Cybercriminals are good at creating phishing and spear-phishing email scams, but they wouldn’t get anywhere without someone opening their emails. Recent reports have indicated that over 90% of security breaches are the result of human error, predominantly resulting from phishing and spear-phishing attacks. Most organizations today provide some sort of security-awareness training for employees. But is it effective?

Security training needs to increase a staff’s security awareness – certainly; but more importantly, it needs to change employee behavior and help create a security-minded culture. So how do you know security training is changing behaviors?

The short answer is phishing testing! Even the best-trained employees are human and can make mistakes by clicking on a well-crafted phishing email. The goal of testing is to track, adjust, and improve the training strategy. It also provides insights for management on the effectiveness of the investment in security training that you can compare with other companies in your industry. Some organizations may feel the need to reprimand employees that click on simulated phishing emails. This has proven to be counterproductive.

Phish-prone Tests in the Enterprise

Security awareness testing shouldn’t just be about having employees answer multiple-choice questions at the end of a training module. Phishing testing is a friendly attack on your employees that mimics the tactics of the hacking community. The difference is that it’s a non-malicious, “safe” attack that measures the effectiveness of security training. Testing needs to evaluate changes in behaviors.

This sort of testing can evaluate an employee’s real-time awareness of spam, phishing, spear-phishing, malware, ransomware, and social engineering mechanisms aimed at tricking them into acting on malicious emails. Sending and tracking simulated phishing and spear-phishing emails to employees regularly is generally accepted as a good real-time test, often referred to as phish-prone testing.

Some phish-prone testing systems can provide real-time feedback to employees when they click or report phishing emails. Clicking on a simulated phishing email can direct them to a video that will help them identify malicious emails in the future. When they report it, the systems provide positive feedback.

5 Steps for Creating Effective Tests

To be able to effectively track your organization’s path to a secure culture, you need to take an iterative approach of testing and training. Steps on creating effective tests are:

1. Complete baseline testing prior to training.
2. Train your users on a regular basis and track training module completion.
3. Phish test users with simulated phishing and spear-phishing attacks and track the click and open rates.
4. Provide positive reinforcement for staff that complete training and recognize malicious emails.
5. Monitor and report metrics to management at a regular interval.

Using this approach, phish-prone metrics (users that click) indicate that initial baseline testing has a 30% click rate, but after three months of training, this drops to 15%, and after one year, it drops to 2% of staff clicking on the simulated phishing emails, according to the “2019 Phishing By Industry Benchmarking” report by KnowBe4. Testing is a valuable tool to develop metrics and to track trends over time to determine if behaviors are changing. Organizations also need to conduct testing in conjunction with routine training to educate staff on the latest techniques to be wary of.

Making Time for Training

Training modules are often low on the priority list, as employees are busy doing their jobs. The goal is to positively reinforce employees that do take the training. We’ve seen pizza lunches, gamification, and other perks work well to reward employees for participating in security training. Seeing these perks motivates their peers to put a higher priority on their own training.

Security training is never going to be something your employees sit down and binge-watch on a Saturday evening; however, it doesn’t have to be boring. There are many cost-effective sources of engaging and interesting training content, some of which are almost like a Netflix video series with good acting and high production quality. Engaging, well-produced training content will improve retention and make it easier for employees to put training higher on their priority list.

In conjunction with testing and training activities, it’s advantageous to strengthen your organization’s detection and response capabilities. Properly trained employees will be able to identify malicious emails and should have a simple way of reporting these emails to the security team. A button within the email application can simplify this reporting.

Staff also need to know how to respond if they do make the mistake of clicking on a malicious email. Typically, this would be to shut down their computer and report the event to the security team. The security team needs to have a response or treatment plan that deals with the event and gets the employee back to work as quickly as possible.

The overall goal is to change employee behaviors and develop a culture of security within the organization. Tracking the level of organizational vulnerability is an effective way to help make improvements and adjustments to training programs. Continuous iterative testing and training will improve “human” firewalls over time — reducing security risks and improving your IT security’s defense.

“SCTC Perspectives” is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.