Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Don't Make Security Training a 'One-and-Done'
Oldest First  |  Newest First  |  Threaded View
Elephant man
Elephant man,
User Rank: Apprentice
12/19/2019 | 8:16:13 AM
Phishing Awareness warrants a dedicated Fully Managed Solution
Well written and insightful article on overall user awareness. However, this is really geared towards big Fortune 500 corporations with huge security teams and budgets. But for the rest of the world with a limited budget and resources there needs to be a better and more affordable approach specifically geared towards phishing as a problem.

Phishing alone is growing so rapidly in volume and sophistication that it requires a dedicated 'Phishing Awareness" approach. I am seeing a huge jump by industry into the phishing simulation market. It seems that everyone is offering a platform to run phishing campaigns now. Businesses offering this love the licensing/Subscription model where you supply a COTS tool to the client and they have to run everything themselves. It is favorable to business because this model is scalable to meet the demand created by sales/marketing and it also creates a sellable asset for the company. The problem lies in the fact that these companies then become sales organizations - not Value providers.

With Phishing Awareness specifically this model is extremely flawed. The gap between the levels of sophistication of real attacks versus what an administrator working with tools can manage is huge and growing rapidly. Add to this the attempts to educate employees with 10 different "security awareness" topics and you just confuse people with rocket scientology. I saw one marketing campaign recently where the provider is flaunting 500+ training modules,videos and games. What the hell do you do with that as an administrator? 

The industry knows this and some will claim that the Phishing simulations are merely a tool to gather metrics on the overall security awareness effort. Look, Phishing is a big enough problem in itself that it warrants a dedicated fully managed and coordinated program by a provider with experience. Experience in creating a coordinated series of phishing campaigns that ensures that the gathered metrics are comparing apples to apples. And that these metrics come from a methodology that guarantees results. This is not easy by any stretch. Giving someone a tool with a thousand simulations that vary from ridiculously easy to 'moderately' difficult is not enough. You need a managed service with simulations that are customized to your organization and range from easy to extremely difficult. This can't be done by an inexperienced administrator playing with an overwhelming platform.

Here is the big secret....I can tell you first hand that a well coordinated and fully managed program matched to an organizations culture and needs can reduce the click rate by over 90% with simulations alone - in one year. Add a Phishing training module to address the identified weak links (clickers) and you can drive continuous improvement....no rocket scientology needed. If you are looking to adress Phishing specifically then don't play into the hands of businesses trying to sell you a tool you have to put at least one dedicated salaried admin on who then has to spend a year learning the hard way with poorly chosen campaigns.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.
PUBLISHED: 2020-10-27
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. An application may be able to execute arbitrary code with system privileges.
PUBLISHED: 2020-10-27
A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin.