The Misguided Solution to the Phishing Problem
Quick Answer
Awareness training reduces phishing clicks but cannot eliminate them, and cyber risk is binary: one click breaches the organization. KnowBe4 data shows continuous training across a full year takes the phish-prone rate to about 2 percent at best, and other research finds 1 in 4 employees know the security guidelines and ignore them anyway. Cost comparison for 150 employees per year: KnowBe4 training around 3,300 dollars; cloud-based phishing protection technology with real-time link scanning around 540 dollars. The lower-cost option is also more effective because it doesn't depend on human judgment under time pressure. Recommendation: keep awareness training as an ongoing program to cover the residual cases, but invest in technical phishing protection first, since it stops the message before any user has to make a decision.
About a year ago, information security company Shred-it released a report saying “Employee negligence is the main cause of data breaches.” I have no doubt that’s true. The part I disagree with is the solution.
The solution that’s being promoted for the “employee” problem is phishing awareness training. And not just training, but MORE training. There’s only one problem with this way of thinking: it won’t eliminate data breaches.
Those in the know even admit this. According to a recent article in SC Magazine, when discussing employee education, Zvi Guterman, CEO of CloudShare said, “Best of all, reducing cyber incidents through education and training is achievable…” Did you see what he did there?
Employee awareness training will reduce, but not eliminate, cyber incidents. And that’s the problem. Until companies can get to zero cyber incidents, they have a cyber security problem. It only takes one breach.
Imagine these two extreme approaches to email security. In approach #1, the company uses no email security service, but every employee has awareness training. In approach #2, there’s email security technology in place to prevent phishing, but none of the employees receive any awareness training. Which approach do you think will be more effective?
We know from research that after one year of continuous employee training, the best possible result is 98% effectiveness. And that’s when employees care about security. What we also know from research is that “1 in 4 workers are aware of security guidelines – but ignore them.” Still think training is the way to go?
There’s nothing wrong with awareness training. Every organization should have an ongoing educational program. But it’s not enough. Education alone will leave your company vulnerable for certain.
If your company is on a limited budget, the best investment you can make is phishing protection technology with real-time link click protection. Not only is it more effective at stopping phishing attacks, but it’s far cheaper than awareness training.
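To make “real-time link click protection” concrete, here is an added example of the mechanism behind that class of product; it is illustrative code written for this page, not DuoCircle’s code or any vendor’s implementation. At delivery time every link in the message is rewritten to a signed gateway URL; at click time the gateway verifies the signature and consults the reputation data current at that moment, so a domain that looked clean when the mail arrived but was flagged an hour later is still blocked, with no decision required from the user. The gateway host, signing key, message body and reputation table are all constructed for the example.

```python
import hmac
import hashlib
import re
from urllib.parse import urlparse, urlencode, parse_qs

# Assumed values for the example only (not a real gateway or key).
GATEWAY = "https://click.gateway.example/r"
SIGNING_KEY = b"constructed-demo-key"

# Matches http(s) URLs in a plain-text body (good enough for the demo).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC over the original URL so the gateway can reject edited links."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Delivery-time step: replace each URL with a signed gateway link.

    The original destination is carried in the query string, so the
    verdict can be deferred until someone actually clicks.
    """
    def repl(match):
        original = match.group(0)
        query = urlencode({"u": original, "sig": _sign(original)})
        return f"{GATEWAY}?{query}"
    return URL_RE.sub(repl, body)


def resolve_click(gateway_url: str, reputation: dict) -> tuple:
    """Click-time step: verify the link, then check *current* reputation.

    Returns ("allow", original_url) or ("block", reason).
    """
    params = parse_qs(urlparse(gateway_url).query)
    original = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    if not original or not hmac.compare_digest(sig, _sign(original)):
        return ("block", "tampered or malformed gateway link")
    host = urlparse(original).hostname or ""
    if reputation.get(host, "unknown") == "malicious":
        return ("block", f"{host} is flagged as malicious at click time")
    return ("allow", original)


def demo() -> tuple:
    """Deliver a message while the domain looks clean, then flag it later."""
    # Constructed reputation table; in practice this is a live feed.
    reputation = {"payroll-update.example": "clean"}
    body = "Please verify your account: https://payroll-update.example/login"

    delivered = rewrite_links(body)          # rewritten at delivery
    link = URL_RE.search(delivered).group(0)  # what the user would click

    before = resolve_click(link, reputation)  # clean at this moment
    reputation["payroll-update.example"] = "malicious"  # flagged afterwards
    after = resolve_click(link, reputation)   # same link, now blocked
    return before, after


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point the example makes is the one the paragraph relies on: the decision is taken by the gateway with whatever intelligence exists at click time, not by an employee at delivery time, and a rewritten link that has been edited in transit fails the signature check and is blocked regardless of reputation.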
To train 150 employees for a year with training company KnowBe4 costs up to $3,300/year. To protect those same 150 employees for a year with phishing prevention technology costs only $540/year. That’s right, something that’s better actually costs less.
Phishing is a problem, we all agree. If you have the budget, purchase every form of protection you can, including training your employees. But the first thing you should invest in, if you want to keep your company’s data safe, is phishing protection with real-time link click protection.
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.