Year after year, we hear stories of companies getting breached. And those same breaches tend to coincide with a user losing their credentials through a phishing attack. Why does this happen? Because it's the path of least resistance for an attacker. Why are phishing attacks so easy?
Phishing is easy because email is flawed.
Not to date myself too much, but the user experience within email clients has improved drastically in the time I have been using it. Some of those very user-friendly innovations, like display names and clickable hyperlinks, make email look great, but they hide the true identity of the sender. Links can easily be faked, and sender identities are spoofed easily and frequently.
Emails are not meant to be an authenticated means of communication. Until we do a better job of verifying a sender's identity systematically, our users need to be skeptical about what an email contains.
They can only LEARN to be skeptical through education. Our results from 3 years of running a phishing education platform show a huge reduction in risk. On average, a company that starts our program has about a 30% rate of users clicking the links in our simulation emails. After 6 months, that rate averages 2%. Given that most companies have more than a 2% turnover rate, this is a pretty impressive result.
This is because our platform is built around learning styles, not just around legitimizing a hacking tool. (More to come on this subject in my next blog post)
Lots of information security pundits have called security education a "waste of time" and "ineffective". And if you're going to do a once per year PowerPoint or online session that a user does while eating lunch and texting their kids, they're probably right. Combining a training session with quizzes and regular, experiential learning on the job covers much more and provides real learning. These systems work, and have worked for our customers for several years.