The results of a survey conducted at Black Hat suggest that security awareness training is indeed falling short, and so are anti-spam tools. So says security vendor PhishMe.

As Black Hat attendees were buzzing over a recent CSO guest column by Immunity Inc. CEO Dave Aitel, in which he dismissed the value of security awareness training, PhishMe decided to conduct a survey. In it, attendees acknowledged that if recent phishing trends are any indication, Aitel was right.

PhishMe interviewed 250 security professionals during the Black Hat USA conference in Las Vegas, July 24-26, and more than two thirds said they encounter phishing messages that get past anti-spam filters and reach users’ email boxes at least a few times a week.

Also see: “Why you shouldn’t train employees for security awareness,” by Dave Aitel

Almost a quarter of the respondents said they see such messages in users’ mailboxes multiple times every day.

“Many enterprises believe that because they are using spam filtering tools or other email security technologies, they are safe from phishing attacks,” said Scott Greaux, VP of product management & services at PhishMe, which offers a service that simulates phishing attacks to help train users on how to react to them. “What we found in our survey is that despite such filters, end users are presented with live, malicious attacks in their inboxes nearly every day.”

Also see: “Phishing: The Basics”

Spear phishing has become a popular method of infecting enterprises with malware, according to PhishMe. In the survey, more than one quarter (27 percent) of security professionals said that top executives or other privileged users in their enterprises have been compromised by spear phishing attacks within the last 12 months. Another 31 percent of security pros said they weren’t sure whether their executives or privileged users had been hit with such attacks.
More from the report:

With so many unfiltered phishing messages getting through, it is up to the end user to decide how to react — whether to open the message, click on a link, or delete the message before it can do any damage. But PhishMe’s survey of Black Hat attendees indicates that most end users receive only a bare minimum of security awareness training. Nearly half (49 percent) of the respondents said their users receive training only once a year; nearly one tenth (9 percent) said their organizations have no security training programs at all.

Among organizations that do provide security training programs, many rely heavily on scripted, delayed forms of instruction that do not provide metrics to program managers and administrators, the survey said. In fact, three of the top four training methods listed by Black Hat attendees — recorded video/computer-based training (39.3 percent), paper tests/quizzes (32.9 percent), and handbooks/printed guides (28.5 percent) — are largely unsuccessful. Only 16 percent of security professionals train their users via simulated attacks (multiple responses were allowed).

My quick takeaway: The message isn’t that security training is a waste of time. It’s that the current methods are sometimes inadequate.

Also see: “Security awareness can be the most cost-effective security measure”

Of course, even with the best training money can buy, it’s still an uphill battle dealing with human nature. When you’re up to your eyeballs in work, you start looking for shortcuts. In the process, you forget your training.

Discuss amongst yourselves.