It’s official: Phishing awareness training is almost futile. IT security professionals from the two largest banks in Canada said so last week at the SC Congress security conference in Toronto. Manish Khera, director of data protection, security consulting and application security at RBC Capital Markets, said, “What I’ve learned is you can’t fix stupid,” and his colleague Jeff Stark, director of cybersecurity at CIBC, agreed and added, “User awareness training doesn’t work, and should be abandoned.”
These people know what they are talking about. Their organizations spent time and money trying to train their users and raise awareness around phishing using a myriad of scare tactics. Everyone admits this is a daunting task that might take decades to show significant results. Someone even compared it to the historical fight to reduce smoking, which did eventually succeed.
But only after several decades.
We can’t wait that long.
Organizations and businesses today don’t have the time to wait for their users to wise up. So some resort to unusual tactics, like shaming repeat offenders in front of their peers (not a brilliant idea if you want to foster trust between security and the rest of the organization). But in all honesty, we can only expect so much from employees: they are not professional IT security folks and have better things to do than deliberate over whether they should or shouldn’t open an email. In fact, even employees of security companies sometimes fail this test, as illustrated by the RSA breach several years ago, when a phishing attack (and not a terribly ingenious one) caused a major black eye for a well-respected security company.
And even if we trust our users to thwart attacks, we need to assume that cyber criminals are devising new ways to deceive them. Unless automated technologies are deployed, organizations are doomed to face the same reality again and again: your defenses are not foolproof, and it only takes one foolish employee to compromise an entire organization.