Note: The phish-prone percentage is the percent of your organization’s employees who will click on a URL link or file attachment in a simulated phishing email, i.e. the percentage of employees in your organization who are prone to real phishing attacks.
Goal of Security Awareness Training
The main objective of security awareness training is to make your employees have more default skepticism toward digital (and audio) content that has the potential to negatively impact them or the organization. We want to educate users to stop and think before clicking or performing actions that can hurt themselves or the organization.
It’s like teaching a young child to look both ways before crossing a street. Early on, the parent may hold the child’s hand to prevent them from stepping out into ongoing traffic. But, with enough training, that child will automatically, and hopefully for the rest of their lives, look both ways before crossing a street as part of their instincts.
Security awareness training helps everyone in your staff develop a healthy level of skepticism and become very accurate at identifying things that could hurt them or the organization. The main goal of security awareness training is to significantly reduce risk by changing the organization’s security culture.
Education and testing are done on the following timeline:
Social Engineering is More Than Email
With email, SMS phishes, and USB drive openings, the goal of security awareness training is to prevent a user from doing anything beyond looking at an email, message, or drive. Simply opening a simulated phishing email, viewing an SMS message, or looking at a file list on a USB drive is still tracked, but isn’t counted as a “failure” because usually, with rare exceptions due to zero-days, simply doing those things does not allow malicious actions to be executed.
It’s not good enough to simply not perform a negative action; we want employees to report all potential maliciousness to the organization’s security review personnel. This is the only way the organization can get an accurate picture of what types of social engineering and phishing are being performed against the organization. Without constant reporting, an organization may never know when it is being targeted by a crimeware group or nation-state attack.
PAB is a separate installable program that can be integrated with Google Gmail or Microsoft Outlook email clients, including browser and mobile versions. If a user suspects that a phishing email is a simulated or real phish, they can click on the PAB, and the email will be deleted from their inbox and a copy is sent to a predefined email address where all suspected phishes are collected and can be investigated.
Ongoing and Targeted Security Awareness Training
All employees should take one or more longer training sessions to communicate a broader range of cybersecurity safety issues. This should ideally occur when first hired and at least once each year thereafter. Additional targeted training is done based on the data collected from the simulated phishing campaigns and testing.
Here is an example of longer, annual training content.
Here is an example of new-hire training content.
Training topics include a mix of general, randomized, and targeted training issues, similar to the topics that real-world phishers will foist upon your end-users. Training is modified based on the results of previous testing and education, popular phishing trends, required custom corporate training, seasons, events and roles. For instance, around tax time, employees are more likely to get real-world phishing that is looking for their personally identifiable tax information.
Your organization’s logo can be placed on many pieces of training content (as simulated below).
Simulated Phishing Templates
Templates include static text and images, as well as dynamic fields, which can change based on the intended recipient, such as the name used in a personalized greeting. Managed services loves to do custom templates based on what the customer’s organization has seen in real life. Here are some example simulated phishing templates.
Overall, the goal is to get all of your users to a point where they require higher levels of phishing sophistication to be fooled, moving them step-by-step to higher levels of difficulty based on their unique previous simulated phishing test results (as graphically shown below).
Users who are clicking on or responding to simulated phishing campaigns (known as failures) will, by default, be sent to a selected landing page, which lets them know they failed a simulated phishing test and will most often let them know the red flags of phishing that they should have seen to alert them to the fact that it was a simulated phishing email. Below is an example landing page.
A big part of security awareness training is educating people about the red flags of social engineering, and doing that in the moment that someone fails a simulated phishing test is crucial to their learning.
The cybersecurity risk of each individual user and the aggregated cybersecurity risk of the entire organization can be calculated and tracked. A personalized risk score is generated for each user based on their simulated phishing tests’ successes and failures, training completion, job function, and custom booster score that the organization can add. All of the personal risk scores can be aggregated on a per-business-unit basis or for the entire organization. Here is an example of an organization risk rating.