This piece is part of our ‘Faculty Focus' series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Masha Sedova discusses common phishing awareness challenges and provides best practices to make the training process much more efficient and effective.
Masha Sedova is an award-winning cybersecurity expert, speaker, and trainer focused on helping companies transform their workforce from a security risk into a key element of cyberdefense. She is the co-founder and President of Elevate Security, delivering a first-of-its-kind platform that enables organizations to identify risky employees, reduce the likelihood of future incidents, and proactively defend their workforce while ensuring a productive business. In 2021, Fast Company named her one of the most creative people in business. Masha has been a member of the board of directors for the National Cyber Security Alliance and a regular presenter at conferences such as Blackhat, RSA, OWASP, and SANS.
Phishing continues to be one of the most common attack vectors for credential harvesting and ransomware. Despite frequent training and awareness simulations, many users continue to take the bait and click into increasingly sophisticated phishing lures.
Knowing that it takes just one user to cause a crippling organizational breach, how can security teams improve phishing training, and what else can be done to prevent the phish from getting through?
Masha: There has been a growing trend of security teams asking ‘what’s next’ for their phishing programs. Many are even questioning whether it makes sense to continue the program. We can take a look at phishing programs currently in place today to uncover the key challenges confronting organizations:
Keep in mind that employees will consistently fall into three phishing risk types:
Masha: Security teams can help users improve their phishing detection skills and set them up for success by implementing the following:
Implementing a ‘three-times you’re out’ rule and terminating repeat offenders is not recommended. It creates a culture of ‘security fear’ and significantly stifles productivity, putting employees in constant fear of even opening emails. Instead of seeing repeat offenders as “incompetent” - view these individuals as being more vulnerable and in need of additional security support. They are excellent candidates for additional security measures, controls, and hardware (see paragraph above) to help protect them and the company. Communicate this special support to high-risk employees as necessary protection - similar to more body armor in a combat zone. You will help set them up for success as they will learn how not to place themselves and the business in dangerous situations.
Masha: Most phishing programs will not see a huge improvement jump after the first year. Expect incremental phishing program steps rather than huge leaps, as this training needs to become muscle memory for many employees. For best results, keep the following program tips in mind to evolve and tailor your phishing program to the organization:
November 30, 2023
By IANS Research