Simulated phishing attacks can be an effective security awareness and training tactic that helps companies educate employees on how to avoid growing cyber security threats, a new report said.
Security leaders from the major vertical sectors — finance, manufacturing, health, and entertainment — have adopted a new approach to user awareness, simulated attack training, according to the report by Wombat Security Technologies.
“Phishing, and the more targeted and sophisticated spear-phishing, is the weapon of choice for the modern cyber criminal and is used by the more organized hacker for data and intellectual property theft,” said Perry Carpenter, former security awareness analyst from Gartner who is now working as a security expert in the financial sector. “While there is no foolproof technological defense, contemporary thought now focuses on training the user to recognize and resist targeted social engineering.”
More than anything else, the report shows how simulated attack training introduces measurement into awareness training: not only is it effective, but its effectiveness can be measured and monitored over time, so that training effort can be directed at the highest-risk people and topics where it is most cost-efficient.
The report has a checklist on how to implement and manage simulated attack training as part of a continuous training methodology, including:
• Get internal buy-in from executives across departments. Involve the executive team early, either by including them in the simulated phishing attacks or through third-party advice (analyst firms or industry contacts)
• Assess the existing level of user awareness prior to starting a new simulated attack methodology
• Use the upfront assessment data, combined with new data from the simulated attacks, to prioritize future training
• Provide training that applies learning-science principles so that the “students” retain what they learn for longer
• Review the data returned from simulated attacks and training to determine what to schedule in the next round of training and assessments
• Ensure any awareness training program is a continuous process: Heightened user awareness loses value if you don’t reinforce learned concepts over time.
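The checklist above is a measurement loop: assess a baseline, run a mock attack, train, run another, and compare. The following is an added example, not code from the report or from Wombat Security Technologies, of what that measurement step looks like in practice. The campaign records, user names, department names and lure topics are constructed sample data; the susceptibility metric (fraction of recipients who clicked) and the risk threshold are assumptions chosen for illustration.

```python
"""Measure simulated-phishing susceptibility across training rounds.

Added example, not from the Wombat report. All records below are constructed
sample data for two mock-attack rounds with in-depth training in between.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    round_no: int
    user: str
    department: str
    lure: str        # social-engineering pretext used in the mock email
    clicked: bool    # followed the link or opened the attachment
    reported: bool   # forwarded the mail to the security team


# Constructed sample data (hypothetical users and departments).
RESULTS = [
    Result(1, "alice", "finance", "invoice", True, False),
    Result(1, "bob", "finance", "invoice", True, False),
    Result(1, "carol", "finance", "password-reset", False, True),
    Result(1, "dave", "engineering", "password-reset", True, False),
    Result(1, "erin", "engineering", "invoice", True, False),
    Result(1, "frank", "hr", "resume", True, False),
    Result(2, "alice", "finance", "invoice", False, True),
    Result(2, "bob", "finance", "invoice", False, False),
    Result(2, "carol", "finance", "password-reset", False, True),
    Result(2, "dave", "engineering", "password-reset", True, False),
    Result(2, "erin", "engineering", "invoice", False, True),
    Result(2, "frank", "hr", "resume", False, True),
]


def susceptibility(results, round_no, key=None):
    """Click rate for one round, overall ('all') or grouped by an attribute
    such as 'department' or 'lure'. Returns {group: fraction_clicked}."""
    counts = defaultdict(lambda: [0, 0])  # group -> [clicked, total]
    for r in results:
        if r.round_no != round_no:
            continue
        group = getattr(r, key) if key else "all"
        counts[group][1] += 1
        counts[group][0] += int(r.clicked)
    return {g: clicked / total for g, (clicked, total) in counts.items()}


def reporting_rate(results, round_no):
    """Fraction of recipients who reported the mock email; a rising value is
    the positive signal that complements a falling click rate."""
    rows = [r for r in results if r.round_no == round_no]
    return sum(r.reported for r in rows) / len(rows) if rows else 0.0


def reduction(before, after):
    """Relative drop in susceptibility between two rounds (0.8 == 80 percent).
    Undefined when the baseline is already zero, so return None rather than
    dividing by zero."""
    if before == 0:
        return None
    return (before - after) / before


def priority_groups(results, round_no, key, threshold):
    """Groups whose click rate in the given round exceeds the threshold:
    where the next round of training should be scheduled first."""
    rates = susceptibility(results, round_no, key)
    return sorted(g for g, rate in rates.items() if rate > threshold)


def summary(results, baseline_round, followup_round, threshold=0.25):
    """Round-over-round view a security team would review before planning
    the next round of attacks and training."""
    before = susceptibility(results, baseline_round)["all"]
    after = susceptibility(results, followup_round)["all"]
    return {
        "baseline_click_rate": before,
        "followup_click_rate": after,
        "reduction": reduction(before, after),
        "followup_report_rate": reporting_rate(results, followup_round),
        "riskiest_departments": priority_groups(results, followup_round, "department", threshold),
        "riskiest_lures": priority_groups(results, followup_round, "lure", threshold),
    }


if __name__ == "__main__":
    for k, v in summary(RESULTS, 1, 2).items():
        print(f"{k}: {v}")
```

With the constructed data the overall click rate falls from 5/6 to 1/6, an 80 percent reduction, while the reporting rate rises; the per-department and per-lure breakdowns show that the residual risk is concentrated in one group and one pretext, which is the input the checklist says should drive the next round of training.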
“There is strong evidence that continuous security awareness training that includes simulated attack training works to significantly reduce risk,” said Joe Ferrara, president and chief executive of Wombat Security Technologies. “As the report shows, we have seen susceptibility reductions of over 80 percent when comparing an initial mock attack to subsequent attacks when in-depth training is completed in between the attacks.”