The majority of devastating cyberattacks begin with a simple phishing email that tricks a user into helping the threat actor. To counter this threat, many companies provide employees and extended team members with some form of phishing and security awareness training (PSAT) as an important element of their cybersecurity program.
A comprehensive training and testing program leverages realistic threat scenarios to foster context-relevant (e.g., tailored to your industry and risks) security awareness that:
Drives security awareness and behavioral change: Reduce the risk of phishing-based intrusions with user-specific training
Tests user resiliency: Test user ability to identify and avoid the latest phishing tactics and campaigns
Identifies and measures improvement: Identify high-risk users and groups, and reduce risk associated with their privileges and access
Alleviates resource constraints: Reduce the burden on security teams to deliver training and to manage security operations
Meets regulatory requirements: Comply with state, industry and professional regulations and obligations
Unfortunately, most security awareness training initiatives fail to achieve the desired business outcomes, so understanding why these programs fail will help your organization get the most out of your own PSAT investments—and may ultimately make the difference between a close call and a disaster.
From speaking with countless businesses and organizations about their experiences with PSAT programs, we’ve identified six common causes of failure.
Whether the restriction is “do not install unauthorized software” or “do not click on links”, top-down commandments that simply provide an endless list of what not to do nearly always lead to low employee engagement. Wrapping those same directives into PSAT training does nothing to change that.
The solution: Explain why the training is important for your employees, and for the organization, and how the training fits into the broader cybersecurity plan. Tell your team why security policies are needed and about the potentially devastating consequences of installing unapproved software or opening attachments. In short, treat your team with respect and tell them “the why” before you get into the list of specifics.
These two statements are true at the same time:
Most successful cyberattacks begin with a phishing email
Most PSAT training focuses too much on phishing emails
While phishing emails should definitely receive considerable attention, it’s a mistake to overlook other tactics. Today’s threat actors are skilled at using a wide range of attack vectors, and they’re experts at targeting the specific tools used in your industry, poisoning search results, leveraging common information needs, and exploiting human nature.
The solution: Make sure your PSAT program is tailored to your industry and stays current with the latest attack trends and regulatory requirements. The examples used should be precisely targeted, because the real-world attacks will be.
The examples within many PSAT programs often come from publicly available sources. As a result, they are exceptionally generic and unintentionally feed into two misconceptions:
Phishing lures are self-evidently obvious (e.g., a Netflix account reset sent to a business address)
The victim is at fault for not recognizing the obvious phishing attempt
The truth is that criminals are exceptionally skilled at targeting not only your industry, but also your specific organization. Popular, effective lures include:
Payment requests and invoices
Legal threats and actions
Shipment tracking and delivery
Tax and HR employee data requests
COVID-19 and election information
However, these lures are not generic: they leverage information about suppliers and customers, trends and news within the industry, and even publicly available information (e.g., from regulatory documents, court filings, LinkedIn, etc.).
Attackers may know your internal hierarchies, complete with employee names and roles. They may even have set up websites to masquerade as legitimate members of the ecosystem.
The solution: Make sure your PSAT program is tailored to your industry and stays current with the latest attack trends and regulatory requirements. The examples used should be precisely targeted, because the real-world attacks will be.
Once it’s time to report on the success of the PSAT program, many security teams spend time answering questions such as, “How many people have we trained? How many people were tested? What percentage passed? What was the average score?”
Although those metrics are easy to record and report, they’re also execution metrics—they measure what your team did and the efficiency with which they did it.
Unfortunately, these metrics can lead to a false sense of security and, what’s more, they don’t answer the questions that matter, such as:
Are we reducing our risk?
Have we reduced operating costs?
Have we freed up IT expertise to direct their efforts to other threats?
The solution: When it comes to measuring PSAT effectiveness, emphasize business outcomes and behavior (e.g., the number of suspicious emails reported to IT, proactive communication with the security team, and the number of policy violations) ahead of execution metrics.
Many PSAT programs, and the cybersecurity initiatives under which they’re delivered, inadvertently encourage undesired behavior and discourage the desired behavior. For example, naming and shaming employees who are victimized creates an incentive for people not to report when they recognize they’ve made a mistake.
The solution: Take a lesson from the aviation industry’s playbook. Aviation is so safe because of policies that were consciously implemented to encourage ongoing learning, including gathering and analyzing data (through the use of black boxes) and ensuring that those who report incidents don’t face consequences for doing so.
Executives, the board, and other key employees (including people with access to non-public information) are sometimes overlooked or excused from training, which has two major consequences. First, it sends the wrong message that cybersecurity isn’t everyone’s shared responsibility; second, it leaves these team members out of date on the latest threats and vulnerabilities.
Moreover, generic training programs don’t prepare senior leaders to recognize the highly targeted threats that they are likely to face.
The solution: The entire leadership team needs to recognize the importance of cybersecurity training. In fact, they need to model good behavior for the organization. At the same time, the PSAT program needs to meet the specific needs of the leadership group, recognizing that these individuals may be targeted with extremely sophisticated threats.
Effective phishing and security awareness training is about up-levelling everyone’s risk awareness—rather than trying to turn everyone into security experts—and should exist within a culture of security that’s focused on outcomes.
After all, cybersecurity isn’t an IT problem to solve, it’s a business risk to manage.
To learn how eSentire’s Managed Phishing and Security Awareness Training can help drive behavioral change with your employees across your organization, book a meeting with a security specialist today.
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.