Why Anti-Phishing Training Isn't Enough

It's time we take a hard look at why we rely so much on end users to catch phishing scams that can jeopardize an entire company. As hackers continue to advance their social engineering techniques, phishing attacks are becoming harder to detect and are missed 39% of the time. While you might think your anti-phishing training program is up to date, your organization will continue to be at risk as long as email is necessary for business operations.

Because we all engage with email daily, we have a degree of blind trust despite continuous, sophisticated anti-phishing training. On many occasions, hackers scheme to elicit emotional responses from their target — for example, by sending urgent messages "from" human resources or the CEO. These are more likely to result in improper downloads or email responses that can damage the entire organization.

File sharing over email is another necessary business function that puts the organization at significant risk for a breach. According to Proofpoint's "2021 State of the Phish Report," attachment-based attacks are becoming more common, and employees often cannot differentiate malicious emails from those with files they need to collaborate, especially when remote work is so common. Currently, the average failure rate in attachment-based attacks is 20%, far higher than for URL-based attacks, at 12%.

Why Anti-Phishing Training Isn't Succeeding
If you think this is solely a pandemic-related problem, think again, as it predates COVID-19. In 2019, 68% of organizations focused on raising awareness of link-based attacks compared with just 10% of organizations that put their efforts on attachment-based attacks. And 65% of the phishing tests with the highest failure rates were attachment-based, with most emails looking like they came from a recognizable internal account such as a supervisor or someone from the HR department.

Notably, the HR department is at increased risk for falling victim to an attachment-based attack because of the resumes and other files from outside sources it engages with daily. For example, in 2020, hackers were able to avoid a sandbox by sneaking malware inside resumes and medical leave forms.

Additionally, training that threatens to come down hard on employees who open an email from an untrustworthy source creates additional problems. Making employees feel like they are going to be fired if they fail a test or miss a dangerous email can create phishing training trauma.

Finally, programs can also come off as insulting. As an example, the Tribune Publishing Company received some backlash after it sent anti-phishing training emails promising significant bonuses — in the middle of a global pandemic when journalists were being laid off and experiencing salary cuts. Incidents like this can cause severe disconnections between the security team and the rest of the company. It also does nothing to build a sense of camaraderie or motivate people to learn more about security.

It's Time to Stop Blaming End Users
Beyond users being tricked by increasingly sophisticated — and socially engineered — phishing campaigns along with other cyber exploits, there are a plethora of threats that user awareness training — and most security solutions — can do nothing about. Solutions that rely on signature databases and cannot detect zero-day exploits or undisclosed threats may leave significant gaps. Zero-day malware is constantly being developed and evades some of the best detection mechanisms. Yet many organizations' security defenses focus largely on threat detection along with anti-phishing training.

These solutions may give end users a false sense of security that they are protected no matter what, when many threats can slip through the cracks. If a security solution cannot detect these threats, then why would you expect employees to be able to detect them? Deploying detection-based solutions and relying on user awareness training will not provide the protection that enterprises need.

Even if better-educated users could stop more attacks and create safer cyber ecosystems, overreliance on phishing training will come up short — especially given recent developments that are putting a strain on the awareness training in place. Once organizations shifted to large-scale remote work, phishing training moved down the list of priorities. And cuts to security budgets threaten to take funding away from more advanced and effective measures.

To put it simply, putting all your eggs in the cybersecurity-awareness basket is ineffective. Organizations should divert more resources to prevention solutions rooted in data and technology, which stand a much better chance of keeping up with the fast-changing threat landscape and don't put the onus on well-intentioned employees.