Phishing attacks are on the rise, according to research for the “2021 State of the Phish” report from Proofpoint. Nearly three-quarters (74%) of organisations experienced a successful phishing attack last year. That’s a year-over-year increase of 14%.
Attackers are using relevant themes—like the pandemic and tax season—to prey on human vulnerability. And they’re applying an array of phishing tactics, including credential phish sites, malicious links and attachments, and business email compromise (BEC), to compromise victims.
There’s no silver bullet to stopping phishing threats. It takes a multi-layered, integrated approach that includes prevention, visibility and response. In this blog, we’ll focus on how an effective phishing awareness training programme can empower your people to help protect the organisation.
Phishing awareness training: limited time available, so maximise the impact
Figure 1. The annual time budget allocated for security awareness programmes tends to be under two hours per user per year (Source: “2021 State of the Phish”)
More than two-thirds of organisations surveyed for the “2021 State of the Phish” report said they have two hours or less per user per year to make an impact on their users’ behaviour. And phishing is only one component of a security awareness programme, with many compliance regulations, privacy laws and topics like cloud applications and data protection also needing attention.
Figure 2. More organisations are conducting more frequent and formal security awareness training sessions, with over 80% conducting at least quarterly training (Source: “2021 State of the Phish”)
That’s why making the best use of your limited training time is critical. Our annual “State of the Phish” survey shows that security awareness cadences are increasing each year. That’s good news, as phishing awareness skills tend to fade 4-6 months after education, according to a German study. Ongoing programme engagements can help to improve the retention of phishing skills.
Let’s look at three areas of strategy—the right people, right education and right response—for increasing phishing awareness. With these core pillars driving your phishing training programme, you can significantly and positively impact your organisation’s risk posture.
Finding the right people
All employees should have ongoing phishing simulations and education to keep their skills sharp. We recommend simulations at least every 4-6 weeks for all users. But sometimes, supplemental phishing education is needed for riskier users.
Take a deeper dive into phishing simulations
Traditionally, phishing awareness training programmes focus on the risk of users who have engaged with phishing simulations. That’s a good start. But when organisations understand data about who is being targeted or engaging with actual attacks, it means they can focus their programme on real risk.
Proofpoint takes a new and fresh approach to security education initiatives by using real data from your email environment through our Targeted Attack Protection Guided Training integration. We employ the data from our advanced email security product to identify the riskiest people—or Very Attacked People (VAPs)—in your organisation based on how they’re being targeted, threat actor sophistication, type of attack and overall attack volume. Each person gets a score and an overview of all the threats targeting them.
Figure 3. Sample data from a VAPs report in the Proofpoint Targeted Attack Protection advanced email security dashboard
If this integration isn’t available to you, work with your email security team to find data about people being attacked or those who have fallen for actual phishing attacks. That way, you can focus your phishing awareness programme on the people who need it most.
Providing relevant phishing education with impact
Attackers are constantly using new templates, lures and techniques to try to trick users. You can target users who are heavily attacked by real phishing campaigns with actual templates seen by Proofpoint threat intelligence, which helps increase the relevance of your user assessments and education.
Figure 4. Examples of Proofpoint phishing simulation tool templates
Phishing simulations are primarily assessments—and an indication to users that they’re vulnerable to these attacks. However, the landing page shown to users when they engage with a simulation usually stays open for no more than a few seconds.
An educational component can help improve retention and teach skills to spot phishing attempts, like double-checking the sender and hovering over and examining links for legitimacy. An example of this type of education is our Attack Spotlight content. We look at real phishing lures affecting organisations and then build a short educational module (about two to three minutes) around a specific threat.
Figure 5. Example of educational module in Proofpoint Attack Spotlight content
We can also help you maximise your annual security awareness time budget with education that focuses only on those users who fall for a phishing simulation or who have engaged with or been targeted by a real phishing threat.
Make sure the phishing awareness content you use suits your organisation’s style, whether it’s more corporate or humorous. And customising the content, so you can tailor wording and imagery and even add links to policies, will help improve the relevance and impact of your user education.
Finally, if your organisation is multinational, be sure to provide localised and translated phishing training content for users in different countries. A best practice is to identify a reviewer in each region and have them review the content in advance to make sure the template or education will suit the target audience.
Give users tools to respond to phishing attacks
Avoiding phishing attacks is good, but having users actively report phishing attacks is even better. In phishing awareness programmes, the “click rate”—the percentage of users who click on, and thereby fail, a phishing simulation—is a popular reporting metric.
We highly recommend implementing a phishing reporting tool that lets users essentially become a part of the IT security team. Not only do these tools help reduce vulnerability, but they also provide a deeper understanding of user behaviour. Accurate reporting of a potential phish means your users not only recognise what to avoid, but they also know what to do when they see a suspicious message.
Figure 6. Examples of high reporting rates and low failure rates
There’s a lot to read about metrics and benchmarks for security awareness training. But a general rule of thumb for high-performing programmes is to consistently have less than 5% of users fall for a simulation while over 70% of users report it with the email reporting tool.
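The two metrics above are easy to state but are usually computed from a campaign export of per-user events. The following Python is an added example, not Proofpoint's own code or tooling: it assumes the simulation platform can export events as (campaign, user, action) rows with the actions "sent", "clicked" and "reported", scores each campaign against the 5% click-rate and 70% reporting-rate rule of thumb, and lists users who clicked in more than one campaign as candidates for supplemental education. The campaign names and user names are constructed sample data.

```python
"""Score phishing-simulation campaigns against the click-rate / report-rate
rule of thumb and flag repeat clickers for supplemental education.

Added example with constructed data; not Proofpoint's code. It assumes the
simulation tool exports one row per (campaign, user, action)."""
from collections import defaultdict
from dataclasses import dataclass

# Benchmarks quoted in the post: under 5% failing, over 70% reporting.
MAX_CLICK_RATE = 0.05
MIN_REPORT_RATE = 0.70


@dataclass(frozen=True)
class SimEvent:
    campaign: str
    user: str
    action: str  # one of "sent", "clicked", "reported"


# Constructed sample population of 25 hypothetical users.
USERS = [f"user{i:02d}" for i in range(1, 26)]


def _campaign(name, recipients, clicked, reported):
    """Build the event rows for one campaign (constructed sample data)."""
    events = [SimEvent(name, u, "sent") for u in recipients]
    events += [SimEvent(name, u, "clicked") for u in clicked]
    events += [SimEvent(name, u, "reported") for u in reported]
    return events


# Two hypothetical campaigns: the first misses both benchmarks, the second
# meets them. user03 clicks in both and is therefore a repeat clicker.
SAMPLE_EVENTS = (
    _campaign("2021-Q1-invoice", USERS[:20], ["user03", "user07"], USERS[5:19])
    + _campaign("2021-Q2-password-reset", USERS, ["user03"], USERS[1:20])
)


def campaign_rates(events):
    """Return {campaign: (click_rate, report_rate)} as fractions of recipients.

    Only users who were actually sent the simulation are counted, so a stray
    click or report from someone outside the recipient list does not skew
    the rate. A user who clicks and then reports counts in both rates."""
    sent, clicked, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    buckets = {"sent": sent, "clicked": clicked, "reported": reported}
    for e in events:
        buckets[e.action][e.campaign].add(e.user)
    rates = {}
    for campaign, recipients in sent.items():
        n = len(recipients)
        rates[campaign] = (
            len(clicked[campaign] & recipients) / n,
            len(reported[campaign] & recipients) / n,
        )
    return rates


def meets_benchmark(click_rate, report_rate):
    """True when a campaign satisfies the <5% click / >70% report rule of thumb."""
    return click_rate < MAX_CLICK_RATE and report_rate > MIN_REPORT_RATE


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns;
    these are the riskier users the post suggests giving extra education."""
    hits = defaultdict(set)
    for e in events:
        if e.action == "clicked":
            hits[e.user].add(e.campaign)
    return sorted(u for u, cs in hits.items() if len(cs) >= min_campaigns)


def programme_summary(events):
    """Per-campaign rates plus a pass/fail flag against the benchmarks."""
    return {
        campaign: {"click_rate": c, "report_rate": r, "on_target": meets_benchmark(c, r)}
        for campaign, (c, r) in campaign_rates(events).items()
    }


if __name__ == "__main__":
    for name, row in programme_summary(SAMPLE_EVENTS).items():
        print(f"{name}: click {row['click_rate']:.1%}, report "
              f"{row['report_rate']:.1%}, on target: {row['on_target']}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Rates are computed over the recipient list rather than over all events, because a campaign export often includes reports forwarded by users who were never targeted; counting those would inflate the reporting rate.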
Is your phishing awareness programme working?
You’ve followed the best practices, conducted timely simulations, provided education, hosted in-person webinars, sent out emails and even implemented consequences for failed phishing simulations. But if you’re still struggling to move the needle and reduce user phishing vulnerability, we’re here to help.
With the People Risk Assessment from Proofpoint, you’ll learn:
- Which users have the best and worst security knowledge
- How your organisation’s score compares to others in your industry
- Detailed information on your people-centric risk posture broken down by department, region and more
This free assessment can get you on the path to security awareness and phishing awareness success.
Learn more about the People Risk Assessment here.