The Evolution of Phishing Awareness Training
By Cian Fitzpatrick | 22nd July 2024
Crime is as old as history. We just can't help ourselves when it comes to greed and outsmarting our fellow humans. One could argue that Adam and Eve were our first criminals, nicking the apple that started it all. Nowadays, we'd refer to that apple as "data". Worth a lot of money and power, "data" is the hot commodity on the criminal streets. And phishing awareness training has developed to thwart threats to this precious resource.
The invention of the internet brought tremendous benefits and convenience; it opened a world that changed how we do everything. But it was also a Pandora's Box, as we know in hindsight.
Anyone who worked in an office in the '90s would remember the terror when the Melissa virus struck; it remains the most notorious in history, and was also the first real virus to make a global impression. Cybersecurity "training" consisted of an email from the IT department telling staff not to open .exe files. That was the extent of it. In fact, the term "cybersecurity" was still to be coined.
As the internet surged, hacking became about more than just proving your smarts. It became monetised and grew beyond clever, maverick kids with time on their hands. It became organised crime. And looking back from where we are now, it was quite naïve in many ways. Dead presidents' wives from Timbuctoo would drop you an email, saying they had millions stashed away and they needed help to move the money, at no risk to you, but incredibly viable, of course. Poorly written, we'd now call that approach "simplistic".
… and then came social media…
The dawning of social media changed something fundamental within our psyche. We were all making our personal data accessible online to everyone. Willingly. Oh what a joyous day! Then Covid happened and absolutely everything went online. Even more of a joyous day.
The FBI says that cybercrime went up by 300% since the start of the pandemic. Viruses took a bit of a back seat as criminals honed their social engineering skills, and phishing became, and remains, the most prolific and successful means of harvesting data. Social engineering relies on our basest human traits, our fallibility, and two-way emotional engagement, slowly reeling us in (hence the term "phishing").
Training has had to evolve from a simple warning message in an email to a far more complex approach that is interwoven into company culture, with a focus on countering the psychological and behavioural tactics of cybercrime. It has become not only an ongoing awareness-building process; more importantly, it needs to lead to a change in behaviour.
Each and every employee has a role to play and everyone is responsible, rather than, as historically, the IT department being where the buck stopped.
The number of data breaches due to phishing attempts shows that people continue to become victims of social engineering. Training is clearly falling short.
And while training is an essential part of a cybersecurity programme, it needs to be the right training, relevant to its recipients and their departments. It can quickly become a box-ticking exercise, with content that is dull, irrelevant or out of date.
Computer-based training, or CBT, gives an organisation an estimated 20% protection. This is a form of learning done on a computing device, presenting videos and possibly some interactive training. While this is useful as part of a greater training programme and helps build awareness, it's not enough. In fact, Microsoft suggests that video-based training alone reduces phish-clicking behaviour by a mere 3%.
Simulation training and awareness campaigns are a vital addition to training programmes, and we estimate that they provide about 40% of protection to an organisation's data.
Gartner says that 82% of data breaches are as "a result of employee behaviours that were unsecure or inadvertent." This could refer to behaviours like re-using passwords on multiple accounts, or a tendency to open emails from unknown sources.
Unintentional poor security practices are poor security practices nonetheless. Something isn't working. Phishing techniques are evolving daily, but human behaviour is lagging. Gartner says that "by 2026, enterprises combining GenAI with an integrated platforms-based architecture in security behaviour and culture programs will experience 40% less employee-driven cybersecurity incidents."
Shaping behaviour is our best bet right now. We estimate that nudge-based training and real-time behavioural training with a human-centric approach provide about 80% protection.
Our behaviour is influenced by small decisions that we make constantly. We make so many little choices on a daily basis, from what time we set our alarm in the morning, to how we have our coffee, to choosing which email to open first. Many of these decisions are influenced by small "nudges" or interventions that guide us towards a particular choice. This is known as "Nudge Theory", and it shapes our decisions and influences our behaviour.
Nudge Theory famously came into the spotlight in 2009 with a news article describing how authorities at Schiphol Airport placed small stickers that look like flies in the bottom of urinals. The idea was that users would have something to aim at, and it worked. Spillage was reduced by 80%.
An old, but probably well-known nudge, was McDonald's "would you like to supersize that?", which was done away with in 2004, for obvious reasons. An example of a design nudge would be an ATM dispensing cash only after returning your bank card, to stop you walking off cardless. Once you're aware of this, you'll see it everywhere and realise how our behaviour is nudged in one direction or another, often resulting in a habit.
Nudges in cybersecurity training include prompts to encourage password best practice, for example, or "are you sure?" messages when you click on a link that may not have the correct digital security certificates. These small but frequent reminders bring the issue of security to consciousness: little cues that nudge users towards more mindful online behaviour.
There's a fine balance between using nudge techniques effectively and not intrusively. If a nudge hampers usability too much, users will find ways around these frustrating security measures, which then have the opposite effect.
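As an added illustration of the "are you sure?" link nudge described above (example code written for this page, not code from the article or from Topsec), the snippet below intercepts link clicks in a browser and only interrupts the user when the link looks inconsistent: the visible text shows one domain while the destination is another, or the destination is not served over HTTPS. Every other click goes through untouched, which is what keeps the nudge from becoming the kind of intrusive friction the paragraph above warns about. The function names, the simplified base-domain comparison (last two labels, no public suffix list) and the constructed sample links are all assumptions made for this example.

```javascript
// Added example: a link-click "nudge" for the browser.
// Hypothetical helper names; not from the article or from Topsec.
// Uses only the global URL class (available in browsers and Node).

// Simplified base-domain extraction: keeps the last two labels of a hostname.
// Assumption for the example: a real deployment would use a public suffix list
// so that e.g. "bank.co.uk" is not reduced to "co.uk".
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Decide whether a click deserves an "are you sure?" prompt.
// Returns a short reason string when a nudge should be shown, or null when
// the link looks consistent and the user should not be interrupted.
function linkNudgeReason(href, displayText, currentPageUrl) {
  let target;
  try {
    target = new URL(href, currentPageUrl); // resolves relative links too
  } catch {
    return 'link target could not be parsed';
  }
  // mailto:, tel: and similar schemes are not web destinations; leave them alone.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;
  if (target.protocol === 'http:') return 'link is not using HTTPS';

  // If the visible text itself looks like a URL or hostname, compare what the
  // user sees with where the link really goes.
  const shown = displayText.trim().match(
    /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#].*)?$/i
  );
  if (shown && baseDomain(shown[1]) !== baseDomain(target.hostname)) {
    return `text shows ${shown[1]} but the link goes to ${target.hostname}`;
  }
  return null;
}

// Wire the check into a document: on a flagged link, ask before navigating.
// confirmFn is injectable so the logic can be exercised without a real dialog.
function installLinkNudge(doc, confirmFn) {
  doc.addEventListener('click', (ev) => {
    const anchor = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!anchor) return;
    const reason = linkNudgeReason(
      anchor.getAttribute('href'),
      anchor.textContent,
      doc.location.href
    );
    if (reason && !confirmFn(`Are you sure? ${reason}`)) {
      ev.preventDefault(); // user declined: stay on the page
    }
  }, true); // capture phase so the check runs before other click handlers
}

// Constructed sample links for the example (not real sites).
const SAMPLE_LINKS = [
  { href: 'https://evil.example.net/login', text: 'https://bank.example.com/login' },
  { href: 'http://intranet.example.com/page', text: 'Staff handbook' },
  { href: 'https://intranet.example.com/page', text: 'Staff handbook' },
  { href: 'mailto:it@example.com', text: 'Ask IT' },
];

// Run the check over the samples; returns the reasons (null = no nudge).
function checkSamples(currentPageUrl) {
  return SAMPLE_LINKS.map((l) => linkNudgeReason(l.href, l.text, currentPageUrl));
}

// Only install the click handler when running inside a browser.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installLinkNudge(document, window.confirm.bind(window));
}
```

The first sample (visible text naming one domain, destination on another) and the second (plain HTTP) produce a prompt; the third and fourth are left alone. The `confirmFn` parameter exists so the decision logic can be tested without a dialog, and the capture-phase listener ensures the nudge runs even on pages whose own scripts handle clicks.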
Not only is it best practice to provide constant training to staff, it's been legislated by the Information Commissioner's Office, which provides a comprehensive guide on how training and awareness-building should be conducted to ensure positive behaviour changes.
But whether it's the law or not, the costs of a data breach are enormous, often resulting in company closure and lost jobs.
It takes one small error in judgement, sometimes through ignorance, sometimes through negligence; but if awareness and a sense of responsibility become intrinsic to the spirit of the company, risk is vastly reduced.
Topsec's Managed Phishing Awareness Training is used by many companies of all sizes across multiple sectors as part of their cybersecurity defence moat. Our client testimonials are included on this page. Take a look for yourself and contact us to help your firm with its phishing awareness training needs. We'd be delighted to assist!