One point is very clear: phishing has proven over time that it’s technology agnostic. Whichever anti-phishing solution companies use, an attack is bound to infiltrate any system eventually. Despite the recent uptick in its appearance in management discussions, phishing has remained constant. From the first recorded attack on AOL users back in 1995 to recent statistics, phishing as an attack vector hasn’t subsided.
After all, phishing is a social engineering attack—it preys upon the vulnerabilities of people, not technology. So it’s not surprising the cybersecurity community’s historical approach to finding an anti-phishing solution was based on attempts to take the human factor out of the equation (e.g., deliver security solutions that are purely technological). As a result, security training took a backseat to tech-driven security solutions, and obviously, this didn’t provide optimal results.
But there’s been a shift in recent years. Security training is no longer the stepchild of technology-driven security solutions—it’s become a true force. Training enables organizations to fight back against phishing by leveraging the positive side of human psychology while getting both management attention and budgetary consideration. Here are just a couple of reasons why training is conquering the anti-phishing landscape:
Security Training Offers a Higher Marginal Value
The contribution of security training to organizational security overall is much greater than that of other security technologies. Why, exactly? The average organization has plenty of security solutions in place as part of an in-depth security strategy. Adding yet another technology, whether it’s email scanning, spam filtering or a URL testing tool, will indeed add some security. However, no number of new technologies can reinvent or retool a company’s security culture.
This is why security training—specifically automated phishing simulations—is a unique tool in the anti-phishing scene. It can effect change in the security culture of a learning organization, which has more enduring benefits than any technology-based response. It’s unparalleled by existing security solutions, and investing in it yields high—and sustainable—returns.
Security Training Accounts for the Human Factor
Phishing is always evolving. Attackers continually test their changes against cutting-edge security technologies, collecting information and refining their weapons. Sometimes these adaptations are very small—almost unnoticeable, in some cases. But even small changes in an attacker’s approach can require big investments from a security vendor—especially if they hope to counter these changes in real time. This, again, is why security training is the answer. It’s a completely different ball game when you leverage the power of your people in your security initiatives:
- First of all, every person in an organization is unique. They have different interests and concerns, both inside and outside of work. When no training occurs, a hacker can just send any phishing email and expect sufficient results. But as employees get trained, their resilience to various attacks grows, forcing the hacker to expose themselves with more and more attempts.
- Secondly, people are fast learners, faster than we security professionals care to admit. That’s why we see an increased rate of technological adoption—because people are quickly learning how to use new technologies. When their learning is stimulated through training, people can adapt surprisingly fast to changes in the security landscape.
- Last, but not least, security awareness training has come a long way from basic awareness solutions. Some vendors are already using micro-learning techniques, with the leading ones using adaptive training. These types of training facilitate shorter learning cycles and create higher engagement rates.
Given the advantages that security training offers over technology-driven solutions, we aren’t surprised to see prospects and customers investing more and more of their time and money in smart anti-phishing learning automation. And as a result, they see a twofold increase in their return on investment, both in terms of the effectiveness of their anti-phishing efforts and in their overall security operations.
As phishing becomes more pervasive, organizations are learning that security training can be their most effective first—and last—line of defense against ever-more-sophisticated attacks.