Phishing awareness training misses the point
Security awareness training focused on phishing emails that involve clicking links completely misses the point.

<Insert further ranting about unphishable MFA, passkeys and how awful security training as a whole is here>
Glad I was able to get that off my chest.
99% of what a phishing email with a malicious link tries to do is already preventable with phishing-resistant authentication and endpoint protection. Together they massively reduce the likelihood of two major causes of breaches - compromised credentials, and malware such as the trojaned elden_ring_win11_crack2024.zip that Dan in support pulled via a torrent on Tuesday.
Instead of phishing awareness training, has your team sat down with finance and walked through their controls and processes for sending money via wire?
The next generation of deep fakes and spearphish campaigns will be designed to target them specifically. While successful attacks are preventable, it will only be because of proactive control design and ensuring that your users understand the actual threats they face.
What can you do?
Make sure they know about deep fakes. Show an actual example to make it real. Stories stick in heads far better than your security policy does. Note that this will be far more effective as a two-way conversation with the team than as yet another email from security about what to worry about.
Check the validation process - if they get a Zoom invite from the CEO in which she asks them to wire money for a “top secret investment”, do they know how to validate that it’s real? For major or unusual requests, the team should be reaching out to multiple parties, using known-good contact information, to validate the request. In this case that could be the CEO and the CFO.
Make sure the exec team is aware of this process and actively endorses it to the finance team - people have a tendency to bow to authority, something CEO and CFO titles carry plenty of. This means that even with a policy in place, people may override it when asked to do so directly by a senior leader. Leaders need to personally communicate the deepfake risk and make clear that they expect the team to validate unusual requests before acting on them, even if the request appears to come from the leaders themselves.
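To make the validation process concrete, here is an added example (written for this page, not code from the original post) that models the control as a small decision function: a wire request above a threshold counts as major, and a major request is only approved once at least two distinct people have confirmed it, each reached through contact details taken from a known-good directory rather than from anything supplied in the request itself. The directory, the threshold, the amounts and the e-mail addresses are all constructed for illustration.

```python
"""Model of the out-of-band validation control for unusual payment requests.

Added example, not from the original post. Assumptions (all constructed):
- KNOWN_GOOD_CONTACTS is a directory maintained by IT/finance, the only source of
  contact details that count for validation.
- Requests at or above MAJOR_REQUEST_THRESHOLD are 'major' and need
  REQUIRED_VALIDATORS distinct confirmations.
"""
from dataclasses import dataclass

# Constructed known-good directory: identity -> phone number finance is allowed to use.
KNOWN_GOOD_CONTACTS = {
    "ceo@example.com": "+1-555-0100",
    "cfo@example.com": "+1-555-0101",
    "controller@example.com": "+1-555-0102",
}

MAJOR_REQUEST_THRESHOLD = 10_000  # constructed threshold, in the same currency as amount
REQUIRED_VALIDATORS = 2           # distinct people who must confirm a major request


@dataclass
class WireRequest:
    claimed_sender: str       # who the message says it is from; cannot be trusted
    amount: float
    beneficiary: str
    contact_in_message: str   # phone number or link supplied inside the request itself


@dataclass
class Validation:
    validator: str            # directory identity the finance team reached out to
    channel_used: str         # contact detail actually used to reach them
    confirmed: bool           # did that person confirm the request is genuine?


def is_major(req: WireRequest) -> bool:
    return req.amount >= MAJOR_REQUEST_THRESHOLD


def validation_decision(req: WireRequest, validations: list[Validation]) -> tuple[bool, list[str]]:
    """Return (approved, reasons).

    Minor requests go through the standard process. Major requests are approved only
    when REQUIRED_VALIDATORS distinct directory identities confirmed, each reached via
    the directory's own contact detail. A confirmation obtained through a number or
    link that came with the request is ignored: that channel may belong to the attacker.
    """
    reasons: list[str] = []
    if not is_major(req):
        return True, ["below major-request threshold; standard process applies"]

    counted: set[str] = set()
    for v in validations:
        directory_number = KNOWN_GOOD_CONTACTS.get(v.validator)
        if directory_number is None:
            reasons.append(f"{v.validator} is not in the known-good directory")
            continue
        if v.channel_used != directory_number:
            # Covers the classic trap: calling back the number printed in the request.
            reasons.append(f"{v.validator} reached via non-directory channel {v.channel_used}")
            continue
        if not v.confirmed:
            reasons.append(f"{v.validator} did not confirm the request")
            continue
        counted.add(v.validator)

    if len(counted) >= REQUIRED_VALIDATORS:
        return True, [f"confirmed by {sorted(counted)} via known-good contacts"]
    reasons.append(f"only {len(counted)} of {REQUIRED_VALIDATORS} independent confirmations")
    return False, reasons


if __name__ == "__main__":
    # Constructed scenario: a deepfake 'CEO' on Zoom asks for a wire and leaves a callback number.
    req = WireRequest("ceo@example.com", 250_000, "Acme Holdings Ltd", "+1-555-0199")
    trap = [Validation("ceo@example.com", "+1-555-0199", True),   # called the number in the invite
            Validation("cfo@example.com", "+1-555-0101", True)]
    print(validation_decision(req, trap))
    proper = [Validation("ceo@example.com", "+1-555-0100", False),  # real CEO: "I never asked for that"
              Validation("cfo@example.com", "+1-555-0101", True)]
    print(validation_decision(req, proper))
```

The design point is that the claimed sender is allowed to be one of the validators, as the post suggests with the CEO and CFO, but only when reached through the directory entry; the value of the control comes entirely from where the contact details originate, not from who the message claims to be.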