By Joanna Huisman, KnowBe4's new SVP Strategic Insights & Research. The bad guys know that the easiest way into your organization is through your employees. This is not an opinion. Of all the breaches that occurred in 2018, Over 90% were the result of human error. Criminals were provided access by unsuspecting, and I would argue, under-educated, un-aware employees.
Simulated phishing attacks are an important part of managing this problem, but sometimes these tests are are blamed for employees feeling afraid to take any action because it might damage their career…or cause an uncomfortable conversation with their manager. Here are a few key phishing misperceptions I have been able to pull out from the thousands of organizations I have engaged with over the past 4 years. Don’t let your thinking and action be misguided by these misperceptions.
Misperception 1: One phishing campaign a quarter will get the job done.
I remember a conversation with my then 4-year-old trying to convince him that brushing his teeth once a year just won’t get the job done. Fast forward to little over a decade later, and I was having the same conversation with organizations about their simulated attack strategies…quarterly is just not enough. The first challenge is that most security awareness programs are being run by security practitioners that drew the shortest straw rather than corporate training professionals who understand how to drive behavior change through learning. In order to drive sustainable behavior change, there needs to be a commitment to the time and tools required.
Infrequent phishing campaigns are not effective because they highlight a moment in time rather than bi-weekly or monthly campaigns which provide a deeper look into continuous patterns and behaviors. This is about increasing the frequency in order to have data that is comparable over longer periods of time.
Misperception 2: Phishing campaigns alone can change behavior.
This could not be farther from the truth. A comprehensive, continuous security awareness training program which combines education, simulated phishing attacks and communication can help raise the readiness levels of your employees to not only spot, but stop attacks from happening. One lever is not the answer, they need to work simultaneously like a well conducted orchestra. Educate with interesting, engaging, bite-sized content; test with frequent and highly realistic simulated attacks; communicate with creative, intriguing, captivating messaging.
Misperception 3: If you have a low click rate, you’re covered.
Stop chasing click rates. This is not like a diet where you declare a goal weight and then starve yourself until you get there. I would argue that organizations which consistently have low click rates are not challenging their audiences with more difficult and relevant campaign templates. If you are only using simple—one- or two-star—campaign templates, a low click rate should be yours.
But are you really increasing your audience’s readiness to identify more difficult attacks? I can guarantee you are not. You should be using templates that offer different levels of complexity to lure your employees into clicking and build it up over time. This approach will allow you to better understand where readiness levels are low so you can continue applying similar templates in order to strengthen their ability to spot those attacks. Organizations should not be looking at overall click rates, but rather by complexity of campaign or campaign types.
You will need to educate executives who are thirsty for that singular click rate that gives them a false sense of security. Click rates are a good start, but definitely do not give the full picture. Tell a story with the data. Just like with weight loss, if you are building muscle, you may be gaining weight. With your phishing campaign, if you are using a five-star campaign template and your click rate increases, you’ve just identified a weakness that needs more audience muscle memory.
Misperception 4: You’ll only need to run campaigns for a few months.
Let me be crystal clear…you will never be done. Attack strategies are getting more sophisticated and the bad guys more clever. Your security awareness program will need to be constant. Continuous awareness through education, simulated attacks and communication should be an integrated part of your organization's security culture.
Misperception 5: Employees will only see this as punitive.
This is where continuous and correct communication comes in. Employees will only see this program as punitive if that’s what you put out there. Rather, organizations that are having success in using simulated attacks to favorably drive behavior change are communicating the benefits, both professionally and personally, of being better at spotting the attacks.
If your campaigns are infrequent, employees will not have the necessary practice to spot the suspect emails. The point here is to make it part of their every day. Think about when you are driving, are you just looking straight ahead, or are you continuously scanning your path to see what may be disruptive? You can mirror this best practice driving behavior in how your employees navigate their inbox. Keep them on their toes with security top of mind…a suspect message can make it through the filters at any moment, just like a deer or a child on a bicycle.
Organizations have repeatedly shared with me that their employees get a strong sense of gratification when they get system-generated congratulatory message after correctly spotting and reporting an attack. And if they succumb to the phish, the KnowBe4 approach will immediately show them what they didn’t spot and what to look out for next time.
Organizations that use best practices for their awareness training have also shared that they are using reward programs to drive good behavior and champion programs to help evangelize. Now, will there be employees that are frequent clickers and that need more attention? Of course. But I will also argue that if you have a program that will help identify these potentially vulnerable employees (pockets of risk) you are much better off.
Want To Know More? Former Gartner Analyst and Knowbe4's very own Chief Evangelist Strategy Officer Perry Carpenter has written a brand new book!
I recommend you order at Amazon, here is the blurb from the new page promoting the book.
Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness programs that drive secure behaviors and culture change.
When all other processes, controls, and technologies fail, humans are your last line of defense. But, how can you prepare them? Frustrated with ineffective training paradigms, most security leaders know that there must be a better way. A way that engages users, shapes behaviors, and fosters an organizational culture that encourages and reinforces security-related values.
The good news is that there is hope. That’s what Transformational Security Awareness is all about.
- Find out what you need to know about marketing, communication, behavior science, and culture management
- Overcome the knowledge-intention-behavior gap
- Optimize your program to work with the realities of human nature
- Use simulations, games, surveys, and leverage new trends like escape rooms to teach security awareness
- Put effective training together into a well-crafted campaign with ambassadors
- Understand the keys to sustained success and ongoing culture change
- Measure your success and establish continuous improvements
Do you care more about what your employees know or what they do? It’s time to transform the way we think about security awareness. If your organization is stuck in a security awareness rut, using the same ineffective strategies, materials, and information that might check a compliance box but still leaves your organization wide open to phishing, social engineering, and security-related employee mistakes and oversights, then you NEED this book.
The book was just reviewed as an RSA Security Book of the Month
Again, order here.
Let's stay safe out there.
Warm regards,
Stu Sjouwerman
Founder and CEO,
KnowBe4, Inc.