Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Don't Make Security Training a 'One-and-Done'
Threaded  |  Newest First  |  Oldest First
Elephant man
50%
50%
Elephant man,
User Rank: Apprentice
12/19/2019 | 8:16:13 AM
Phishing Awareness warrants a dedicated Fully Managed Solution
Well written and insightful article on overall user awareness. However, this is really geared towards big Fortune 500 corporations with huge security teams and budgets. But for the rest of the world with a limited budget and resources there needs to be a better and more affordable approach specifically geared towards phishing as a problem.

Phishing alone is growing so rapidly in volume and sophistication that it requires a dedicated 'Phishing Awareness" approach. I am seeing a huge jump by industry into the phishing simulation market. It seems that everyone is offering a platform to run phishing campaigns now. Businesses offering this love the licensing/Subscription model where you supply a COTS tool to the client and they have to run everything themselves. It is favorable to business because this model is scalable to meet the demand created by sales/marketing and it also creates a sellable asset for the company. The problem lies in the fact that these companies then become sales organizations - not Value providers.

With Phishing Awareness specifically this model is extremely flawed. The gap between the levels of sophistication of real attacks versus what an administrator working with tools can manage is huge and growing rapidly. Add to this the attempts to educate employees with 10 different "security awareness" topics and you just confuse people with rocket scientology. I saw one marketing campaign recently where the provider is flaunting 500+ training modules,videos and games. What the hell do you do with that as an administrator? 

The industry knows this and some will claim that the Phishing simulations are merely a tool to gather metrics on the overall security awareness effort. Look, Phishing is a big enough problem in itself that it warrants a dedicated fully managed and coordinated program by a provider with experience. Experience in creating a coordinated series of phishing campaigns that ensures that the gathered metrics are comparing apples to apples. And that these metrics come from a methodology that guarantees results. This is not easy by any stretch. Giving someone a tool with a thousand simulations that vary from ridiculously easy to 'moderately' difficult is not enough. You need a managed service with simulations that are customized to your organization and range from easy to extremely difficult. This can't be done by an inexperienced administrator playing with an overwhelming platform.

Here is the big secret....I can tell you first hand that a well coordinated and fully managed program matched to an organizations culture and needs can reduce the click rate by over 90% with simulations alone - in one year. Add a Phishing training module to address the identified weak links (clickers) and you can drive continuous improvement....no rocket scientology needed. If you are looking to adress Phishing specifically then don't play into the hands of businesses trying to sell you a tool you have to put at least one dedicated salaried admin on who then has to spend a year learning the hard way with poorly chosen campaigns.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15238
PUBLISHED: 2020-10-27
Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any lo...
CVE-2020-26156
PUBLISHED: 2020-10-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-27853
PUBLISHED: 2020-10-27
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, a...
CVE-2020-7755
PUBLISHED: 2020-10-27
All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.
CVE-2020-11854
PUBLISHED: 2020-10-27
Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravil...