Whether it's downloading a malware-ridden email attachment or submitting their login details on harmful websites, an employee falling victim to a phishing scam is one scenario that can keep IT pros and business owners awake at night.
An increasingly effective approach for reducing this risk is through employee phishing awareness training, but what exactly does this type of training entail?
In this post, we'll cover:
- What is phishing awareness training?
- Why is phishing awareness important?
- What are the different types of phishing awareness training?
- How to get started with the right approach
What is phishing awareness training?
Phishing awareness training is the ongoing education provided to employees that helps them to understand how phishing works, how to spot the telltale signs of an attack and what secure actions they should take when they feel as though they've been targeted.
Many businesses conduct regular phishing awareness training to prevent users from compromising their credentials, downloading malicious attachments or sending sensitive information to an impersonator.
Why is phishing awareness so important?
There's a common misconception that phishing scams are easy to spot and that only people who are non-technical or naive would fall victim. There's also the false security of over-relying on technology to prevent phishing or thinking that "our business is unlikely to be a target".
The truth is, phishing attacks still work and are growing in prevalence and sophistication each year, with a combination of 'spray and pray' attempts mixed in with hyper-targeted spear-phishing attacks.
There are now nearly 75 times as many phishing sites as there are malware sites and nearly 36% of data breaches now involve phishing.
With these types of threats, it's vital for employees to be trained on how to spot and report phishing attacks before they can cause financial, operational or reputational damage.
After all, it only takes one successful phishing attempt to wreak havoc.
What are the different types of phishing awareness training?
There are many different types of channels, formats and techniques used to deliver this type of training, but the most common are:
- Computer-based training (CBT)
- Simulated phishing exercises
- Classroom-based training
Computer-based training (CBT)
Many of us will remember the days of sitting through one-hour security awareness PowerPoint presentations at work, blankly staring at the instructor as they broadcast a checklist of tips on "how to stay safe online".
Thankfully, training has become more effective (and less painful) since then.
Computer-based phishing awareness training is pretty much what it says on the tin — rather than sitting through a classroom-based session, employees can work their way through courses on their computers through a modernised 'eLearning' approach.
Here is an example training video taken from usecure's automated security awareness training platform, uLearn:
There are many benefits of computer-based phishing awareness training, including:
- It's quick — CBT often includes short courses that can be completed in minutes, with many studies showing that shorter training sessions contribute to improved knowledge retention.
- It's engaging — Modern phishing awareness training solutions often include video and interactive content, which can be powerful learning tools for helping users understand the risks with real-world examples.
- It's measured — CBT makes it easy to test what information the users have and haven't retained. Often, a quick follow-up quiz is all that's needed to measure how much information they've absorbed.
- It can be completed anytime — With meetings, annual leave and sick days, trying to haul all staff into the same presentation can be a nightmare. CBT can often be completed when the user has time, avoiding any missed sessions or hindrance to productivity.
Simulated phishing exercises
If computer-based training is the go-to for raising employee phishing awareness, then simulated phishing exercises are the go-to for giving staff a truly practical learning experience.
An employee phishing simulation exercise is used to assess which users are susceptible to an attack, giving them real-world experience whilst analysing how they would react in a phishing scenario.
This is usually done by replicating a well-crafted phishing email and tracking which people input their login details or download a 'harmful' attachment.
Here is an example of a phishing template taken from usecure's simulated phishing tool, uPhish:
Seems like quite a legitimate email, right? We'll, 39% of the employees in this simulation thought so:
Here are some of the benefits of simulated phishing exercises:
- Baseline your training — Analysing which employees are vulnerable to phishing at the start of their computer-based training gives you a useful metric for measuring progress at a later date.
- Highlight where additional training is needed — Deploying periodic simulations enable businesses to detect users that are at risk of falling victim and who may need some extra training.
- Measure the impact of training — Deploying phishing simulations before and after employee training provides a useful insight into how effective their awareness training has been.
An old-school form of training, some businesses still use classroom-based sessions to deliver anti-phishing education. There are, however, some key differences between this approach and the computer-based approach:
- Can be more expensive — A specialised security awareness training instructor is often needed for these sessions, where costs can vary.
- Can be time-consuming — These sessions require preparation time and often need all employees to be present at the same time (which can be a logistical headache, to say the least!).
- Training is less targeted — Classroom-based training is often delivered through PowerPoint presentations in a programmatic and tick-box style, meaning that all staff are given the same material regardless of knowledge, job role or seniority.
Studies have indicated that retention of certain subject matter may be up to 250% greater with computer-based training, rather than a classroom-based model.
Merrill Lynch, The Book of Knowledge
Get started with the right approach
Having helped businesses across the globe reduce their employees' human cyber risk, usecure knows what it takes to truly drive employee phishing awareness.
That's why we always urge businesses to include phishing awareness into a broader employee security awareness training program that encompasses a wide range of security topics — for example, password hygiene, social engineering and handling data securely.
Learn more about launching effective phishing and security awareness training with usecure's free 2021 guide below, or try usecure's security awareness training courses with a free 14-day trial.