Employee Security Training Proven Not Enough
2021-02-16 20:18:18 Author: perception-point.io

Train the machine—not just the employee.

Hackers know many companies rely on employee training alone, so they’ve been upping their game to trick even the most savvy employees into phishing scams.

Phishing email attacks are nothing new. They have been around for 15 years, but they are still one of the top risks for businesses today. A quick Google search of “how to spot phishing email scams” will show you articles from as far back as 2006.

So Why Are These Scams Still Happening?

Advice to employees has remained the same, yet after 15 years of knowledge about phishing (and of training employees), the attacks still happen. In fact, these types of attacks have been increasing. According to Verizon’s latest Data Breach Investigations Report, more than two thirds of data breaches involved social engineering attacks such as phishing.

Phishing Training Isn’t That Effective, Unfortunately

A research group from Vanderbilt, Dartmouth, and MITRE put test subjects through extensive training on detecting and avoiding phishing scams. 90 days later, the subjects had forgotten most of what they learned and were susceptible to phishing emails at the same rate as before the training.

The results above show that if 15 percent of employees are still susceptible after training, that’s still 3,000 employees likely to interact with a phishing email. A study from Carnegie Mellon came to similar conclusions: employee training alone is not enough.

So, while security awareness training helps organizations meet their regulatory and legal requirements, it’s not enough to stop phishing breaches.

Using Phishing Training Programs Alone is Not Enough

  • Not always up-to-date. You simply can’t train on the unknown. New phishing scams pop up regularly and can hit without warning—unless you have the right protection in place.
  • Error-prone. Humans aren’t computers. We make mistakes. For anything security-related, we shouldn’t be the only line of defense. For example, as long as a fake email looks more or less the way users expect it to, most of them will carry on with their normal routine.
  • Not flexible. Companies that see a lot of employee turnover will have a hard time making sure each new employee receives the correct training at any given time.
  • Labor-intensive. Training can be labor-intensive and time-consuming. In companies with regular turnover, it can be difficult to keep up, because you constantly have to train new employees.
  • Costly. There are many programs out there dedicated to training employees. Prices vary depending on the type of training, and not all programs have the same features. Some offer pen testing, phishing simulations and more. One of the most well-known training companies is KnowBe4.

Security Awareness Training Programs

We put together the following list of some of the most popular training programs available today.


Perception Point Hack

You shouldn’t rely on employees to notice sophisticated phishing attacks themselves. Instead, we suggest following Gartner’s advice about installing extra security protocols.


Unfortunately, training is not going to stop the problem 100 percent of the time. And even with other security controls to prevent or contain an incident, there still may be a breach and cleanup. As with any control, the goal is to reduce the risk to an acceptable level, then live with the residual risk.

Train the Employee AND the Machine

Unlike a person, the Perception Point solution can tell when an email is a forgery and send it straight to quarantine, or deliver it with its links disabled and a warning attached.


Source: https://perception-point.io/employee-security-training-proven-not-enough/