WHITE PAPER

Security Awareness Training
Buyer’s Guide
Sharpening your organization’s
human defenses against phishing threats.

www.phishlabs.com

Contents

The Need for Security Awareness Training
Critical Elements of a Security Awareness Training Program
Solution Options
Defining Success

The Need for Security Awareness Training

To paraphrase an old saying, a wall is only as strong as its weakest point. When it comes to system and data security, people are often that point. Employees are attackers’ top targets, and they’re usually considered the top security risk. But a security awareness training (SAT) program can convert employees from a vulnerability to an asset by greatly increasing their awareness of threats, increasing their vigilance and conditioning them to report suspicious emails to the appropriate security teams, who can then investigate and roll out defenses against new attacks.

After reading this buyer’s guide you will understand:
■ The pros and cons of different approaches to SAT.
■ The key areas every SAT program should address.
■ What to look for in an SAT program.
■ How to measure success of an SAT program.

Firewalls, anti-spam appliances and other technical countermeasures are essential components of any security program. They’ll never be 100% effective because reaching that point would block too many legitimate communications. Yet the best technologies block, on average, 99%* of all phish. Considering that an average 5,000-person company receives about 276,500* spam emails a day, the best filters still let 2,765 pieces of spam through daily. Of that, 1.5%*, or 41 per day, are phish. That’s 1,200 phishing emails successfully delivered to the company every month, over 14,400 phishing emails landing in employee boxes each year. If an organization has 5,000 employees, typically clicking on 20%* of phish, that’s 2,880 clicks on phishing emails each year. Or, perhaps, 240 infected computers each month. Or worse.

People are the last line of defense to prevent unblocked attacks from clearing a path to your systems and data. To serve that role effectively, employees must be aware of and highly sensitive to threats and ever vigilant in defending against them.

A 5,000-PERSON COMPANY RECEIVES ROUGHLY 276,500 SPAM EMAILS A DAY. ADVANCED EMAIL PROTECTION TOOLS BLOCK 99% OF SPAM EMAILS*. This means that 2,765 spam emails still bypass advanced email protection tools each day. 1.5% are phish = 41 PHISH EACH DAY. That’s 1,200 phishing emails successfully delivered to the company every month, or 14,400 phishing emails landing in employee boxes each year. One in five users click on links in phishing emails*. For a company of 5,000 employees, that’s 2,880 CLICKS ON PHISHING EMAILS EACH YEAR: EIGHT OPPORTUNITIES FOR A DATA BREACH EVERY SINGLE DAY.

PhishLabs®. All Rights Reserved. www.phishlabs.com

Critical Elements of a Security Awareness Training Program

Various components are essential to the success of a security awareness training program, including the following:

■ The Team: Clearly defined roles and responsibilities, along with management updates at specific intervals, are essential for success. Further, the team must have the authority (and backbone) to conduct ongoing phishing simulation testing that will not always be well received by employees.

■ Training Plan: A clearly written training plan provides the framework for the overall program and allows for controlled, measured adjustments as the need arises. The plan should be customized for your organization using a combination of the latest threat trends, knowledge of industry-specific threats and company-specific factors.

■ Assessments: A baseline assessment provides a high-level evaluation of your organization’s overall security awareness and serves as a basis to measure the success of the training program. An assessment of the entire organization, rather than a subset of employees, provides a true snapshot of your organization’s susceptibility to phishing attacks.

■ Phishing and Social Engineering Simulations: A library of the latest attack simulations based on real-world threat activity against your organization or its industry is essential. It allows your program to be relevant to your organization, but it must be continuously updated to reflect emerging threats. Measuring performance against simulated attacks that don’t reflect reality won’t show an accurate picture of performance improvement.

■ Training: To ensure effectiveness, training should be focused on teachable moments—particularly, when users fail a simulated phishing attack. To keep employees engaged, the training should fit within normal attention spans and provide a selection of engaging short videos, infographics and other content.

■ Continuous Progress Measurement: Measuring progress is arguably the most crucial part of any security awareness program. To ensure detailed insight into the strengths and weaknesses of your organization’s overall security, track the progress of specific business units, departments or other organizational units to allow for the quick identification of problem areas and micro-trends. Not all attacks are the same. Also measure performance based on attack types and levels of sophistication.

■ Languages: A security awareness training program must condition the entire organization. Thus, in multilingual organizations the program should provide attack simulations and training in all employees’ languages.

■ Continuously Current: Threats continuously change and evolve. Keeping an SAT program up-to-date is crucial for its success. There are numerous resources that can help you to stay abreast of the latest attacks, including media outlets and industry associations. However, the most important resources are security teams that deal with specific attacks targeting your organization daily.

■ Flexible: Adjusting an SAT program based on simulation testing results and external threat factors allows it to maintain relevancy and effectiveness. As employees are tested, specific groups or individuals may require special attention. Further, as new threat vectors arise, a flexible program needs to adapt to continue to protect the organization.

■ Easy to Administer: The amount of administration involved will depend on the size and complexity of your organization as well as your approach to implementing and managing the program. The administrative workload can significantly impact the success of the program and should be a top consideration when choosing a solution.

Solution Options

Broadly speaking, SAT solutions come in three flavors:

■ Internal. Create, execute and manage it yourself using only internal resources (manpower & technology).
■ Self-Serve. Purchase SAT tool(s) from a vendor, but use internal personnel to manage and maintain the solution.
■ Fully Managed. Use an external vendor to provide the SAT tool(s) and fully manage the training and testing program.

The following discussion examines each of these options.

[Comparison table: Internal, Self-Serve and Fully Managed rated on ease of implementation, ease of management and flexibility of solution; the ratings themselves did not survive extraction.]

Internal

Supporting security awareness training using only internal resources is possible, but you have to ask, “Why would you want to?” Supporting an SAT program falls outside of the core mission of most organizations. In addition, the budget required for dedicated staff to plan, create, manage, monitor and support the program—including not just providing training, but also developing the necessary tools and creating, running and measuring relevant, real-world attack simulations—is often much higher than the cost of a self-serve or fully managed option.

PROS:
■ Ability to shape the program to be very specific to the organization
■ Total control of every aspect of the program

CONS:
■ Lacks insight into real-time, real-world threats emerging “in the wild”
■ Difficult to maintain relevancy and effectiveness
■ Requires significant time and effort from dedicated internal resources
■ SAT is not one of the organization’s core competencies
■ “Total cost of ownership” of a comprehensive program can be very high
■ Over time, commitment often wanes, eventually falling below the minimum required level

Self-Serve

In a self-serve model, the organization purchases a tool or tools for the implementation and on-going management of the program. The tool(s) provide the majority of the capabilities needed to conduct assessments, create and launch phishing simulation campaigns, assign training, monitor results and more. This can improve the quality of the overall program compared to a fully internal approach, but it still requires significant internal resources to manage the program.

PROS:
■ Can provide a robust set of tools to launch and manage a program
■ Provides a selection of simulations and training, allowing you to customize (somewhat) the program to specific needs or security weaknesses

CONS:
■ Still requires significant time and effort from internal resources
■ Training simulations will likely still be somewhat generic and not fully tailored to the organization’s needs
■ Likely won’t make full use of real-time insights into threats emerging “in the wild”
■ Subject matter expertise must be kept up-to-date, despite the topics not being core to the organization’s mission
■ Over time, commitment often wanes, eventually falling below the minimum required level

Fully Managed

A fully managed service requires little to no “hands on” activity by your organization and typically requires no onsite hardware, software or other service tools beyond those supplied by the vendor. The scope of the solution will vary depending on the vendor, but superior outcomes can be achieved if the vendor uses its industry-specific and operational security experience to tailor the solution to your organization’s exact needs. Service reports, analytics and other relevant information customized for your organization are provided at regular intervals to allow for needed adjustments and to ensure the program is optimized.

PROS:
■ Enables a comprehensive security awareness training program using the industry’s latest best practices
■ Leverages experience and expertise gained serving a variety of companies
■ Takes advantage of the vendor’s broad, real-time experience of ongoing attacks across your industry, including emerging threat vectors
■ Draws on a wealth of pre-existing operational security experience
■ Provides a cost-effective, turnkey solution that can be deployed quickly
■ Delivers focused subject matter expertise

CONS:
■ Dependence on an external team

Defining Success

A successful security awareness training program should enhance overall security awareness and improve employee vigilance in a measurable way. Some success measurements may be subjective. Since success may mean different things to different organizations, it’s simpler to explain what a successful program looks like in terms of overarching common characteristics, but, at the most basic level, you should consider security awareness training to be successful only if all of the following are true:

■ Click rates on simulated phish decline significantly from the baseline measurement.
■ Employees are vigilant.
■ Employees are suspicious of all emails arriving in their inbox.
■ Employees are reporting suspicious emails/activity to the appropriate security personnel.
■ Vigilance remains high over time.
■ Your security awareness training program is fully integrated into your overall security program.
■ Metrics are closely monitored and communicated and adjustments are made as needed.
■ The ROI of the program can be clearly articulated to management.

SAT CHECKLIST

When selecting an SAT program choose one that:
✔ Doesn’t overtax your internal resources.
✔ Is built and delivered by a team that has comprehensive training and operational security experience.
✔ Draws on real-time, broad-based, operational insight into current and emerging threats, allowing for quick adjustments to simulations and training based on the real-world threats targeting the organization.
✔ Is or can be tailored to reflect specific threats faced in your industry and by the job functions in your organization.
✔ Facilitates realistic phishing attack simulations.
✔ Focuses on delivering training during teachable moments.
✔ Provides engaging training that holds interest while explaining and reinforcing the necessary defenses.
✔ Conditions employees to report suspicious emails.
✔ Allows easy, fast reporting of new phish directly from email clients.
✔ Filters out reports of simulated test phish to reduce the security team workload.
✔ Provides easy-to-use reporting with an adequate level of granularity.
✔ Can be updated to incorporate new threats.
✔ Ensures continuing commitment to security and the SAT program.

Sources

The Radicati Group, Inc. “Email Statistics Report, 2015-2019” (2015).
https://www.symantec.com/security_response/publications/monthlythreatreport.jsp
https://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q12014#VstRv5wrKUk
http://www.mcafee.com/us/resources/data-sheets/ds-email-protection.pdf
Christina, V., Karpagavalli, S., and Suganya, G. “A Study on Email Spam Filtering Techniques.” International Journal of Computing Applications IJCA 12.1 (2010): 7-9. Web.

PhishLabs is the leading provider of 24/7 cybersecurity services that protect against threats that exploit people. The company is trusted by top organizations worldwide, including 4 of the 5 largest U.S. financial institutions. PhishLabs combines proprietary technology, intelligence, and human expertise to rapidly detect, analyze, and stop targeted cyberattacks before they impact organizations. Additionally, the company provides robust threat intelligence that strengthens existing cyber defenses and optimizes threat prevention. Leading organizations partner with PhishLabs to more effectively disrupt targeted cyberattacks, prevent data breaches, and reduce online fraud.

www.phishlabs.com | info@phishlabs.com | +1.877.227.0790

©2016 Copyright Ecrime Management Strategies, Inc. All rights reserved. PhishLabs and the PhishLabs logo are trademarks or registered trademarks of Ecrime Management Strategies, Inc. in the United States and in other countries. All other trademarks referenced are the property of their respective owners.