There have always been two sides to this story: either you passionately believe in phishing awareness training, or you think it is a complete waste of company resources. While it can be difficult to see the other side of the argument, the truth is that there is no hard statistical evidence to strongly support security awareness training (SAT) or to dismiss it entirely. It may well be true that continuous, engaging training programs raise employees' awareness of the risks of a file-borne attack. However, the question is not whether employees can become more aware of the problem, but whether they are capable of stopping it.
In other words, does employee cybersecurity awareness training work to the extent that employees no longer open socially engineered attachments or click on malicious links? The answer to that question is quite decisively no.
It only takes a few quick examples to demonstrate this. According to TechTarget, 43 percent of employees are not aware that clicking a suspicious link or opening an unknown attachment in an email is likely to lead to a malware infection, and 1 in 3 employees think nothing of bypassing the password on their laptop or mobile device. These are just a few of many examples demonstrating that people are always going to be the easiest route into a targeted network, no matter how well trained they are. Keep reading to learn why this is, and how you can change your tactics.
Why Phishing Awareness Training Will Never Be Enough
Security awareness training's biggest critics usually claim it doesn't work for a multitude of reasons: today's employees have short attention spans, the training programs are typically boring, they have no lasting effect, they lack user interaction and involvement, or they scare employees rather than teach them. However, these reasons don't tell the whole story. Here are the real reasons why these programs can never result in full security compliance:
1. People don’t change behaviors just because they gain more information.
If it were, none of us would smoke, live an unhealthy lifestyle, or eat ice cream. That is why increasing phishing awareness will never have a significant or long-lasting effect on a company's cyber protection, and the ultimate proof is in the attack methods cybercriminals are using today. Many of the most infamous attacks in recent years contained a sophisticated, socially engineered phishing component at some point, which brings us to the second reason why SAT will never be enough.
2. Tricking people is always going to be easier than tricking computers.
The reality of cyber attacks today is that there are so many entry points in the data flow going in and out of the organization that employees cannot possibly have the ability, or be held responsible for, protecting their company against file-borne attacks, including zero-day exploits. Whether via file-sharing platforms, through the web, or in innocent-looking email attachments, employees are constantly bombarded with documents arriving through endless channels, and they cannot be expected to analyze every single one to pick out the malicious ones. Against that volume, they simply don't stand a chance.
Bruce Schneier describes it well: “If four-fifths of company employees learn to choose better passwords or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in.” In other words, no matter how well trained your employees are, they will never be resilient against sophisticated, socially engineered exploits.
Employees shouldn't be the company's gatekeepers, because they can't be the first line of defense against exploits hidden inside documents.
3. The focus must be placed on creating a threat-free file environment.
And so, if we can't rely on the people within the organization to stop falling into file-based traps, the alternative has to be a solution that never lets users make the bad decision in the first place. If the decision is never put in front of them, the attack has far less chance of succeeding. If we want to relieve employees of the burden of protecting the network, we need to secure the entire data flow, whatever the channel. Given the number of incoming data channels, the only way to create a clean file environment is to disarm documents completely. The goal should always be to sanitize each file before it can reach an employee, in a fully automated way and without disrupting the company's workflow.
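To make the "disarm before delivery" idea concrete, here is an added example written for this page (it is not Votiro's implementation and says nothing about how Positive Selection works internally). It takes a macro-enabled Word document and rebuilds it from an allowlist of known-good package parts: the VBA project, the embedded OLE object and the external hyperlink never make it into the output, the relationship and content-type tables are rewritten to match, and the body text survives with the dead link unwrapped. The allowlist, the constructed sample .docm, the example.com link and every helper name are assumptions made for the illustration.

```python
"""Added illustration of a positive-selection (CDR-style) rebuild of an OOXML file (not Votiro's code):
only allowlisted parts are copied into a fresh package; macros, OLE objects and external links never reach it."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Hypothetical allowlist. settings.xml is left out on purpose: it can hold an external attachedTemplate.
SAFE_PARTS = [re.compile(p) for p in (
    r"\[Content_Types\]\.xml", r"_rels/\.rels", r"word/document\.xml", r"word/_rels/document\.xml\.rels",
    r"word/(styles|fontTable|numbering)\.xml", r"word/media/[^/]+\.(png|jpe?g|gif)")]
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def sanitize_rels(xml, base_dir, kept):  # drop External rels and rels whose Target is not a surviving part
    root, dropped = ET.fromstring(xml), set()
    for rel in list(root):
        target = rel.get("Target", "")
        part = target.lstrip("/") if target.startswith("/") else posixpath.normpath(posixpath.join(base_dir, target))
        if rel.get("TargetMode") == "External" or part not in kept:
            dropped.add(rel.get("Id"))
            root.remove(rel)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), dropped

def sanitize_content_types(xml, kept):  # keep entries for surviving parts; demote the .docm main part to .docx
    root = ET.fromstring(xml)
    for el in list(root):
        if el.tag.endswith("}Override") and el.get("PartName", "").lstrip("/") not in kept:
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def sanitize_body(xml, dropped_ids):  # remove runs that reference a dropped rel; keep the text of dead hyperlinks
    root, r_attr, run, link = ET.fromstring(xml), "{%s}" % R_NS, "{%s}r" % W_NS, "{%s}hyperlink" % W_NS
    refs_dropped = lambda el: any(k.startswith(r_attr) and v in dropped_ids for e in el.iter() for k, v in e.attrib.items())
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in (run, link) and refs_dropped(child):
                idx = list(parent).index(child)
                parent.remove(child)
                if child.tag == link:  # the visible text survives, the URL does not
                    for offset, inner in enumerate(list(child)):
                        child.remove(inner)
                        parent.insert(idx + offset, inner)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def sanitize_ooxml(data):  # rebuild the package from allowlisted parts only; returns (clean_bytes, report)
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    kept = {n for n in names if any(p.fullmatch(n) for p in SAFE_PARTS)}
    parts, dropped_ids = {}, {}
    for name in kept:
        payload = src.read(name)
        if name == "[Content_Types].xml":
            payload = sanitize_content_types(payload, kept)
        elif name.endswith(".rels"):  # x/_rels/y.rels resolves its Targets relative to x/
            payload, dropped_ids[name] = sanitize_rels(payload, posixpath.dirname(posixpath.dirname(name)), kept)
        parts[name] = payload
    if "word/document.xml" in parts:
        ids = dropped_ids.get("word/_rels/document.xml.rels", set())
        parts["word/document.xml"] = sanitize_body(parts["word/document.xml"], ids)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(parts):
            dst.writestr(name, parts[name])
    report = {"removed_parts": sorted(set(names) - kept),
              "dropped_rel_ids": {k: sorted(v) for k, v in dropped_ids.items() if v}}
    return out.getvalue(), report

def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def body_text(data):  # visible text left in the sanitized document
    root = ET.fromstring(read_part(data, "word/document.xml"))
    return " ".join(t.text or "" for t in root.iter("{%s}t" % W_NS))

def build_sample_docm():  # constructed input, not a real sample: VBA project, OLE object, external link, one image
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    ct = (f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="png" ContentType="image/png"/>'
          f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    root_rels = f'<Relationships xmlns="{PR_NS}"><Relationship Id="rId1" Type="{rel}officeDocument" Target="word/document.xml"/></Relationships>'
    doc_rels = (f'<Relationships xmlns="{PR_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                f'<Relationship Id="rId2" Type="{rel}image" Target="media/logo.png"/><Relationship Id="rId3" Type="{rel}oleObject" Target="embeddings/oleObject1.bin"/>'
                f'<Relationship Id="rId4" Type="{rel}hyperlink" Target="http://example.com/login" TargetMode="External"/></Relationships>')
    doc = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}" xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
           '<w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p><w:p><w:hyperlink r:id="rId4"><w:r><w:t>Review payment</w:t></w:r></w:hyperlink></w:p>'
           '<w:p><w:r><w:object><o:OLEObject r:id="rId3"/></w:object></w:r></w:p></w:body></w:document>')
    files = {"[Content_Types].xml": ct, "_rels/.rels": root_rels, "word/_rels/document.xml.rels": doc_rels,
             "word/document.xml": doc, "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake VBA project",
             "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 fake OLE payload", "word/media/logo.png": b"\x89PNG fake"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in files.items():
            z.writestr(name, payload)
    return buf.getvalue()
```

Calling sanitize_ooxml(build_sample_docm()) returns the rebuilt package plus a report naming the two dropped parts and the three dropped relationship IDs; the body text "Invoice attached. Review payment" is still there, but the link, the macro and the OLE payload are gone. The design point is that nothing is inspected for maliciousness: a part is either on the allowlist or it is not copied, which is why an unknown exploit in the VBA or OLE stream never gets a chance to run. Two caveats a real deployment has to settle: a document that legitimately needs macros comes out without them, so an exception path is needed, and the allowlist is per format (PDF, XLSX, images), so it cannot simply be reused across file types.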
Votiro Can Step In Where Your Phishing Awareness Training Leaves Off
Relying on your employees to remember every detail of their phishing awareness training is never going to be as effective as you would hope, and, to be fair, they shouldn't have to live with that level of pressure. This is precisely what Votiro Cloud (SFG) is designed for: sanitizing every file coming from the web, email, USB ports, file transfers, or content collaboration platforms before it reaches the organization's network. SFG is a patented solution that secures all incoming files against known and unknown attacks using Votiro's Positive Selection technology, which strips hidden exploits from any document. Once the file has been disarmed, it is fully reconstructed and is safe to download, open, save or use, no matter where it came from.