Stories in the press about corporate data breaches are now almost a daily occurrence. They delight in highlighting the latest horror story about a business that lost huge amounts of private data or millions in sales to the latest hack. Now that GDPR is in effect, they can also maximise attention by quoting worst-case fines of EUR 20M or more.

Despite all the money you spend on technical defences, you are still just one gullible user click away from a breach. Worse still, that user might be you! Recent surveys show that senior executives can be some of the biggest culprits for clicking on phishing links and opening malicious email attachments.

But the most effective strategy for combating this vulnerability is also one of the most poorly implemented – security awareness training. It is no longer good enough to run briefings while distracted staff eat lunch and catch up on social media, or to send them a 2-minute video once a week that only skims the surface. Of course, the oldest strategy of all, hoping for the best, is now a definite no-no.

With the right tools and training, your staff can be transformed into an extra layer in your defences: a “human firewall” that knows what not to fall for and can report suspicions to your IT team with a single click.

Understanding the threat

According to a recent study by Osterman Research, four of the five leading concerns expressed by decision makers focus on email as the primary threat vector for cybercriminal activity.

The main email-based attack vectors include:

  • Phishing: Emails are sent to a large number of users simultaneously and attempt to extract sensitive information from unsuspecting users by posing as a bona fide source. This might be a bank, delivery company or a supplier. The ploy is to convince the user to click a link to infect their computer with a virus or go to a fake website and enter sensitive information such as login credentials, credit card details or personal information. Such information is of course used to steal money or support the next phase of the attack on your company.
  • Spear Phishing: This takes phishing to the next level. It is targeted at a specific individual or a small group, using data gleaned from researching the company on public sites, social media and from more basic phishing. The cybercriminals craft their messages using this background information to make them more believable and encourage the victim to click on the link quickly without stopping to think of the risks. As a consequence, the click rate for spear phishing is much higher than for phishing.
  • Executive Whaling: This term comes from the Vegas gambling term “whale”, meaning a gambler who has the means to make large bets in a casino. Cybercriminals reason that the potential payoffs are highest when compromising the computers/accounts of the most senior executives in a company.
  • CEO Fraud (aka business email compromise): This is typically aimed at businesses that regularly make wire transfer payments. The culprits spoof the email of the CEO while they are travelling and send instructions to remit money urgently. By the time the CEO becomes aware, the money has gone and is usually irrecoverable.

The evolving value to the criminals

Cybercriminals are finding new ways to monetize successful attacks against businesses.

The FBI has estimated that ransomware generated revenue of $24 million in 2015 and $1 billion in 2016. A separate study estimated the figure for 2017 to be $5 billion.

The latest trend is cryptocurrency mining. In this case, by using the computing power of compromised machines, the criminals can create “crypto coins” which are untraceable and can be exchanged for hard cash. At first sight this might seem to have a low impact for the victim, but it has multiple costs including: increased electricity costs for infected computers; increased electricity costs for air-conditioning the office (busy computers generate more heat); reduced lifespan of infected computers (hot computers fail earlier); sluggish performance for genuine users leading to lower productivity or worse customer service.

Traditional defences cannot keep up

Cybercriminals are now organised and well resourced. They have the resources to create new and increasingly sophisticated attack methods. Traditional defences such as anti-virus software are having trouble keeping up with this level of innovation. Furthermore, some recent attacks (such as CEO fraud) are malware-less, so anti-virus software is no help against them.

All of this means that it is now more important than ever to make the most of your last line of defence: your staff.

In the UK, the Centre for the Protection of National Infrastructure (CPNI) agrees and has created the Don't Take The Bait campaign, based on the principle that if you can increase awareness of the scam techniques that are commonly deployed, then employees will be less likely to fall for them.

Security Awareness Training: traps to avoid

Most of us have had experience of poorly designed security awareness training, but it is still worth noting the key traps to avoid before we move on to our recommended approach.

Trap #1: Do nothing and hope for the best
If you are reading this, you already know this is not an option.

Trap #2: Attract staff to a lecture from IT with the offer of a free lunch
A one-way lecture often fails to engage an audience that is distracted by its free lunch and by catching up on emails/social media. It is hard to get enough information across before their attention wanders.

Trap #3: Monthly security videos
Scheduling training videos a long time apart means that important topics can go untouched for months. Long videos can quickly become a chore to be ticked off rather than a genuine chance to learn.

Trap #4: Selective phishing tests
Sending the same phishing test email simultaneously to a small number of employees does at least test those employees' vulnerability to phishing. But it also encourages employees to game the system and warn their colleagues about it, skewing results and diverting attention from the intended lessons.

Security Awareness Training: Best Practices

Now let’s take a look at our recommended best practices and how to implement them in your organization.

Best Practice #1: Use a coordinated campaign of training and phishing simulation
Training on its own isn’t enough. Simulated phishing of personnel on its own doesn’t work. Used together, they reinforce each other leading to greatly increased effectiveness.

Best Practice #2: Baseline your phishing susceptibility
Measuring the effectiveness of security awareness training has long been problematic. The key to knowing how much benefit you have gained is to have a solid baseline of your click-through rate before you begin. This can be accomplished easily. Send a simulated phishing email to a random selection of staff and see what proportion is tricked into clicking on a link, entering sensitive information or opening an attachment.

Best Practice #3: Gain management buy-in
All relevant departments in the organisation need to understand and buy into the process. In some organisations, there can be a desire to forewarn staff that a phishing test programme is planned. However, this is best avoided, as forewarning significantly reduces the effectiveness of the campaign.

Best Practice #4: Conduct random-random simulated phishing
To avoid the problems mentioned earlier under Trap #4, it is important to ensure staff receive random (different) simulated phishing emails, at random times. This gives a much better metric for measuring effectiveness.

Best Practice #5: Expect a rapid drop in click-through rates but don’t expect a miracle
The click-through rates often drop dramatically in the first 3 to 6 months of a campaign, then flatten off. Experience shows that it is very difficult to get below a click-through rate of around 2% in the long term. This is usually a huge drop from the baseline click-through rate and gives significant benefits to the organisation.

Best Practice #6: Avoid the blame game
A common concern about simulated phishing is that the results could be used in a witch hunt. Therefore, we recommend you don’t ever use results in this way. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.

Best Practice #7: Continue testing frequently
Once your phishing click-through rate has stabilised, continue to test staff frequently to maintain that level. This lets you keep pace with changing tactics from the cybercriminals, and ensures new recruits develop the same wariness as their colleagues.

Best Practice #8: Make sure your training material is continually updated
Cybercriminals are continually evolving their techniques, so your training materials must be updated continually to keep pace. The material needs to balance theory and practice: understanding the threats, and knowing how to apply that understanding in day-to-day work.
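The measurement side of Best Practices #2, #4, #5 and #6 can be made concrete in a few lines. The following is an added example, not code from the article or from any vendor's platform; the staff list, lure templates and campaign results are constructed, and every function name is hypothetical. It shows a baseline click-through rate and report rate per campaign period, a random-random schedule (each person gets a randomly chosen template at a randomly chosen time, contrasted with a Trap #4 style blast of one lure to everyone at once), and a department-level summary that suppresses groups too small to avoid identifying individuals.

```python
"""Added example: measuring a simulated-phishing programme without naming names.
All data below is constructed; function names are hypothetical."""
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed staff list: (user_id, department)
STAFF = [
    ("u001", "Finance"), ("u002", "Finance"), ("u003", "Finance"), ("u004", "Finance"),
    ("u005", "Sales"), ("u006", "Sales"), ("u007", "Sales"), ("u008", "Sales"),
    ("u009", "IT"), ("u010", "IT"),
]

# Constructed lure templates, identified only by theme.
TEMPLATES = ["parcel-delivery", "password-expiry", "invoice-approval", "ceo-wire-request"]

# Constructed campaign results: (period, user_id, template, clicked, reported)
RESULTS = [
    ("baseline", "u001", "invoice-approval", True,  False),
    ("baseline", "u002", "parcel-delivery",  True,  False),
    ("baseline", "u003", "password-expiry",  False, True),
    ("baseline", "u005", "ceo-wire-request", True,  False),
    ("baseline", "u009", "parcel-delivery",  False, True),
    ("month-3",  "u001", "password-expiry",  False, True),
    ("month-3",  "u002", "ceo-wire-request", True,  False),
    ("month-3",  "u004", "parcel-delivery",  False, False),
    ("month-3",  "u006", "invoice-approval", False, True),
    ("month-3",  "u007", "parcel-delivery",  False, True),
    ("month-3",  "u009", "invoice-approval", False, True),
    ("month-3",  "u010", "password-expiry",  False, True),
]


def rates_by_period(results):
    """Best Practice #2/#5: click-through and report rates per campaign period.
    The baseline period is the number everything later is compared against."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for period, _uid, _tpl, did_click, did_report in results:
        sent[period] += 1
        clicked[period] += int(did_click)
        reported[period] += int(did_report)
    return {p: {"sent": sent[p],
                "click_rate": clicked[p] / sent[p],
                "report_rate": reported[p] / sent[p]} for p in sent}


def schedule_blast(staff, template, send_time):
    """Trap #4 style: one lure to everyone at the same moment (for contrast only)."""
    return [(send_time, uid, template) for uid, _dept in staff]


def schedule_random_random(staff, templates, window_start, window_days, seed):
    """Best Practice #4: each person gets a random template at a random time
    inside the window, so no two colleagues can compare notes on the same lure."""
    rng = random.Random(seed)
    plan = []
    for uid, _dept in staff:
        offset = timedelta(minutes=rng.randrange(window_days * 24 * 60))
        plan.append((window_start + offset, uid, rng.choice(templates)))
    return sorted(plan)


def max_same_template_in_window(plan, window_minutes=60):
    """Largest number of recipients who receive the same template within any
    rolling window. A value equal to the group size means everyone got the
    same lure at once, which is exactly what Trap #4 warns about."""
    by_template = defaultdict(list)
    for send_time, _uid, tpl in plan:
        by_template[tpl].append(send_time)
    worst = 0
    for times in by_template.values():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(minutes=window_minutes):
                start += 1
            worst = max(worst, end - start + 1)
    return worst


def department_summary(results, staff, period, min_group=3):
    """Best Practice #6: report by department, never by person. Departments
    with fewer than min_group recipients are suppressed (None) because a rate
    over one or two people identifies who clicked."""
    dept_of = dict(staff)
    sent, clicked = defaultdict(int), defaultdict(int)
    for p, uid, _tpl, did_click, _r in results:
        if p == period:
            sent[dept_of[uid]] += 1
            clicked[dept_of[uid]] += int(did_click)
    return {d: (clicked[d] / sent[d] if sent[d] >= min_group else None) for d in sent}


if __name__ == "__main__":
    for period, stats in rates_by_period(RESULTS).items():
        print(f"{period}: sent={stats['sent']} click={stats['click_rate']:.0%} "
              f"report={stats['report_rate']:.0%}")
    start = datetime(2024, 1, 8, 9, 0)
    print("blast worst-case overlap:",
          max_same_template_in_window(schedule_blast(STAFF, "parcel-delivery", start)))
    print("random-random worst-case overlap:",
          max_same_template_in_window(schedule_random_random(STAFF, TEMPLATES, start, 10, seed=7)))
    print("month-3 by department:", department_summary(RESULTS, STAFF, "month-3"))
```

The suppression threshold in `department_summary` is the practical form of "avoid the blame game": a published rate for a two-person team is a per-person result in disguise, so the function refuses to emit it. The overlap check is the sanity test to run on any schedule before sending: if it returns the group size, the plan is a blast, not a simulation.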


Social engineering threats continue to evolve and technical defences are not keeping pace with the rate of change. Now, more than ever, you need to maximise the benefit from your last line of defence: your staff. With a well-designed security awareness program, you can transform your employees from your biggest risk into a “human firewall”.