Blog — Oct 15, 2021

6 Reasons Why Phishing and Security Awareness Training Programs Fail

The majority of devastating cyberattacks begin with a simple phishing email that tricks a user into helping the threat actor. To counter this threat, many companies provide employees and extended team members with some form of phishing and security awareness training (PSAT) as an important element of their cybersecurity program.

A comprehensive training and testing program leverages realistic threat scenarios to foster context-relevant (e.g., tailored to your industry and risks) security awareness that:

Unfortunately, most security awareness training initiatives fail to achieve the desired business outcomes, so understanding why these programs fail will help your organization get the most out of your own PSAT investments—and may ultimately make the difference between a close call and a disaster.

Most common reasons that security awareness training programs may fail

From speaking with countless businesses and organizations about their experiences with PSAT programs, we’ve identified six common causes of failure.

1. They lack explanation and context

Whether the restriction is “do not install unauthorized software” or “do not click on links”, top-down commandments that simply provide an endless list of what not to do nearly always lead to low employee engagement. Wrapping the same directives in PSAT training is no different.

The solution: Explain why the training is important for your employees, and for the organization, and how the training fits into the broader cybersecurity plan. Tell your team why security policies are needed and about the potentially devastating consequences of installing unapproved software or opening attachments. In short, treat your team with respect and tell them “the why” before you get into the list of specifics.

2. They focus too much on phishing emails

These two statements are true at the same time:

While phishing emails should definitely receive considerable attention, it’s a mistake to overlook other tactics. Today’s threat actors are skilled at using a wide range of attack vectors, and they’re experts at targeting the specific tools used in your industry, poisoning search results, leveraging common information needs, and exploiting human nature.

The solution: Make sure your PSAT program covers the full range of tactics described above, is tailored to your industry, and stays up to date with the latest trends and regulatory requirements. The examples used should be precisely targeted because the real-world attacks will be.

3. They use generic content that lacks industry context

The examples within many PSAT programs often come from publicly available sources. As a result, they are exceptionally generic and unintentionally feed into two misconceptions:

  1. Phishing lures are self-evidently obvious (e.g., a Netflix account reset sent to a business address)

  2. The victim is at fault for not recognizing the obvious phishing attempt

The truth is that criminals are exceptionally skilled at targeting not only your industry, but also your specific organization. Popular, effective lures include:

However, these lures are not generic: they leverage information about suppliers and customers, trends and news within the industry, and even publicly available information (e.g., from regulatory documents, court filings, or LinkedIn).

Attackers may know your internal hierarchies, complete with employee names and roles. They may even have set up websites to masquerade as legitimate members of the ecosystem.

The solution: Make sure your PSAT program is tailored to your industry and remains up to date with the latest trends and regulatory requirements. The examples used should be precisely targeted because the real-world attacks will be.

4. Evaluating effectiveness focuses on execution metrics, rather than on outcome metrics

Once it’s time to report on the success of the PSAT program, many security teams spend time answering questions such as, “How many people have we trained? How many people were tested? What percentage passed? What was the average score?”

Although those metrics are easy to record and report, they’re also execution metrics—they measure what your team did and the efficiency with which they did it.

Unfortunately, these metrics can create a false sense of security, and they don’t answer important questions such as:

The solution: When it comes to measuring PSAT effectiveness, emphasize business outcomes and behavior (e.g., the number of suspicious emails reported to IT, proactive communication with the security team, and the number of policy violations) ahead of execution metrics.

5. They systematically drive undesired behaviors

Many PSAT programs, and the cybersecurity initiatives under which they’re delivered, inadvertently encourage undesired behavior and discourage the desired behavior. For example, naming and shaming employees who are victimized creates an incentive for people not to report when they recognize they’ve made a mistake.

The solution: Take a lesson from the aviation industry’s playbook. Aviation is so safe because of policies that were consciously implemented to encourage ongoing learning, including gathering and analyzing data (through the use of black boxes) and ensuring that those who report incidents don’t face consequences for doing so.

6. They overlook risks and gaps at the executive level

Executives, the board, and other key employees (including people with access to non-public information) are sometimes overlooked or excused from training, which has two major consequences. First, it sends the wrong message that cybersecurity isn’t everyone’s shared responsibility; second, it leaves these team members out of date on the latest threats and vulnerabilities.

Moreover, generic training programs don’t prepare senior leaders to recognize the highly targeted threats that they are likely to face.

The solution: The entire leadership team needs to recognize the importance of cybersecurity training. In fact, they need to model good behavior for the organization. At the same time, the PSAT program needs to meet the specific needs of the leadership group, recognizing that these individuals may be targeted with extremely sophisticated threats.

Parting words

Effective phishing and security awareness training is about up-levelling everyone’s risk awareness—rather than trying to turn everyone into security experts—and should exist within a culture of security that’s focused on outcomes.

After all, cybersecurity isn’t an IT problem to solve, it’s a business risk to manage.

To learn how eSentire’s Managed Phishing and Security Awareness Training can help drive behavioral change with your employees across your organization, book a meeting with a security specialist today.

eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.