Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Don't Make Security Training a 'One-and-Done'
Newest First  |  Oldest First  |  Threaded View
Elephant man
50%
50%
Elephant man,
User Rank: Apprentice
12/19/2019 | 8:16:13 AM
Phishing Awareness warrants a dedicated Fully Managed Solution
Well written and insightful article on overall user awareness. However, this is really geared towards big Fortune 500 corporations with huge security teams and budgets. But for the rest of the world with a limited budget and resources there needs to be a better and more affordable approach specifically geared towards phishing as a problem.

Phishing alone is growing so rapidly in volume and sophistication that it requires a dedicated 'Phishing Awareness" approach. I am seeing a huge jump by industry into the phishing simulation market. It seems that everyone is offering a platform to run phishing campaigns now. Businesses offering this love the licensing/Subscription model where you supply a COTS tool to the client and they have to run everything themselves. It is favorable to business because this model is scalable to meet the demand created by sales/marketing and it also creates a sellable asset for the company. The problem lies in the fact that these companies then become sales organizations - not Value providers.

With Phishing Awareness specifically this model is extremely flawed. The gap between the levels of sophistication of real attacks versus what an administrator working with tools can manage is huge and growing rapidly. Add to this the attempts to educate employees with 10 different "security awareness" topics and you just confuse people with rocket scientology. I saw one marketing campaign recently where the provider is flaunting 500+ training modules,videos and games. What the hell do you do with that as an administrator? 

The industry knows this and some will claim that the Phishing simulations are merely a tool to gather metrics on the overall security awareness effort. Look, Phishing is a big enough problem in itself that it warrants a dedicated fully managed and coordinated program by a provider with experience. Experience in creating a coordinated series of phishing campaigns that ensures that the gathered metrics are comparing apples to apples. And that these metrics come from a methodology that guarantees results. This is not easy by any stretch. Giving someone a tool with a thousand simulations that vary from ridiculously easy to 'moderately' difficult is not enough. You need a managed service with simulations that are customized to your organization and range from easy to extremely difficult. This can't be done by an inexperienced administrator playing with an overwhelming platform.

Here is the big secret....I can tell you first hand that a well coordinated and fully managed program matched to an organizations culture and needs can reduce the click rate by over 90% with simulations alone - in one year. Add a Phishing training module to address the identified weak links (clickers) and you can drive continuous improvement....no rocket scientology needed. If you are looking to adress Phishing specifically then don't play into the hands of businesses trying to sell you a tool you have to put at least one dedicated salaried admin on who then has to spend a year learning the hard way with poorly chosen campaigns.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26564
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFil...
CVE-2020-26565
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26806
PUBLISHED: 2021-07-31
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
CVE-2021-33617
PUBLISHED: 2021-07-31
Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.
CVE-2021-27491
PUBLISHED: 2021-07-30
Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process.