In this article, we will explore the limitations of different awareness solutions. The goal is not to criticize these types of solutions, but to present the missing parts so that you can either fill them in or opt for a more comprehensive solution. It is of course preferable to have an awareness solution in place rather than nothing at all.
Many companies consider phishing to not be a danger to them. This observation is one of the main problems in the market today, as employees are becoming more vulnerable, making the hacker profession rather attractive.
So, we will focus on three types of solutions: e-learning, phishing tests, and custom-made solutions.
Why e-learning & LMS solutions are not enough?
Lack of engagement
E-learning or LMS solutions are very popular in businesses. It is an online learning through 45-minute modules, often with a certificate to prove that the training has been followed.
The first problem with this format is the lack of engagement. From a return on investment perspective, you will spend time chasing employees to get them engaged and follow the program. It is possible to share answers to different multiple-choice questions and therefore bypass the learning process.
Some employees see these programs as a constraint and a waste of time. Over time, some solutions are not even used anymore, resulting in a loss of money for the company. In other cases, the security, HR, or communication departments have to send reminder emails, time that could be dedicated to other tasks.
Difficult to measure ROI
The second problem is the difficult measurement of return on investment. Theory differs from practice, just because you received a perfect score on a multiple-choice question does not mean that you will easily detect a phishing email.
If you ask employees if they would open an attachment from an unknown sender, everyone will answer no. However, among individuals who have been sensitized and have validated e-learning modules, we collect between 10 and 20% of credentials in our tests.
It is important not to overlook the social engineering present in phishing emails: these manipulation techniques, for example, play on the desire to please or conform.
By using these psychological levers, the individual's response pattern is completely altered, which is not the case with theoretical teaching.
During e-learning, the employee expects to be trapped, they are aware that there is a right and wrong answer. When they empty their inbox, they are not in the same state of mind.
Therefore, this type of solution does not allow the measurement of return on investment and puts the person in an unrealistic situation.
Phishing tests, generally not optimized
Infrequent tests
Even if some phishing test solutions offer a simple and quick interface, time is needed to analyze the campaign results or to find inspiration in creating custom phishing scenarios.
The fear of negative acceptance from colleagues if too many tests are conducted is another barrier. The tests should not be seen as constraints but as real learning experiences.
Ebbinghaus' forgetting curve perfectly illustrates the need for reminders to fight against forgetting.
Lack of pedagogy
With quality domain names and a personalized email, it is very easy to trick your employees.
However, it is important not to lose sight of the learning objective. The goal is not to trick your colleagues, but to teach them what their mistakes are and how not to repeat them.
Many companies decide to conduct only a few campaigns per year and therefore, to make their simulations profitable, they test their entire staff directly.
A hacker will never proceed in this way, they will prefer to attack a few mailboxes and keep the others for potential future attacks.
Furthermore, the HR department is not tested in the same way as the sales department. Different contexts should be used based on the targeted profiles. By testing the entire company, your campaign will neither be relevant nor realistic, and the obtained results will not be reliable.
No training for reporting
Many solutions do not allow for training in reporting. Our mission at Arsen is to transform employees from potential vulnerability into true allies in the fight against phishing.
By not training employees in reporting, you limit the positive effects of training.
An employee "A" who understands that they have received a phishing email but does not report it prevents the company's proxy from blocking the domain or any other security measures that could have been triggered.
Meanwhile, a less attentive employee "B" may fall for the phishing attempt and disclose their credentials.
We can consider that employee "A" has been passive in the fight against phishing, whereas we want to train active individuals in this defense.
Therefore, it is necessary for phishing test solutions to allow for reporting in order to optimize training.
Custom-made solutions, often costly
The advantage of these solutions is that they are generally tailored to the company's context and its employees. They allow for strong engagement with a high relevance in the type of content presented.
Underestimated costs
However, the deployed resources are generally underestimated.
The mobilization of human resources or the cost of external resources - such as a cybersecurity specialist - generally represent high costs.
Still an immeasurable ROI
If these custom-made solutions do not allow for phishing simulations, it is difficult to evaluate the return on investment. It is interesting to assess whether employees who were originally vulnerable to phishing have become true actors in the defense of the company.
Conclusion
Despite the significant number of available solutions, few actually solve the phishing problem.
In light of the points mentioned, you can adjust the use of your solution, for example, by incorporating phishing tests.
You can also contact us to discuss your awareness solution.
We provide a solution that properly and effectively trains your employees.
Our goal is to improve your resistance to phishing and transform your workforce into a true human firewall.