KnowBe4 Security Awareness Training Blog

Why Do You Still Need Security Awareness Training If You Use Phishing-Resistant MFA?

Written by Roger Grimes | Jun 7, 2023 2:21:14 PM

For years, KnowBe4 has been a proponent of everyone using PHISHING-RESISTANT multi-factor authentication (MFA) whenever possible.

Unfortunately, most MFA is as easily phishable, hackable and bypassable as the passwords it was intended to replace.

Even though KnowBe4 was an early proponent of phishing-resistant MFA, most of the world is now coming around, including NIST and CISA.

Why Do I Need Training If I Am Already Using Phishing-Resistant MFA?

The reason I am mentioning this is a recent customer question at a popular computer security conference, the Gartner Security & Risk Management Summit. The customer asked, “If my organization is using phishing-resistant MFA, why do I still need to do security awareness training and simulated phishing tests?” It is a good question. Here is our response.

Our Response
There are many reasons why you still need great security awareness training even if you are using phishing-resistant MFA.

1) Security Awareness Training Works!

First and most important, security awareness training, including frequent simulated phishing campaigns, absolutely works to reduce cybersecurity risk in your environment. Social engineering is the top method hackers and their malware use to compromise devices and networks. So far, there is no perfect technical defense. Some portion of social engineering and phishing will get through to you and your coworkers. Training works.

We have collected 12 years of data on our more than 60,000 customer organizations, and the more frequently a customer educates its staff and runs simulated phishing campaigns, the lower the chance that someone in the organization clicks on a real phishing attack. From our data, we know that annual training alone has almost no impact on phish-clicking rates (what we call the Phish-prone™ Percentage).

We also know that monthly training, including at least monthly simulated phishing tests, most effectively reduces the Phish-prone rate. You should continue training and simulating real-world phishing attacks because it works at reducing cybersecurity risk. Most of the time, there is no single other mitigation that will be as effective at reducing risk.

2) You Still Likely Have Lots of Passwords

Even if you added up every non-password authentication option in the world, you would find that most people still have lots of passwords. In fact, the average person authenticates to over 170 different sites and services each year, and most of those sites use only passwords. Even if all your work sites and services use phishing-resistant MFA, the sites and services your employees use personally (e.g., insurance, medical, banking, finance, etc.) likely still use passwords. And if an employee gets scammed on one of those sites, they will be dealing with the aftermath and will not be as productive an employee as they otherwise might be.

3) At Least Half of Phishing Does Not Involve Credential Theft

There are no definitive statistics on what percentage of overall cybersecurity incidents involve social engineering and phishing, but most researchers place it at 40% to 92% of all cyber attacks. Whatever the exact percentage, social engineering and phishing are the most popular attack vector of all. And about half of those social engineering and phishing attacks are after employee login credentials. That is a lot, and it means that using phishing-resistant MFA significantly reduces a huge chunk of social engineering and phishing attacks. It is why you should use phishing-resistant MFA!

But it also means that you and your coworkers are still at risk from the other half of those attacks, and that risk is growing over time. Many social engineering and phishing attacks do not care what authentication you use. They do not care if it is passwords, MFA, biometrics, or 15-factor, zero-trust, AI-enabled, quantum-protected authentication. They simply trick employees into running malware, either by clicking on a rogue URL link or by opening a booby-trapped document. The user is tricked into launching the malware, which takes over their desktop, which is then used to take over the organization’s network.

Note: Training is especially important given that 66% of SUCCESSFUL email attacks are attributed to spear phishing. Spear phishing is more likely to be about motivating employees to perform actions with negative consequences than about simple credential theft. So, not training your employees in how to recognize and mitigate spear phishing puts your company at far greater risk of a successful attack.

Stolen Tokens

Many hacker attacks involve tricking users into letting the attacker steal the session token (or cookie) that the user’s browser holds after a successful login. Because that token is issued only after authentication has already completed, an attacker who replays it never has to pass the MFA challenge at all, which is why this type of attack cannot be stopped by phishing-resistant MFA. It is becoming increasingly popular. Microsoft and other vendors are trying to prevent authentication token theft, but it will likely be many years until token theft is a hacking tactic of the past. Until then, you need to educate your employees on how to stop token theft attacks, and the primary mitigation is training.
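The following is an added illustration, not code from the original post or from any KnowBe4 or Microsoft product. It models a web application's session layer to show the point above: once a user has completed a phishing-resistant login, the server hands back a bearer token, and anyone who presents that token afterwards is accepted without ever touching the MFA step. The `SessionStore` class, the `bind_to_device` option and the device identifiers are all hypothetical; the device-binding check is a deliberately simple stand-in for the kind of token-protection work the post says vendors are pursuing, not a description of any vendor's mechanism.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical server-side key used to derive device fingerprints (constructed for this example).
SERVER_KEY = os.urandom(32)


class SessionStore:
    """Minimal stand-in for a web app's session layer (illustrative only)."""

    def __init__(self, bind_to_device=False, ttl_seconds=3600):
        self.bind_to_device = bind_to_device
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> session record

    @staticmethod
    def _fingerprint(device_id):
        # Keyed hash of a client-supplied device identifier. An infostealer that
        # captures both the token and this identifier defeats the check; real
        # device binding needs a key the malware cannot read out.
        return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()

    def login_with_phishing_resistant_mfa(self, user, device_id, now=None):
        """Assume the FIDO2/WebAuthn ceremony has already succeeded; mint the session token.

        This is the only point at which MFA is checked. Everything after it
        trusts the token alone, which is exactly what a token thief exploits.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "issued": now,
            "device": self._fingerprint(device_id) if self.bind_to_device else None,
        }
        return token

    def authorize(self, token, device_id, now=None):
        """Return the user name the token maps to, or None if the token is rejected."""
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if now - rec["issued"] > self.ttl:
            return None  # expired: short lifetimes shrink the replay window
        if self.bind_to_device and not hmac.compare_digest(
            rec["device"], self._fingerprint(device_id)
        ):
            return None  # token presented from a device it was not issued to
        return rec["user"]


def replay_outcomes():
    """Run the scenario and return whether each request was accepted.

    Returns (unbound_replay_ok, bound_replay_ok, bound_same_device_ok, expired_ok).
    """
    victim_device = "victim-laptop"   # constructed identifiers
    attacker_device = "attacker-vps"
    t0 = 1_700_000_000                # fixed clock so the example is deterministic

    # 1) Plain bearer token: phishing-resistant login, then the stolen token is
    #    replayed from the attacker's machine. MFA never re-enters the picture.
    unbound = SessionStore(bind_to_device=False)
    tok = unbound.login_with_phishing_resistant_mfa("alice", victim_device, now=t0)
    unbound_replay_ok = unbound.authorize(tok, attacker_device, now=t0 + 60) == "alice"

    # 2) Device-bound, short-lived token: the same replay is refused, the
    #    legitimate device still works, and the token dies after 15 minutes.
    bound = SessionStore(bind_to_device=True, ttl_seconds=900)
    tok2 = bound.login_with_phishing_resistant_mfa("alice", victim_device, now=t0)
    bound_replay_ok = bound.authorize(tok2, attacker_device, now=t0 + 60) == "alice"
    bound_same_device_ok = bound.authorize(tok2, victim_device, now=t0 + 60) == "alice"
    expired_ok = bound.authorize(tok2, victim_device, now=t0 + 1000) == "alice"

    return unbound_replay_ok, bound_replay_ok, bound_same_device_ok, expired_ok


if __name__ == "__main__":
    print(replay_outcomes())
```

The first scenario is the one the post warns about: the strength of the login ceremony is irrelevant to a server that only ever sees the token. The second scenario shows why binding and short lifetimes help but do not finish the job. The fingerprint here is computed from something the client sends, so malware running on the victim's desktop can steal it along with the token and pass the check, which is why the post still names training as the primary mitigation.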

Phishing-Resistant Does Not Mean Un-Phishable

Every digital thing can be hacked. Every authentication solution, including phishing-resistant MFA, can be hacked. Phishing-resistant MFA can still be phished. Phishing-resistant simply means that the involved authentication mechanism is resistant to the most common types of phishing attacks. It does not mean it stops all types of phishing attacks.

For example, it is nearly impossible to prevent an attacker from creating an entirely fake authentication experience for the end user, making it appear as if the authentication succeeded, and fooling the user into believing they have just completed a successful, legitimate login. And once a user thinks they are authenticated on a real system, they are more easily phished out of additional confidential information that can be used against them or their organization.

Phishing Is Not Just Email

When most defenders say they have “defeated” phishing, they usually mean they have taken sufficient steps to mitigate most email phishing. But it is impossible to “defeat” phishing (at least right now, if not forever). Phishing has so far been a very resilient form of hacking that has defeated all known and proposed technical mitigations. And as long as that is true, you will need training.

On top of that, phishing can occur in a variety of different ways, including in-person, voice-based phone calls, social media, SMS, chat apps, metaverse and websites. And your users need to be taught how to recognize, mitigate, and report social engineering no matter how it appears, no matter what its form.

Compliance Training

A great security awareness program is about more than stopping social engineering and phishing attacks. It often means compliance training, such as educating employees about how to avoid and report sexual harassment, anti-bribery rules, unacceptable content and privacy statutes, as common examples. I am not sure about your security awareness training program, but compliance training is a big part of what KnowBe4 does.

Culture Improvement

Lastly, a great security awareness training program is about improving your organization’s overall risk management culture. You want everyone to understand the importance of developing a healthy level of skepticism toward high-risk events. And you cannot do that without a constant stream of good security awareness training.

There are probably a dozen other reasons why you need to start or continue a great security awareness program even if you have phishing-resistant MFA, but these seven reasons are reason enough to stay in the training game.

Not training your employees means you accept all of these elevated risks. But a good security awareness training program will help you to significantly reduce cybersecurity risk. Using phishing-resistant MFA is one way to reduce risk. Great training is another.