails and counting clicks
Most companies attack security as a compliance issue or a KPI, so they push out training and send simulated phishing emails. I caution people to not use the click rate as the only indicator of how your training program is working. If you know your click rate for the simulated email went up this month versus last month, does that mean your employees got dumber? I don’t think so. Maybe it was the type of phish you sent or when you sent it. Maybe it was the call to action or who it was from. If you get an email that says it’s from your boss, you’re more likely to open that.
And often it’s only the people who click on the training links who get more training as well as admonishment by their managers. But looking only at the percentage of users who are clicking on phishing links is a reductionist view of security awareness training and misses the point. It’s also counterproductive in the long run. I’m not saying that we shouldn’t do security awareness training, by any means. A large number of breaches begin with phishing emails—even though companies continue to send out simulated phishing emails in an attempt to prevent breaches. So something’s not working, and I think it’s the mentality that training users will eliminate phishing as a threat. It won’t. And just telling employees, “Don’t click links,” isn’t going to work.
If all we’re doing is teaching them how to identify phishing emails, we’re doing the whole company a disservice. These are the people who are on the front line. And they’re not security professionals. They should be trained on multi-factor authentication, password hygiene, the risks of using public Wi-Fi, and social-engineering techniques. There’s a broad spectrum of security awareness training that benefits employees personally and, in turn, benefits the company. So it’s got to be much broader than it is.
Implementing broader security training
Implementing broader training requires you to use a training program that applies to all of your employees. One mistake organizations make is they send out phishing emails, and only the people who click the links are sent to training. But now you’re only training a subset of your users and doing the rest of your users a disservice by not offering them training. Another mistake is sending employees to an hour-long PowerPoint training seminar once a year. Do you remember anything you learned in a class a year ago? You’re wasting everybody’s time. And it costs money to run that program, so you’re ultimately getting very little net benefit.
People will remember the lessons in that class for maybe a week or two. After that, they’re going to go back to their old ways, because most people don’t think like security professionals. A lot of people get compromised after clicking on malicious phishing emails because they were distracted. I went to a seminar two years ago where an employee of a security awareness training company confessed that she fell for her own phishing email because she was climbing into a cab and reading her email at the same time. And that’s what criminals are taking advantage of. That’s why training has to be more in the moment. It’s got to be more directly relevant to people. And they have to be positively engaged with the content. Then, in the moment, they’re more likely to make a more security-aware decision.
Examples of engaging security training content
Some of the content that we put out at Mindsight consists of interactive games that give users positive reinforcement if they “spot the phish,” among other things. Some vendors offer a training leaderboard where they’ll show how many people have completed their training in a certain period of time. At Mindsight, I’ve divided it up into departments, and I send out that leaderboard information monthly showing who’s behind and who’s ahead. That inspires a bit of competition. And while I don’t think you want to gamify everything, you’ve got to find that content that works for your users.
But not all content is going to work the same. Some companies have a more formal culture, so you’re going to have to tailor your training to be more in line with that company culture. Every month, I’m looking for new content. And because we’re a midmarket company, we use the same training for everybody. A large organization will probably want to break it down and tailor the training so different departments—the C-suite, software developers, help desk people—get training that’s specific to the types of risks they’re most often exposed to. You also have to talk with key decision-makers about why this kind of training is so important. Why is 10 minutes of employee training time every month worthwhile when they could be doing something else that’s productive for the company? Ultimately, it goes back to the cost of a security breach.
Ignore clicks but track phish reports
The click rate is almost meaningless because I can craft the phishing emails to drive that click rate down. I can make it zero if I make the phishing emails so obvious that no one is fooled. I can also get it close to 100% if I spend enough time crafting phishing emails that will fool everyone. But that’s not an accurate measurement of your employees’ security awareness, and it’s not a meaningful one—other than early in your training program when you’re just trying to get a baseline response. Over the lifetime of your program, I would argue that you want to try to drive your click rate up. If you’re driving it down, that probably means employees are onto your tricks. But attackers aren’t getting dumber, they’re getting smarter. In fact, soon enough they’re going to be launching very convincing phishing campaigns using artificial intelligence. Still, a lot of large organizations don’t want to drive their click rate up, because they’re not going to be able to explain it to the C-suite, which relies too much on KPIs.
These numbers have meaning, but they shouldn’t be the driving force behind your security program. Reporting rate trumps click rate every time. So instead of punishing your users for clicking on simulated phishing emails, you want to encourage them to report those emails to security professionals who can leverage that information to improve a business’s security posture. Because, ultimately, you want them reporting real phishing emails. If they’re in the habit of reporting in general, they’re more apt to do that. It’s also a matter of identifying who is actually clicking on real phishing emails so you can launch an incident response. If I know that someone clicked on a real phishing email and may have compromised their system, that’s my opportunity to contain the threat instead of waiting for an attacker to establish a foothold in my network and keep moving. If you build a security culture where people aren’t afraid to report, you’re doing the business — and them — a huge favor. If you’re punishing users because they click links and sending them to remedial training, they’re not becoming a security asset because you’re treating them like the problem. You want them to be part of the solution.
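As an added illustration of the metrics argued for above (this is example code, not part of the interview or any Mindsight tooling), the script below scores one simulated campaign on report rate and time-to-first-report rather than click rate, and lists the users who clicked without reporting, which is the list a responder would act on first. The event records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One record per recipient of a simulated phish: when (if ever) they clicked
# and when (if ever) they reported it. Constructed sample data, not real users.
@dataclass
class PhishEvent:
    user: str
    clicked_at: Optional[datetime]
    reported_at: Optional[datetime]

CAMPAIGN_SENT_AT = datetime(2024, 1, 25, 9, 0)
_m = lambda n: CAMPAIGN_SENT_AT + timedelta(minutes=n)  # helper for readable timestamps

SAMPLE_CAMPAIGN: List[PhishEvent] = [
    PhishEvent("alice", None, _m(3)),     # reported without clicking
    PhishEvent("bob", _m(5), None),       # clicked, never reported
    PhishEvent("carol", _m(2), _m(4)),    # clicked, then reported: still useful to security
    PhishEvent("dave", None, None),       # ignored the email entirely
    PhishEvent("erin", None, _m(40)),     # reported, but late
]

def campaign_metrics(events: List[PhishEvent], sent_at: datetime) -> dict:
    """Click rate (the number the article says not to optimise), report rate,
    and how quickly security first heard about the email."""
    sent = len(events)
    clicked = sum(1 for e in events if e.clicked_at is not None)
    reported = sum(1 for e in events if e.reported_at is not None)
    # Minutes from send to each report, sorted so we can take first and median.
    delays = sorted((e.reported_at - sent_at).total_seconds() / 60
                    for e in events if e.reported_at is not None)
    return {
        "sent": sent,
        "click_rate": round(clicked / sent, 2),
        "report_rate": round(reported / sent, 2),
        "first_report_minutes": delays[0] if delays else None,
        "median_minutes_to_report": delays[len(delays) // 2] if delays else None,
    }

def needs_followup(events: List[PhishEvent]) -> List[str]:
    """Users who clicked and did not report. On a real phish these are the
    possibly compromised hosts to contain; on a simulation, the people to
    coach on reporting rather than punish for clicking."""
    return sorted(e.user for e in events
                  if e.clicked_at is not None and e.reported_at is None)

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_CAMPAIGN, CAMPAIGN_SENT_AT))
    print("follow up with:", needs_followup(SAMPLE_CAMPAIGN))
```

Tracking `first_report_minutes` across campaigns shows whether reporting habits are forming, which is the trend worth showing leadership instead of a click percentage that the phish's difficulty alone can move.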
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure, cybersecurity, and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving medium-sized to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com
About The Expert
Matt Cox is the Director of Internal Systems and Security at Mindsight, and has over 20 years of experience in Telecommunications, Information Technology and Network Management. In his role at Mindsight, Matt has the uncanny ability to communicate complex technical ideas to a broad audience. He is passionate about information security and using technology to improve business outcomes and is currently pursuing CISSP certification. When he’s not focused on the hyper-technical, Matt enjoys boating, fishing, and lock picking.