Make Phishing Training More Efficient to Improve Awareness

October 26, 2023 | By Masha Sedova

This piece is part of our ‘Faculty Focus' series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Masha Sedova discusses common phishing awareness challenges and provides best practices to make the training process much more efficient and effective.

Phishing Training Q&A with IANS Faculty member Masha Sedova

Masha Sedova is an award-winning cybersecurity expert, speaker, and trainer focused on helping companies transform their workforce from a security risk into a key element of cyberdefense. She is the co-founder and President of Elevate Security, delivering a first-of-its-kind platform that enables organizations to identify risky employees, reduce the likelihood of future incidents, and proactively defend their workforce while ensuring a productive business. In 2021, Fast Company named her one of the most creative people in business. Masha has been a member of the board of directors for the National Cyber Security Alliance and a regular presenter at conferences such as Blackhat, RSA, OWASP, and SANS.

Phishing continues to be one of the most common attack vectors for credential harvesting and ransomware. Despite frequent training and awareness simulations, many users continue to take the bait and click into increasingly sophisticated phishing lures. Knowing that all it takes is just one user to cause a crippling organization breach, how can security teams improve phishing training, and what else can be done to prevent the phish from getting through?

 

What are some of the challenges you’ve seen in Phishing Training and Awareness?

Masha: There has been a growing trend of security teams asking ‘what’s next’ for their phishing programs. Many are even questioning whether it makes sense to continue the program.  We can take a look at phishing programs currently in place today to uncover the key challenges confronting organizations:

  • Inaccurate representation of someone’s phishing skills.  Smart employees add a filter for headers like “X-Phish Test” to flag phishing simulations.
  • Easily perceived as antagonistic. Several times a year, security teams make headlines with poorly thought-out phishing tests (layoff or bonus-related templates are frequent offenders).
  • Programs inevitably hit an efficacy floor. Companies see a reduction in clicks in phishing simulations over time until they hit somewhere between a 3-8% click rate.
  • Reduction of simulated phishing clicks is rarely tied to incident reductions. Reduction in clicks does not correlate to other areas such as real-world phishing clicks, account compromise events, data loss events, or other areas.
  • Training, unfortunately, doesn’t seem to play a significant role in altering behaviors. Research shows that almost every employee tends to ignore the training materials, and even if they undergo training, it doesn’t significantly reduce their chances of clicking on a spear phishing email.
  • There are almost no compliance requirements* to run tests (SOC2, ISO27xxx, PCI, HIPAA,).

Keep in mind that employees will consistently fall into three phishing risk types:

  • High Risk = Click regularly, rarely/never report phishing threats
  • Medium Risk = Click infrequently, rarely/never report a phishing attempt. Course-correct actions quickly
  • Low Risk = Click rarely/never, report phishing threats often

 

What are some best practices when launching a Phishing program?

Masha: Security teams can help users improve their phishing detection skills and set them up for success by implementing the following:

  • Ensure tests are benchmarked against previous ones to monitor trends and the percentage of the population in each behavior group.
  • Consider running phishing tests in a "red team" format where employees aren't immediately informed of the test to gauge genuine reactions post-failure.
  • Offer feedback closer to the phishing event, allowing employees a window to report what they perceive might be a potential attack.
  • Figure out how susceptible an employee is to simulated phishing. Even better, also figure out if they are similarly susceptible to real-world attacks and how frequently they may have been attacked.  The faster you can categorize an employee’s risk type, the better you can tailor interventions to them.
  • Determine an employee's behavior category and run phishing interventions tailored to that group. Interventions might look like this:
  • Low-Risk = Reward, recognition, annual reminders, and newsletters about threats.
  • Med-Risk = Schedule 7-11 phishing tests followed up by training.
  • High-Risk = Consider other methods of supporting those users who tend to click on suspicious links more readily. Some suggestions include:
  • Adopting phishing-resistant MFA
  • Implementing password manager use
  • Reduce MFA timeouts
  • Provide a ‘Security Buddy’ for help
  • Initiate 1:1 employee conversations

Implementing a ‘three-times you’re out’ rule and terminating repeat offenders is not recommended. It creates a culture of ‘security fear’ and significantly stifles productivity, putting employees in constant fear of evening opening emails. Instead of seeing repeat offenders as “incompetent” - view these individuals as being more vulnerable and in need of additional security support. They are excellent candidates for additional security measures, controls, and hardware (see paragraph above) to help protect them and the company. Communicate this special support to high-risk employees as necessary protection - similar to more body armor in a combat zone. You will help set them up for success as they will learn how not to place themselves and the business in dangerous situations.

 

What are the lasting impacts and benefits of better phishing programs?

Masha: Most phishing programs will not see a huge improvement jump after the first year. Expect incremental phishing program steps rather than huge leaps, as this training needs to become muscle memory for many employees.  For best results, keep the following program tips in mind to evolve and tailor your phishing program to the organization:

  • A well-executed phishing program should categorize employees into specific behavior groups, allowing for targeted interventions.
  • Targeted interventions let you apply your security resources where you need them most instead of spreading them thinly over the organization with less impact.
  • Looking at incident metrics first and assessing the impact of a phishing program on those metrics allows for a much clearer ROI for a program.
  • Well-crafted programs also provide an opportunity to reduce the number of high-risk employees, minimizing the chances of a successful real-world phishing attempt.

How IANS Faculty Expertise Benefits You

Cybersecurity today is faced with a myriad of complex challenges, and the IANS Faculty will help you make informed security decisions that protect your business.

Whether you need guidance on program direction, a tie-breaking opinion on architectural considerations, tool implementation advice, a comprehensive security assessment, a penetration test, or mapping controls to a regulatory standard, we are a trusted partner to provide the best decision support for your security team.

Our mission is to help you make better, faster decisions, grow professionally, and stay compliant. Get in touch with IANS to learn more about how we can help move your security program forward.


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.


Access time-saving tools and helpful guides from our Faculty.


IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Subscribe to IANS Blog

Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

Please provide a business email.