Blog — Oct 15, 2021

6 Reasons Why Phishing and Security Awareness Training Programs Fail


The majority of devastating cyberattacks begin with a simple phishing email that tricks a user into helping the threat actor. To counter this threat, many companies provide employees and extended team members with some form of phishing and security awareness training (PSAT) as an important element of their cybersecurity program.

A comprehensive training and testing program leverages realistic threat scenarios to foster context-relevant (e.g., tailored to your industry and risks) security awareness that:

Unfortunately, most security awareness training initiatives fail to achieve the desired business outcomes, so understanding why these programs fail will help your organization get the most out of your own PSAT investments—and may ultimately make the difference between a close call and a disaster.

Most common reasons that security awareness training programs may fail

From speaking with countless businesses and organizations about their experiences with PSAT programs, we’ve identified six common causes of failure.

1. They lack explanation and context

Whether the restriction is “do not install unauthorized software” or “do not click on links”, top-down commandments that simply provide an endless list of what not to do nearly always lead to low employee engagement. Wrapping the same directives in PSAT training does not change that.

The solution: Explain why the training is important for your employees, and for the organization, and how the training fits into the broader cybersecurity plan. Tell your team why security policies are needed and about the potentially devastating consequences of installing unapproved software or opening attachments. In short, treat your team with respect and tell them “the why” before you get into the list of specifics.

2. They focus too much on phishing emails

These two statements are true at the same time:

While phishing emails should definitely receive considerable attention, it’s a mistake to overlook other tactics. Today’s threat actors are skilled at using a wide range of attack vectors, and they’re experts at targeting the specific tools used in your industry, poisoning search results, leveraging common information needs, and exploiting human nature.

The solution: Make sure your PSAT program is tailored to your industry and remains up to date with the latest trends and regulatory requirements. The examples used should be precisely targeted, because the real-world attacks will be.

3. They use generic content that lacks industry context

The examples within many PSAT programs often come from publicly available sources. As a result, they are exceptionally generic and unintentionally feed into two misconceptions:

  1. Phishing lures are self-evidently obvious (e.g., a Netflix account reset sent to a business address)

  2. The victim is at fault for not recognizing the obvious phishing attempt

The truth is that criminals are exceptionally skilled at targeting not only your industry, but also your specific organization. Popular, effective lures include:

However, these lures are not generic: they leverage information about suppliers and customers, trends and news within the industry, and even publicly available information (e.g., from regulatory documents, court filings, LinkedIn, etc.).

Attackers may know your internal hierarchies, complete with employee names and roles. They may even have set up websites to masquerade as legitimate members of the ecosystem.

The solution: Make sure your PSAT program is tailored to your industry and remains up to date with the latest trends and regulatory requirements. The examples used should be precisely targeted, because the real-world attacks will be.

4. Evaluating effectiveness focuses on execution metrics, rather than on outcome metrics

Once it’s time to report on the success of the PSAT program, many security teams spend time answering questions such as, “How many people have we trained? How many people were tested? What percentage passed? What was the average score?”

Although those metrics are easy to record and report, they’re also execution metrics—they measure what your team did and the efficiency with which they did it.

Unfortunately, these metrics can lead to a false sense of security, and they don’t answer important questions such as:

The solution: When it comes to measuring PSAT effectiveness, emphasize business outcomes and behavior (e.g., the number of suspicious emails reported to IT, proactive communication with the security team, and the number of policy violations) ahead of execution metrics.
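To make the execution-versus-outcome distinction concrete, here is an added example (not eSentire’s code or tooling) that scores one simulated phishing campaign both ways. The campaign records, field names and the 75% pass mark are constructed assumptions for illustration, not any vendor’s schema; the point is that the execution numbers can look perfect while the outcome numbers show the behaviour that actually limits damage.

```python
"""Execution vs. outcome metrics for a phishing-simulation campaign.

Added example, not eSentire's code. The records below are constructed for
illustration; the field names and pass mark are assumptions, not a vendor schema.
"""
from statistics import median

# Constructed campaign events: one row per employee who received the simulated
# lure. "clicked" and "reported" are minutes after send (None = did not happen).
CAMPAIGN = [
    {"user": "alice", "trained": True,  "quiz": 90,   "clicked": None, "reported": 4},
    {"user": "bob",   "trained": True,  "quiz": 85,   "clicked": 12,   "reported": 15},
    {"user": "carol", "trained": True,  "quiz": 80,   "clicked": 3,    "reported": None},
    {"user": "dave",  "trained": False, "quiz": None, "clicked": None, "reported": None},
    {"user": "erin",  "trained": True,  "quiz": 95,   "clicked": None, "reported": 40},
    {"user": "frank", "trained": True,  "quiz": 80,   "clicked": None, "reported": None},
]


def execution_metrics(events, pass_mark=75):
    """What the team did: coverage and quiz pass rate. Easy to report, says little about risk."""
    trained = [e for e in events if e["trained"]]
    passed = [e for e in trained if e["quiz"] is not None and e["quiz"] >= pass_mark]
    return {
        "trained_pct": round(100 * len(trained) / len(events), 1),
        "pass_pct": round(100 * len(passed) / len(trained), 1) if trained else 0.0,
    }


def outcome_metrics(events):
    """What people actually did when a realistic lure arrived."""
    n = len(events)
    reported = [e for e in events if e["reported"] is not None]
    clicked = [e for e in events if e["clicked"] is not None]
    # Clickers who reported their own mistake afterwards: the behaviour a
    # no-blame reporting policy (reason 5) is meant to produce.
    clicked_then_reported = [
        e for e in clicked if e["reported"] is not None and e["reported"] >= e["clicked"]
    ]
    # Time to the first report bounds how long a real campaign would go unnoticed.
    first_report = min(e["reported"] for e in reported) if reported else None
    return {
        "report_rate_pct": round(100 * len(reported) / n, 1),
        "click_rate_pct": round(100 * len(clicked) / n, 1),
        "self_report_after_click_pct": (
            round(100 * len(clicked_then_reported) / len(clicked), 1) if clicked else 0.0
        ),
        "minutes_to_first_report": first_report,
        "median_report_minutes": median(e["reported"] for e in reported) if reported else None,
    }


if __name__ == "__main__":
    # On this constructed data every trained employee passed the quiz (pass_pct 100.0),
    # yet a third of recipients clicked and only half of recipients reported the lure.
    print("execution:", execution_metrics(CAMPAIGN))
    print("outcome:  ", outcome_metrics(CAMPAIGN))
```

Reporting the outcome dictionary alongside the execution one is the whole change: a 100% pass rate on the quiz coexists with a 33% click rate, and the time-to-first-report figure is what a SOC would actually use to judge how much exposure a real lure would have had.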

5. They systematically drive undesired behaviors

Many PSAT programs, and the cybersecurity initiatives under which they’re delivered, inadvertently encourage undesired behavior and discourage the desired behavior. For example, naming and shaming employees who are victimized creates an incentive for people not to report when they recognize they’ve made a mistake.

The solution: Take a lesson from the aviation industry’s playbook. Aviation is so safe because of policies that were consciously implemented to encourage ongoing learning, including gathering and analyzing data (through the use of black boxes) and ensuring that those who report incidents don’t face consequences for doing so.

6. They overlook risks and gaps at the executive level

Executives, the board, and other key employees (including people with access to non-public information) are sometimes overlooked or excused from training, which results in two major consequences. First, it sends the wrong message that cybersecurity isn’t everyone’s shared responsibility and second, it doesn’t keep these team members up to date on the latest threats and vulnerabilities.

Moreover, generic training programs don’t prepare senior leaders to recognize the highly targeted threats that they are likely to face.

The solution: The entire leadership team needs to recognize the importance of cybersecurity training. In fact, they need to model good behavior for the organization. At the same time, the PSAT program needs to meet the specific needs of the leadership group, recognizing that these individuals may be targeted with extremely sophisticated threats.

Parting words

Effective phishing and security awareness training is about up-levelling everyone’s risk awareness—rather than trying to turn everyone into security experts—and should exist within a culture of security that’s focused on outcomes.

After all, cybersecurity isn’t an IT problem to solve, it’s a business risk to manage.

To learn how eSentire’s Managed Phishing and Security Awareness Training can help drive behavioral change with your employees across your organization, book a meeting with a security specialist today.


eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.