6 Reasons Why Phishing and Security Awareness Training Programs Fail

The majority of devastating cyberattacks begin with a simple phishing email that tricks a user into helping the threat actor. To counter this threat, many companies provide employees and extended team members with some form of phishing and security awareness training (PSAT) as an important element of their cybersecurity program.

A comprehensive training and testing program leverages realistic threat scenarios to foster context-relevant (e.g., tailored to your industry and risks) security awareness that:

• Drives security awareness and behavioral change: Reduce the risk of phishing-based intrusions with user-specific training

• Tests user resiliency: Test user ability to identify and avoid the latest phishing tactics and campaigns

• Identifies and measures improvement: Identify high-risk users and groups, and reduce risk associated with their privileges and access

• Alleviates resource constraints: Reduce the burden on security teams to deliver training and to manage security operations

• Meets regulatory requirements: comply to state, industry and professional regulations and obligations

Unfortunately, most security awareness training initiatives fail to achieve the desired business outcomes, so understanding why these programs fail will help your organization get the most out of your own PSAT investments—and may ultimately make the difference between a close call and a disaster.

Most common reasons that security awareness training programs may fail

From speaking with countless businesses and organizations about their experiences with PSAT programs, we’ve identified six common causes of failure.

1. They lack explanation and context

Whether the restriction is “do not install unauthorized software” or “do not click on links”, top-down commandments that simply provide an endless list of what not to do nearly always lead to low employee engagement. Therefore, wrapping up these directives in PSAT training isn’t any different.

The solution: Explain why the training is important for your employees, and for the organization, and how the training fits into the broader cybersecurity plan. Tell your team why security policies are needed and about the potentially devastating consequences of installing unapproved software or opening attachments. In short, treat your team with respect and tell them “the why” before you get into the list of specifics.

2. They focus too much on phishing emails

These two statements are true at the same time:

• Most successful cyberattacks begin with a phishing email

• Most PSAT training focuses too much on phishing emails

While phishing emails should definitely receive considerable attention, it’s a mistake to overlook other tactics. Today’s threat actors are skilled at using a wide range of attack vectors, and they’re experts at targeting the specific tools used in your industry, poisoning search results, leveraging common information needs, and exploiting human nature.

The solution: Make sure your PSAT program is tailored to your industry and remains up to date with all the latest trends, regulatory requirements. The examples used should be precisely targeted because the real-world attacks will be.

3. They use generic content that lacks industry context

The examples within many PSAT programs often come from publicly available sources. As a result, they are exceptionally generic and unintentionally feed into two misconceptions:

1. Phishing lures are self-evidently obvious (e.g., a Netflix account reset sent to a business address)

2. The victim is at fault for not recognizing the obvious phishing attempt

The truth is that criminals are exceptionally skilled at targeting not only your industry, but also your specific organization. Popular, effective lures include:

• Payment requests and invoices

• Legal threats and actions

• Shipment tracking and delivery

• Tax and HR employee data requests

• COVID-19 and election information

However, these lures are not generic––they leverage information about suppliers and customers, trends and news within the industry, and even publicly available information (e.g., from regulatory documents, court filings, LinkedIn, etc.).

Attackers may know your internal hierarchies, complete with employee names and roles. They may even have set up websites to masquerade as legitimate members of the ecosystem.

The solution: Make sure your PSAT program is tailored to your industry and remains up to date with all the latest trends, regulatory requirements. The examples used should be precisely targeted because the real-world attacks will be.

4. Evaluating effectiveness focuses on execution metrics, rather than on outcome metrics

Once it’s time to report on the success of the PSAT program, many security teams spend time answering questions such as, “How many people have we trained? How many people were tested? What percentage passed? What was the average score?”

Although those metrics are easy to record and report, they’re also execution metrics—they measure what your team did and the efficiency with which they did it.

Unfortunately, these metrics can lead to a false sense of security and what’s more is that they don’t provide answers to important questions, such as:

• Are we reducing our risk?

• Have we reduced operating costs?

• Have we freed up IT expertise to direct their efforts to other threats?

The solution: When it comes to measuring PSAT effectiveness, emphasize business outcomes and behavior (e.g., the number of suspicious emails reported to IT, proactive communication with the security team, and the number of policy violations) ahead of execution metrics.

5. They systematically drive undesired behaviors

Many PSAT programs, and the cybersecurity initiatives under which they’re delivered, inadvertently encourage undesired behavior and discourage the desired behavior. For example, naming and shaming employees who are victimized creates an incentive for people not to report when they recognize they’ve made a mistake.

The solution: Take a lesson from the aviation industry’s playbook. Aviation is so safe because of policies that were consciously implemented to encourage ongoing learning, including gathering and analyzing data (through the use of black boxes) and ensuring that those who report incidents don’t face consequences for doing so.

6. They overlook risks and gaps at the executive level

Executives, the board, and other key employees (including people with access to non-public information) are sometimes overlooked or excused from training, which results in two major consequences. First, it sends the wrong message that cybersecurity isn’t everyone’s shared responsibility and second, it doesn’t keep these team members up to date on the latest threats and vulnerabilities.

Moreover, generic training programs don’t prepare senior leaders to recognize the highly targeted threats that they are likely to face.

The solution: The entire leadership team needs to recognize the importance of cybersecurity training. In fact, they need to model good behavior for the organization. At the same time, the PSAT program needs to meet the specific needs of the leadership group, recognizing that these individuals may be targeted with extremely sophisticated threats.

Parting words

Effective phishing and security awareness training is about up-levelling everyone’s risk awareness—rather than trying to turn everyone into security experts—and should exist within a culture of security that’s focused on outcomes.

After all, cybersecurity isn’t an IT problem to solve, it’s a business risk to manage.

To learn how eSentire’s Managed Phishing and Security Awareness Training can help drive behavioral change with your employees across your organization, book a meeting with a security specialist today.