A new study on user risk shows that employers are willingly conducting user awareness training, but only half of them follow up with additional tests to gauge such training's effectiveness.
As network defenses grow stronger, and the gaps within those various layers of protection shrink, criminals are looking towards the soft targets, including employees, contractors, and customers, in order to launch an attack. Such knowledge isn't a secret; this is why user awareness training exists. It helps mitigate the risk associated with soft-target attacks, including phishing and social engineering.
Earlier in the summer, CSO reported on a study that examined the risk associated with the soft targets working the helpdesk, but there's more to the problem than just one business unit within an organization.
It isn't just the fact that people are trained and expected to be helpful that makes such soft targets attractive to attackers; it's that they're left unaware of all of the potential attack surfaces they're part of.
According to the 2013 Verizon Data Breach Investigations Report, 29 percent of the attacks referenced by Verizon could be traced back to social tactics, such as phone calls, email, and social media (e.g. Facebook, LinkedIn, or Twitter). This type of data is often what drives awareness programs, and why companies spend money in order to teach employees how to spot phishing scams and how to limit their exposure online.
However, teaching without testing opens a rather large gap in the overall usefulness of such programs. In a recent study published by Rapid7, based on responses from IT professionals representing more than 550 organizations, it was revealed that 66 percent of those firms conduct user awareness training, but only 33 percent of them actually follow that training with tests to measure effectiveness.
So in Rapid7's survey, the real story is that 50 percent of those surveyed admitted to having broken awareness programs. Going back to Verizon's data, phishing accounted for at least 22 percent of all the reported incidents documented in the report. At the same time, the research points out that even the most targeted and malicious attacks an organization faces often rely on relatively simple techniques such as this to get started.
When it comes to making a dent in socially-based attacks, the organization needs to have awareness programs that teach and test, alongside common technical controls, such as email filtering and endpoint protections.
"The key to successfully lowering user risk via social engineering is to give users a chance to practice what they are taught," Rapid7 explains in a technical document on the topic.
Such practice can include internal phishing campaigns that become more sophisticated over time. At first, users can be exposed to emails with poor grammar and punctuation, and a clearly false or modified corporate logo. Over time, however, the emails get more and more legitimate looking, and use a focused tone in order to get the employee to comply with the message's requirements.
"Only if you teach users how attackers use social engineering to gain access to corporate resources can they spot the signs of a social engineering attack and be vigilant."
Unrelated to Rapid7, one company that has grown over the years in the area of awareness programs and measurement is PhishMe.com. They're worth a look if your company teaches awareness but doesn't test it.