To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

An untapped resource to improve threat detection

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.”  Despite its value, many organizations don’t have a way to get timely threat intelligence.

How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.

How to defend against longline phishing attacks

A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing.  The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls.  Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization.  This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.

Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.