Enterprises that invest considerable time and money in secure email gateways are still finding fraudulent messages being delivered to their users’ inboxes. In fact, phishing attacks are the root of most breaches today.
Many organizations have therefore turned to user security awareness programs that train employees to identify and avoid threats that arrive in their inboxes. So why, despite these efforts, has the number of breaches caused by phishing attacks increased every year since 2017?
Adoption of security awareness training (SAT) accelerated as an annual tick-box exercise mandated by compliance requirements and cybersecurity insurance issuers. It has become de facto guidance for any organization struggling to prevent another successful social engineering attack, such as a business email compromise. It has also become a primary tool in the security-culture toolkit.
Enterprises should strive to create a culture in which secure behaviors are part of the employee's day. Training is important to ensure users understand the organization's policies and the conformance expected of its members, but training alone does not create culture. Creating a culture requires users and security analysts to actively work as a team every day, supporting each other and reinforcing the expectations and lessons learned in training.
There are some practical steps that any organization can implement to empower their employees to protect the business. These solutions combine technology and user awareness to create a proactive defensive shield against real email attacks rather than fake email attacks.
It is impossible for any cyber security system to detect all threats, all the time, without burdening users and administrators with false positives and delayed email delivery. However, it is possible to deliver mailboxes to users that contain fewer threats.
Most organizations aim to block malicious email at the perimeter, but it is more effective to implement continuous automated threat hunting in mailboxes, where the threats actually reside.
This method not only catches attacks missed by secure email gateways and Microsoft 365, but also provides strategic visibility into previously undetected spear phishing, ransomware, and business email compromise (BEC) risks.
Implementing this method alongside SAT is highly beneficial for the enterprise. Removing the pressure on employees to mitigate every threat lets them instead take their place as part of a broader, more strategic company security effort.
Creating a positive environment
SAT is required to comply with PCI DSS, HIPAA/HITECH and SOC2. Furthermore, one part of security training involves running simulated phishing attacks against users, which is a useful rehearsal for identifying real attacks. To support the latter, many organizations have implemented processes on the back end of their SAT programs for users to report suspicious messages to their security team. However, security teams rarely investigate all of these reports and almost never provide feedback to the users who submit them. Feedback is critical so that users are rewarded for detecting real threats or given real-world coaching when they generate false positives. This loop of user reports and analyst feedback creates a positive environment and teachable moments that foster a culture of security in a way that training videos and quizzes cannot.
Another key factor in creating a positive environment is using self-service tools together with real-time alerts applied to suspicious messages. Self-service tools include add-ons for email clients that allow users to request a security scan of a message and view the results. Alerts are generated automatically when machine learning or other advanced detection models spot indicators in a message, such as signs of business email compromise or other types of small-scale attacks. Combined, these let users apply the lessons learned in training to enrich automated detection rather than expecting them to bear the full burden of detecting evasive threats.
Empowerment vs. Training
For a business that needs to develop its cyber security culture, security awareness training is just the beginning. Creating and reinforcing a culture of security requires building on SAT to engage users in active defense against real cyber attacks.
The use of SAT in conjunction with automated checks demonstrates to employees that their organization has realistic expectations of them. Employees should not feel that the fate of a breach rests on their shoulders but should feel empowered to play a key role in proactively protecting their enterprise. Executives can provide tools for users to scan for suspicious content themselves, enhancing a holistic organization-wide approach to security.
Without proper security training, even the best tools can become useless. When executed correctly, SAT not only puts your organization in a better position from the point of view of cyber insurance and regulatory requirements, it also creates an environment where your employees are actively engaged in mitigating online risks, thereby strengthening your security.
Mike Fleck is Senior Director of Sales Engineering at Siren.