Human error is the main contributor and accelerator of data breaches and security attacks. That’s why, when I was a CISO at a major enterprise, I built a 5-year plan that included employee training for phishing attacks. Phishing is dangerous for organizations because it takes just one trusting employee to create a snowball effect that will result in a security breach. But the damaging effect of phishing can be reduced with adequate training and the right tools.
Here’s how I used to train my employees to avoid phishing scams, and how to react if your network does get infiltrated by an attacker.
The 3 Steps of Phishing Training
My phishing training for our employees was divided into three main steps.
First, I would send out the most basic and unsophisticated phishing emails. An equivalent of the Nigerian prince scam, if you will. My goal was to understand the severity of the situation in the organization. I want to be able to account for the vulnerability of the human factor when mapping out our attack surface. Unfortunately, we started out with a 40%(!) failure rate. This means 40% of the employees handed over their username and password to a potential attacker.
After undergoing in-depth security training and raising awareness among employees for phishing attacks, they were ready for step two: replicating real phishing attacks from other organizations. I would research different phishing attacks that attackers attempted in different organizations, and tested how these perpetrators would “succeed” in my organization. This is an important step because it is a reliable test that exemplifies the real-life vulnerability of the organization.
The last step was the most crucial and advanced one: personalized phishing attacks. Scammers today are much more sophisticated than a few years ago. They gather information about their victims from social media and other means, and they know how to approach in a manner that builds trust. In this step, I would send phishing emails with targeted information based on employees’ job role, department and additional personal factors.
For example, finance people were targeted with requests to wire money to a supplier’s alleged new account, engineering-targeted emails were focused on the intellectual property, HR was challenged to share employees details and information via a spoofed or copycat HR contractor, and more.
We called these advanced drills “cyberdrills” and turned them into a competition between business units, as a means to drive improvement. This was not a shaming competition, but rather a positive celebration of department and employee excellence. Management was always involved in these drills, as a means to get buy-in and improve employee engagement and how much they cared.
At our best, after three years of training, we reached a 5% failure rate. While this is a significant improvement from the 40% we started with, it still meant that potentially, 5% of the users would give an attacker their username and password, i.e provide them with access to the system. One employee is too much, because attackers just need one to penetrate the network.
This means that CISOs need additional tools to help prevent phishing scams and protect the organization in case a phishing attack takes place. This will also give management confidence once it’s reported (which should be as soon as possible).
The CISO Triangle
Being a CISO is a challenging and exciting job, because it requires both a deep technical and psychological understanding. For every strategic decision you make as a CISO, you need to take three different security categories into account:
Technologies - which technical tools and capabilities are available for thwarting attacks and protecting the organization.
People - human behavior, which is unpredictable and is also the biggest security risk for the organization.
Organizational process - security is not an isolated event that occurs in a vacuum. Rather, it has to support and accelerate business needs.
I like to call these three factors the CISO triangle. This is because when building a long-term plan and deciding on the company’s security measures - the demands and vulnerabilities of each of these three categories has to be taken into consideration. Solving one of them isn't enough. You can implement the newest and best tools available in the market. But if a perpetrator adequately socially engineers one of your employees, it could be game over.
Solving the Phishing Challenge with Zero Trust
Phishing training helps solve the human factor. But it is impossible to reach 100% awareness among employees and completely block attackers from manipulating people. Even if a CISO is able to get 299,999 employees out of a 300,000 people organization to thwart phishing attackers, the one remaining employee is enough to put the entire organization at risk.
This is where the technology aspect comes in and helps protect organizations. The zero trust security framework can answer the phishing gap. In the zero trust model, users can only access applications and resources after they are identified and authenticated. The model eliminates transitive trust and identifies and authenticates devices, users, and identities, not networks and IPs. In addition, the network is cloaked for users, preventing network visibility.
This means that even if an employee falls victim of a phishing attack, they most likely won't give the perpetrator access to the organization's crown jewels. As a result, zero trust reduces the attack surface and improves the security posture, even in the case of phishing attacks.
I loved being a CISO and working to overcome the challenges and obstacles that came my way. Our phishing training was a huge success, and by complementing it with zero trust, I was able to significantly reduce our attack surface. Zero trust also solves the third, organizational challenge, because it enables protection without stopping accessibility and connection to organizational resources.
If you’d like to hear more about zero trust and our solution, let’s talk.
