We all know that security awareness training is key to effective enterprise cyber security; after all, it is the human element that so often undermines considerable investment in state-of-the-art technology.
One employee can unwittingly throw the door wide open to a would-be attacker, or so we are led to believe. The problem is that today's fraudsters are smart, and social engineering attacks are increasingly clever at deceiving even the most diligent. It is a sort of cyber 'sleight of hand', whereby an illusion of credibility leads you to do something that you may later come to regret. What's more, there is little accounting for seniority. Indeed, it could be argued that the higher up the tree one goes, the more detached an individual becomes from day-to-day cyber security hygiene.
C-level execs should by now be well versed in the fallout that a cyber attack could bring upon their business; however, I bet few consider that it could be them, or one of their peers, who leaves the door open, so to speak.
This is why I'd argue that simulation should now be an integral component of any security awareness initiative. Far better to be the unwitting victim of a phishing attack that has been initiated internally than to find out when you have been well and truly had by a far-flung crime syndicate! What's more, simulations can target an entire organisation, randomly and with no accounting for position in the corporate hierarchy.
By spotting those who fall for such attacks, it is possible to identify weaknesses in your security education, not to mention those who are prone to making bad judgement calls when it comes to email management!
To address this, Foregenix has recently partnered with Thinkst Applied Research to deliver 'Phish5', a solution designed to facilitate regular, cost-effective phishing attack simulation. It helps you identify the sort of weaknesses that can have a significant financial (and reputational) impact on your business, yet should be fairly easy to address.
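To make the mechanics concrete, here is an added example (my own illustration, not Phish5's or Foregenix's code) of the three pieces any such simulation needs: target selection that samples the whole organisation and ignores seniority, a per-recipient tracking link that cannot be guessed or forged, and scoring that maps clicks back to people and rolls the results up by grade and department so you can see where the education is weak rather than just who clicked. The staff directory, campaign key, lure text and click log are all constructed for the example; the HMAC-based token design is my assumption about how a sound platform would do it.

```python
import hashlib
import hmac
import random
from collections import defaultdict

# Constructed sample directory for the example; grades span junior staff to C-level.
STAFF = [
    {"email": "ceo@example.com",     "dept": "exec",  "grade": "C-level"},
    {"email": "cfo@example.com",     "dept": "exec",  "grade": "C-level"},
    {"email": "it-lead@example.com", "dept": "it",    "grade": "manager"},
    {"email": "hr-lead@example.com", "dept": "hr",    "grade": "manager"},
    {"email": "dev1@example.com",    "dept": "it",    "grade": "staff"},
    {"email": "dev2@example.com",    "dept": "it",    "grade": "staff"},
    {"email": "hr1@example.com",     "dept": "hr",    "grade": "staff"},
    {"email": "sales1@example.com",  "dept": "sales", "grade": "staff"},
]

# Hypothetical campaign parameters. In practice the key lives in the simulation
# platform's secret store and never appears in a lure or on the landing page.
CAMPAIGN_ID = "q3-invoice-lure"
CAMPAIGN_KEY = b"replace-with-a-random-32-byte-secret"
BASE_URL = "https://sim.example.net"


def select_targets(staff, fraction, seed=None):
    """Uniformly sample recipients across the whole organisation.

    Grade and department are deliberately not consulted, so an executive is
    exactly as likely to be selected as a junior employee.
    """
    rng = random.Random(seed)
    k = max(1, round(len(staff) * fraction))
    return rng.sample(staff, k)


def tracking_token(email, campaign_id=CAMPAIGN_ID, key=CAMPAIGN_KEY):
    """Per-recipient link token: an HMAC over (campaign, recipient).

    A keyed hash rather than a sequential id means a curious recipient cannot
    enumerate colleagues' links or forge a click on someone else's behalf.
    """
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def build_lure(target, base_url=BASE_URL):
    """Render a (constructed) lure carrying the recipient's unique link."""
    link = f"{base_url}/r/{tracking_token(target['email'])}"
    return (
        f"To: {target['email']}\n"
        "Subject: Action required: outstanding invoice\n\n"
        f"Please review the invoice before close of business:\n{link}\n"
    )


def score_campaign(targets, click_log):
    """Resolve clicked tokens back to recipients; aggregate by grade and department.

    Unknown tokens (typos, scanners probing, forged links) are counted but never
    attributed to anyone. Repeat clicks by the same recipient count once.
    """
    by_token = {tracking_token(t["email"]): t for t in targets}
    clicked, unknown = {}, 0
    for token in click_log:
        person = by_token.get(token)
        if person is None:
            unknown += 1
        else:
            clicked[person["email"]] = person

    def breakdown(field):
        totals, hits = defaultdict(int), defaultdict(int)
        for t in targets:
            totals[t[field]] += 1
        for p in clicked.values():
            hits[p[field]] += 1
        return {g: {"targeted": totals[g], "clicked": hits[g],
                    "rate": round(hits[g] / totals[g], 2)}
                for g in sorted(totals)}

    return {"clicked": sorted(clicked),
            "by_grade": breakdown("grade"),
            "by_dept": breakdown("dept"),
            "unknown_tokens": unknown}


# Constructed click log: three genuine clicks (one of them repeated) plus a
# forged token that must not be attributed to any recipient.
CLICK_LOG = [
    tracking_token("cfo@example.com"),
    tracking_token("hr-lead@example.com"),
    tracking_token("cfo@example.com"),
    tracking_token("sales1@example.com"),
    "0000000000000000deadbeef",
]


def run_example():
    """Target everyone for the demo (fraction=1.0) and score the constructed log."""
    return score_campaign(select_targets(STAFF, 1.0, seed=7), CLICK_LOG)


if __name__ == "__main__":
    report = run_example()
    for grade, r in report["by_grade"].items():
        print(f"{grade:<8} {r['clicked']}/{r['targeted']} clicked ({r['rate']:.0%})")
    print("unknown tokens:", report["unknown_tokens"])
```

On the constructed data the C-level and manager grades each show a 50% click rate against 25% for junior staff, which is the point of sampling without regard to hierarchy: the weakness may well be at the top. The breakdown by grade and department is what feeds back into training; the individual list is there to close the loop with those people, not to publish a league table.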
Companies should train mid-level and junior staff on cyber security more frequently to reinforce defensive behaviours. Our research found that only 38% of companies conduct training quarterly or twice a year; the rest train annually or even less often. Additionally, most training gives employees only a 25% chance of successfully recognising a cyber attack one month later. Executives should make it a priority to improve these training programmes in order to reduce the likelihood of a successful penetration beyond the one-month mark. Training should include role playing, scripts that mimic real-life attacks, and testing to assess effectiveness.