Phishing is a very effective, low-cost attack vector that bypasses most traditional detection methods, and it has been widely identified as one of the biggest security threats organisations face today. Cybercriminals now target a specific organisation and develop sophisticated phishing emails in a bid to trick employees into opening malicious attachments. This causes great concern for organisations because not only can phishing have disastrous consequences for a company, the emails are so cleverly crafted that they are extremely difficult to spot, even for the most well-trained eye.
As a result of the rise in targeted phishing scams, organisations must train their staff on how to spot these malicious emails. However, because of the ever changing nature of phishing, training cannot be carried out through simple paper-handouts or within employee handbooks.
The security awareness training needs to be an experience that staff will actually remember and retain. Immersing a human in an experience triggers the brain in a way that traditional training doesn’t – by drawing an emotional response. In complex vertebrates (contrary to what some in security might say, your users do fit into this category), the amygdala is the area of the brain associated with both memories and emotions. An emotional experience sticks in our memory, making training techniques that elicit emotions more powerful. This is why posters and conventional computer-based training fall short.
One method of immersive training to help employees spot phishing attacks would be to send staff mock phishing emails. The staff members that correctly identify the phishing email will be commended and the staff that do not will receive training to help them identify future attacks.
Repeating immersive training exercises capitalises on a neurological process called long-term potentiation, which is how the human brain forms memories and retains them. Memories form from repeated signalling across the same synapses between neurons, and repetition of those synaptic processes causes us to learn and retain information. Conducting annual training will not lead to retention – even if the training itself is compelling – because it won’t be frequent enough to stick in employees’ minds. Whenever we are learning something new, whether it’s playing a sport or an instrument or speaking a new language, repetition is crucial. It’s the same with teaching email users safe email behaviour: repeatedly conducting security awareness exercises will allow them to make safe email use a habit.
Ultimately, immersing your employees in an experience will improve their behaviour. With that said, here are ways to make your immersive security awareness engaging:
Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope.
Be Specific: Hollow platitudes will undoubtedly get your users to tune out. Avoid vague messages like “keep company resources safe”, instead give users specific, actionable information that will help them change behaviour.
Mix it up: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes so ultimately people lose interest. Don’t make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients.
Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We know that security threats are constant and ever changing; therefore, security awareness needs to be continuously reinforced. By continuously training users at different times throughout the year, safe security behaviour becomes a habit, not something forgotten as soon as training is over.
Be Positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness programme. Keep things positive by measuring the results of your programme and recognising the people and departments who have done well. Educate and support those who need additional help.
Scott Greaux, VP of product management and services at PhishMe.
PhishMe launched publicly in 2008, and incorporated as an independent entity in 2011. PhishMe Incorporated is based in Northern Virginia, just outside of Washington, DC, with staff across the country. Our support, operations and sales teams are headquartered in our Virginia office, with additional offices in New York and London.
Our team developed the PhishMe concept based on dozens of years of experience in penetration testing, social engineering, abuse management, incident response and forensics. As our founding team looked at the results of the annual assessment model we implemented for clients, we realized that to effectively combat phishing attacks, our customers needed to combine compelling exercises with dynamic, immersive training.