Phishing awareness training not translating to fewer clicks, research argues
The emails just keep on coming: many relevant, but many more either good old-fashioned spam or, worse, phishing attempts. Yet new research argues that despite regular phishing awareness training, many companies are still falling for the old routines.
The research was conducted by Ironscales, an Israel-based company which claims to offer the world’s first automated phishing prevention, detection, and response platform. More on that later – but according to the data, which came from 300 security professionals, an overwhelming 85% of respondents said their employees needed better inbox tools to detect phishing attempts.
Ironscales says it takes on average just 82 seconds between a phishing email passing through the gateway and that email claiming its first victim. The other figures are less encouraging: while more than three quarters (76%) of those polled said they trained employees to spot phishing emails, less than half said that click rates had dropped as a result of running awareness and training programmes.
Gaps in basic practice were also noted. One in three (35%) organisations say they do not have a dedicated email address, or a report button, through which employees can share suspicious messages, while more than half (55%) said their security teams had problems detecting phishing messages in time. The vast majority of respondents (94%) said automating the SOC teams' manual processes, from attack detection to response, would 'greatly reduce' the amount of damage which could be inflicted on a company.
“This survey makes it abundantly clear that while phishing is high on everyone’s radar, organisations continue to struggle to deflect the threats posed by email-borne attacks,” said Eyal Benishti, founder and CEO of Ironscales in a statement. “In today’s threat landscape, businesses simply cannot afford to rely on phishing awareness training or overburdened SOC teams when neither are getting the job done.”
Writing for this publication in April, Benishti argued that phishing awareness training, as part of a wider focus on security awareness, is ‘going the way of the dinosaur’. “Such a social engineering phenomenon has simply made phishing too frequent and complex for humans to own the majority of the burden alone,” Benishti wrote. “As CIOs continue to work closely with CISOs on hardening their digital defences, it’s essential that they now recognise phishing awareness training as just a very small piece of the large email security puzzle.”
Ironscales' proposition is therefore one of automation across multiple vectors. The company has four products, including mailbox-level anomaly detection in IronSights, automated phishing email incident detection and response in IronTraps, and peer-to-peer phishing intelligence sharing in Federation.
The fourth product, IronSchool, does – as the name suggests – provide phishing awareness training. Yet ‘unlike the traditional one size fits all approach to security awareness training, [the school] starts with an initial employee assessment to benchmark users’ phishing recognition skills’ before ‘automatically grading each user and adjusting the training according to their current skill level’, in the words of the company.