Beyond Awareness: Security Training Alone Can’t Defend Against Phishing

Al Lyle
4 min readOct 3, 2023
Photo by Bermix Studio on Unsplash

A Digital Reality: Challenges of Phishing Attacks

Phishing attempts toward organizations have become commonplace, an unsettling fact we must accept in a digital world. But this acceptance doesn’t mean organizations shouldn’t protect themselves against such threats, it would be reckless and irresponsible not to. A successful phishing attack can cause irreparable harm to a business’s operations, finances, and reputation. It’s crucial to mitigate phishing attempts in a tiered fashion that minimizes the success of these attempts. This approach demands both recurring training and technical countermeasures. Relying on just one is a recipe for disaster. Moreover, the quality of these mechanisms must match the scale of the threat landscape.

I won’t delve into phishing statistics, as this information is readily available online and can become nuanced when considering different industries and verticals. What’s important to note is that attacks evolve and often (if not always) outpace the countermeasures in place. Therefore, it’s imperative that no single defense be relied upon. I’ll explain why.

Expecting Too Much: The Overreliance on Awareness Training

Some organizations believe they’re susceptible to phishing attacks due to a lack of security awareness. There’s some truth to this belief. Users, being naturally curious, often wanting to help others, and don’t wish to be singled out as the weak link. Security awareness training highlights phishing and fosters understanding, but it often doesn’t translate into consistent practice. Why? For many, it’s not a top priority, and they think, “We have an IT or cybersecurity department that handles that.” Is this belief justified? Perhaps.

While some IT and security personnel might disagree, there’s merit to this mindset. A finance analyst, for example, has their core role to focus on. While they should certainly be vigilant about phishing emails, it’s not their primary concern. Expecting constant heightened awareness is unrealistic.

There are voices that advocate for more frequent training, with consequences for lapses. However, this approach may lead to training fatigue, over-reporting of benign emails, decreased productivity, and even staff turnover. I’m not suggesting training is useless, but in security, prevention is the key.

Supporting Our Users: Combining Awareness with Actionable Safeguards

So, despite rigorous training, users still fall for phishing tactics. At the end of the day, that’s on management. Expecting flawless awareness from employees is unreasonable. You wouldn’t place undue expectations on a child, right? Overburdening them might leave you with a resentful or fearful individual. While I’m not equating users to children, the foundational principle holds.

To effectively address phishing, we need to set users up for success. By implementing strong technical countermeasures, we reduce the burden on users. They should watch for red flags like misspellings and suspicious links, but what if the attack is exceptionally sophisticated, with AI-generated content or obfuscated URLs? Should they be expected to dissect email headers?

It’s evident that users aren’t security experts. If they were, many professionals would be out of jobs. We need advanced security technologies from trusted vendors. Generic solutions are often no better than rudimentary spam filters.

Recommendation

My recommendation? Bi-annual general security awareness training for all staff, with additional sessions for key roles and executives. A top-tier mail security gateway, properly configured, should be the primary line of defense. This strategy will likely cut down on user errors, emergency responses, stress, and financial hits. Employing a defense-in-depth approach enhances our chances against malicious actors.

About the Author: Al Lyle (LinkedIn)

With over two decades in the IT and cybersecurity realm, Al Lyle stands as a seasoned veteran in the field. As the proud owner of Cyberpacket Technology Consulting, Al boasts an impressive array of credentials, including CISSP and C|EH certifications.

Al’s commitment to the world of cybersecurity and IT is not limited to the professional arena alone. He has imparted knowledge at the university level, teaching online undergraduate courses further nurturing the next generation of cyber professionals.

Holding a Master of Science in Information Technology with a focus on Information Assurance, Al’s expertise goes beyond just knowledge; it’s about application. He has held pivotal roles in IT and Cybersecurity Management. Moreover, his technical acumen shines through in his time served in Security Engineering, Security Operations, Digital Forensics, Cyber Threat Intelligence, and Vulnerability Management roles at a senior technical level.

Additionally, Al is the author of the book “Cybersecurity Simplified: In Less Than 100 Pages”, aiming to break down cybersecurity topics for readers of all backgrounds.

When it comes to cybersecurity, Al Lyle is more than just a professional — he’s a dedicated advocate, educator, and leader.

--

--

Al Lyle
Al Lyle

Written by Al Lyle

0 Followers

20+ yr IT/cybersecurity vet Al Lyle owns Cyberpacket Technology Consulting, has taught undergraduate online courses, and authored "Cybersecurity Simplified."