Phishing Training is a Tool, Not a Solution

If You Find Yourself Frequently Blaming Users for Successful Attacks, You Know Your Security is Not Working

Training users to recognize phishing is a best practice, an important “tool in the toolbox” as an IT manager once told me, and definitely something I agree with among a list of steps to improve one’s security posture. But I’ve heard anecdotes recently about IT managers prioritizing training above investing in better automated security, and have begun to wonder if training firms and many security providers who now offer it have been a bit too successful in their marketing, effectively convincing many that the job of protection should be shifted to the end user. 

A lot of phishing training is going on. A recent study by Osterman Research asked organizations a series of questions about phishing and user training, among other issues, and ascertained that 93% of organizations give their employees some kind of phishing awareness training. Of course, doing this “right” is not in everyone’s budget, or runs quickly into a limit of tolerance on the time to be taken from the schedules of busy employees. 

Can you (really) spot the fake?

Such training, everyone agrees, is good. Everybody knows that security is about layers, and having alert users is another layer. But anybody signing up for sessions for their company should understand it in that context—it’s another tool, not a solution. I was struck in the Osterman survey report by the fact that over half of IT and security managers rate their users “highly” or “extremely” capable of recognizing mass phishing and spear phishing emails (59% and 54%, respectively). What’s generating such confidence among this group? Personally, I’m not as sanguine. I see examples of phishing emails and spoofed web sites all the time, and while many fall to the quality level associated with Nigerian scams, I’m frequently struck by the subtlety of the approach, the high quality of the imitations, and the deceptive tactics employed. In considering the ability to spot the phish by a general employee population working away in the frenzy of their email-inundated lives, such a level of optimism contradicts my own anecdotal sense of things. A CIO at a large company told me recently that he feels that 40 percent of his users will “click on anything,” which seems realistic to me, and, if true, still means 60 percent of users are bringing some utility to the task of identifying phishing emails. It’s an attitude that makes room for the benefit of training in contributing to stopping some phishes, without over-relying on it.

I have to point out that, even when an alert user does their duty, the phish may still happen, because we’ve already entered the realm of possible human error. One case in point is the phish of campaign advisor John Podesta’s Gmail account during the (Hillary) Clinton campaign. Podesta thought the password reset email he received odd, so his assistant forwarded it to a security analyst working with the campaign, which led to arguably the most famous typo in IT security history—the consultant accidentally wrote “legitimate,” when he knew the email was a phish, and had intended to write “illegitimate.”

Blame the victims?

It’s a truism of security that users are the Achilles heel or “weak link” in any system of defenses. I recognize the wisdom in this, although sometimes it sounds to me a bit like blaming airline passengers for their plane going down. It seems at any security event today, there is a lot of touting of user training by user-education and, more recently, large security companies, pushing messaging along the lines of “protection starts with people”. Is this really the user’s responsibility? We don’t expect them to delete their own spam or to really know what attachments to click on. Are we in the process of giving up on technology’s ability to block phishing? 

Security is the weakest link – not the user

My view is that if you find yourself frequently blaming users for successful attacks, you know your security is not working. I agree that we should be thinking about how users work, what they do and how it affects the security posture of the business, but does security really start with them? If you start from the premise that IT should be an enabler for employees to be more productive, then it follows that security should protect them automatically. True, no system is infallible, and I’ve already acknowledged the importance of layered security, but my advice is do not let your email security vendor get away with delivering phishing emails to your users—they should just block them. Do not let your web security provider get away with allowing users to connect to phishing sites—they should just block the connections. It’s time to swing the pendulum back, and put the responsibility to do battle with phishing campaigns back where it most correctly belongs—on the security systems.

Original author: Siggi Stefnisson