The modern enterprise, of any size, faces a complex and dangerous threat landscape. Compliance risk and security threats, both internal and external, have to be managed with a dizzying array of technologies, processes, and subject matter experts. The security industry and every major cloud service provider will tell you that end user phishing is the most common and most successful breach vector for any modern organization. Microsoft 365 Security, Compliance, Identity, and Management (M365 SCIM) provides an integrated, holistic solution to these existential risks, including phish prevention. In this blog, we want to share our best practices for creating an effective and actionable end user phishing training program.
Every organization should start with a robust technical solution to eliminate the vast majority of phishing attempts on your organization. Microsoft Defender for Office 365 is an excellent option. The organization should then focus on creating a robust and capable security operations and administration team that can react and respond to successful phishing attacks, which will inevitably happen. You should hire good security and compliance operators, and then equip them with the right tools and resources to manage those risks.
Finally, we believe every organization should have a data-driven phish training and behavior modification program in place to help their employees first understand how to correctly identify phishing attempts and to help them take the correct action when those threats are identified. Below, we lay out our recommendations for appropriate program goals, resources, simulation construction, training, and measuring success.
Phish training programs should have at least two main program goals:
There are several problems with using only static click-through rates to measure susceptibility. Phish clicking susceptibility depends, profoundly, on the quality of the payload being used. Attackers are known to use very cheap, generic payloads targeted at any user and can still achieve high success rates. Specially crafted, highly targeted payloads directed at high-value individuals are very difficult to detect and have scary-high success rates. The best phish simulation solutions will leverage real-world payloads for their simulations, but program administrators are sophisticated enough to make an educated guess at whether any given simulation payload will have a higher or lower click-through rate based on its 'complexity' or 'difficulty'. This means that payload quality, not actual end-user susceptibility, is the primary driver of your click-through metric.
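To make the point concrete, here is an added example (not from the original post or from any Microsoft product) that scores constructed simulation results. It shows how a raw click-through rate can get worse from one quarter to the next purely because the payload mix got harder, while every difficulty tier actually improved; the mix-adjusted rate (direct standardization against a fixed reference mix, an analysis choice assumed here, not a method the post prescribes) is what reflects user behaviour.

```python
from collections import defaultdict

# Constructed simulation results (not real data): one record per campaign,
# as (quarter, payload difficulty tier, emails sent, emails clicked).
# Q1 used mostly easy payloads; Q2 shifted to mostly hard payloads.
CAMPAIGNS = [
    ("Q1", "low",    400,  40),   # 10% clicked
    ("Q1", "medium", 300,  75),   # 25%
    ("Q1", "high",   100,  50),   # 50%
    ("Q2", "low",    100,   8),   # 8%  (better than Q1)
    ("Q2", "medium", 300,  66),   # 22% (better than Q1)
    ("Q2", "high",   400, 180),   # 45% (better than Q1)
]

def raw_click_rate(records, quarter):
    """Static click-through rate: all clicks over all emails in the quarter."""
    sent = sum(s for q, _, s, _ in records if q == quarter)
    clicked = sum(c for q, _, _, c in records if q == quarter)
    return clicked / sent

def tier_click_rates(records, quarter):
    """Click-through rate per payload difficulty tier for one quarter."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for q, tier, s, c in records:
        if q == quarter:
            sent[tier] += s
            clicked[tier] += c
    return {t: clicked[t] / sent[t] for t in sent}

def payload_mix(records, quarter):
    """Share of emails sent in each difficulty tier, usable as a reference mix."""
    sent = defaultdict(int)
    for q, tier, s, _ in records:
        if q == quarter:
            sent[tier] += s
    total = sum(sent.values())
    return {t: s / total for t, s in sent.items()}

def adjusted_click_rate(records, quarter, reference_mix):
    """Direct standardization: weight each tier's rate by a fixed reference mix,
    so quarters are compared as if they had sent the same difficulty mix."""
    rates = tier_click_rates(records, quarter)
    return sum(rates[t] * w for t, w in reference_mix.items())

if __name__ == "__main__":
    ref = payload_mix(CAMPAIGNS, "Q1")   # hold the Q1 mix fixed as the baseline
    for q in ("Q1", "Q2"):
        print(q, f"raw={raw_click_rate(CAMPAIGNS, q):.4f}",
              f"adjusted={adjusted_click_rate(CAMPAIGNS, q, ref):.4f}",
              {t: round(r, 2) for t, r in tier_click_rates(CAMPAIGNS, q).items()})
```

With the sample data the raw rate rises from 20.6% to 31.8% while the adjusted rate falls from 20.6% to 17.9%, so a program that reported only the raw number would conclude that users got worse when they had in fact improved in every tier.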
Phish training programs are a key element of any organizational strategy to address behavioral risk, but since the core mechanism behind these programs is interacting with your users in the same way that real world attackers are going to try to engage them, you should be very transparent and intentional in the creation of these programs. There are four key resources and dependencies you will need to fulfill to get your program up and running.
Once you have these four key resources and dependencies in place, you can now work through the actual execution and analysis of your program.
Stay tuned for Part 2 of this blog where we’ll cover Targeting, Frequency, Payloads, Training, Operationalization, and Measuring Success.
If you are interested in going deep to get strategies and insights about how to develop a successful security awareness training program, please join the discussion in this upcoming Security Awareness Virtual Summit on June 22nd, 2021, hosted by Terranova Security and sponsored by Microsoft. You can sign up to attend by clicking here.