[By Matt Lindley, COO and CISO at NINJIO]
Although the cyberthreat landscape is constantly shifting, several major cybercriminal tactics have stood the test of time. Phishing is one of them. Despite being among the best-known cyberthreats, the damage inflicted by phishing attacks keeps rising. This is because phishing exploits ingrained psychological vulnerabilities that are difficult for victims to overcome, and it has proven uniquely capable of adapting over time.
Another reason for the devastating effectiveness of phishing is the fact that employees have different susceptibilities that can be leveraged by cybercriminals in many ways. This means there’s no one-size-fits-all solution to phishing – companies must be capable of offering personalized phish training that accounts for different personality traits, levels of knowledge, and learning styles. This is particularly important as cybercriminals increasingly use AI to launch highly targeted phishing attacks at scale.
By personalizing cybersecurity awareness training, companies ensure that educational content is highly relevant to each individual, which improves engagement and information retention. Personalized phish training also generates invaluable data about security gaps, holds employees and security leaders accountable, and helps companies keep pace with new threats. These are just a few of the reasons why CISOs and their companies will prioritize personalized phish training in 2024.
Meeting the individual needs of learners
Relevance is a core component of CSAT – training must cover real-world cyberattacks and provide actionable information to employees. At a time when human beings are involved in nearly three-quarters of successful breaches, it’s vital to capture and hold employees’ attention with hyper-relevant training content. There’s one especially high-resolution form of relevance that CISOs and other security leaders must focus on: individual employee traits.
Employees should never be treated as if they’re interchangeable with one another. They have different skills, personalities, and learning styles, which means phish training must be designed to maximize the value of the educational experience on the basis of these variables. When phishing training is capable of identifying employees’ strengths and weaknesses, engaging them on a personal level, and tracking individual progress, the collective security of the entire organization will improve dramatically.
Employees have many psychological vulnerabilities – like fear, obedience, greed, opportunity, sociableness, urgency, and curiosity – and these vulnerabilities vary from person to person. If one employee has a propensity to click on malicious content sent by an authority figure (obedience and fear) while another is more inclined to fall for fake investment schemes (greed and opportunity), training content should be customized based on this information. Effective phish training should build adaptive behavioral profiles which account for different psychological risk factors, levels of knowledge and performance, and attack vectors.
When companies create training programs around individual behavioral profiles, they won’t just address specific vulnerabilities – they will also keep employees engaged and improve retention of the most critical concepts. By personalizing phish training, security leaders will provide the information that is most relevant to individual employees while preserving the flexibility to change course as circumstances demand.
Personalized training and the evolution of phishing
The average cost of a phishing breach hit $4.76 million in 2023, and phishing is the most common initial attack vector (along with stolen or compromised credentials, which are often obtained through phishing). This means phishing is by far the tactic of choice for cybercriminals when they want to gain access to secure accounts and networks – a long-term trend that’s likely to pick up momentum.
One reason phishing attacks will become increasingly common and destructive is the growing role of AI in these attacks. Generative AI tools like large language models (LLMs) and deepfakes give cybercriminals the ability to launch highly sophisticated and targeted phishing attacks on a vast scale. The key to guarding against these attacks is training employees to identify malicious content that is becoming far more difficult to distinguish from legitimate content. This process begins with personalized phish training that teaches employees how cybercriminals can hack their minds and use their psychological weaknesses against them.
Unlike traditional phishing schemes which rely on a high volume of messages to hook a handful of victims, AI allows hackers to collect large quantities of data on potential targets and create focused messages that exploit their unique psychological weaknesses. AI also drastically improves the quality of the messages themselves, fixing the spelling errors, strange syntax, and other mistakes that were once red flags (GPT-4 supports 26 languages, which gives many more hackers the ability to launch phishing attacks internationally).
Phishing has been among the most significant cyberthreats for years, but companies still aren’t able to stop employees from clicking on dangerous content. With the advent of AI-enabled phishing, this problem is about to get a whole lot worse – which is yet another reason why personalized phish training is a must-have.
Simulated phishing generates crucial data and engagement
According to Gartner, global end-user spending on security and risk management is projected to reach $215 billion this year – up 14.3 percent from 2023. This means CISOs must be capable of making a strong case to their boards for the cost-effectiveness of any cybersecurity initiative, and personalized phish training meets this standard in several ways.
An essential element of personalized phish training is the consistent evaluation of employees to pinpoint their susceptibilities, reinforce what they’re learning, and assess the organization’s overall security posture. Simulated phishing confronts employees with tests that mirror the latest social engineering tactics, which gives companies an accurate idea of how they would behave in real-world scenarios. This allows CISOs and other security leaders to identify the most at-risk employees, as well as the exact psychological and behavioral traits that make them vulnerable to attack. The company can then use this data to measure performance over time, engage with employees about their progress or areas for improvement, and close security gaps.
There are three central pillars of successful awareness training: relevance, engagement, and accountability. Because personalized phish content is tailored to each employee’s behavioral profile and learning style, it’s far more relevant than any one-size-fits-all solution and it provides much more actionable data. Individual attention will also keep employees engaged – especially at a time when large-scale skills disruption is imminent and employees are demanding professional development opportunities. Cybersecurity awareness is one of the most important skills employees can cultivate, which is why CISOs should present personalized phish training as a chance to prepare for the workplace and economy of the future.
Simulated phishing helps CISOs demonstrate the value of personalized training programs in a rigorous and consistent way. By aggregating individual employee performance, security leaders will have a clear view of the company’s overall level of security. This allows them to proactively improve their cybersecurity posture by addressing vulnerabilities as they arise, implementing constructive and engaging educational interventions, and empowering each employee to defend the company from phishing attacks.