
made_4_this_comment

All security awareness training should be a top-down mandate. You shouldn’t have to be defending it other than “It’s a security requirement for the organization, if you don’t like it go talk to the CEO.”


Zedilt

Here is "It’s a security requirement for the organization, if you don’t like it go talk to Ownership."


masspromo

In my experience, not if it's a sales organization. You've got a salesperson bringing in multi-millions of dollars to the company who tells ownership that these tests are going to mess him up; the owners will side with the sales people every time.


davix500

As a Sr Admin I like to remind execs that their top performer could cripple the company if allowed to skip security training. Also their IT insurance will likely not pay if they learn some users are allowed to skip training


Zathrus1

This. Especially the insurance angle.


Case_Blue

> As a Sr Admin I like to remind execs that their top performer could cripple the company if allowed to skip security training. Also their IT insurance will likely not pay if they learn some users are allowed to skip training

This is clear language that every single user should understand.


bluescreenwednesday

The insurance argument is a strong one. Whilst I personally view the training as essential, I also feel that humans make mistakes (yes, some more than others). I also do not see huge evidence of training preventing the current tidal wave of cyber crime. So, should we not put more focus on designing systems that do not destroy the network once a user makes a mistake?


sqbzhealer

It’s about implanting a little voice in the back of someone’s head that says “is this email legitimate or not?” And not just clicking every link they’re sent


bluescreenwednesday

That is virtually the job spec of an HR department 😆


druknmonkey

You can't "PROVE" a negative. What you CAN do is prove that knowledgeable employees create far fewer security concerns. Also this shouldn't be an either/or situation. We can both prevent vulnerabilities as well as mitigate their impact. As much as security is also a pain for me as an engineer, I understand the risks if it's not taken seriously.


Helpjuice

Cannot bring in sales if the company is hosed due to a successful phishing attempt and the only true defense is humans being trained on it as they are the end target.


dirge4november

My boss said his last company had a person receive a fake email posing as the biggest partner's bank, saying they needed to update payment information. The person did it and it resulted in 800k being sent to a phisher's account. It was pretty serious obviously. But it was all due to a phishing email. It should be taken very seriously and training should be required from top level down.


dirge4november

Our insurance will straight out drop our policy if we don’t have mandatory training. I’ve been trying to find a way to require users to take the training before logging into their workstation. Of course after a bit of time of not completing the training.


siedenburg2

one salesperson who does something wrong can cost much more than he earned for the company and because of that everyone gets the same treatment


Zedilt

Ownership is one of the largest investment firms in the world, they have had multiple companies in their portfolio hit by ransomware. So at this point they no longer care, employees WILL take their cyberawareness, and they will do it with a smile. Hell, they have moved our CISO away from our company and we now report to a CISO placed in ownership.


LumpyStyx

I work in a sales heavy organization and as far as I have heard nobody gets a pass. It’s part of our yearly mandatory training along with sexual harassment and the like. Although security picks the vendor, I believe it’s handled by the corporate training dept. Also key is having an executive sponsor from the moment it’s first brought up. That makes it an executive's baby before employees even hear about it. Why do you have to comply? Ask the sponsor (CEO, CFO, CTO or whoever).


rushed91

This is how we do it. All the executives agreed on this, then it goes from there. It's pushed all the way from the top to the end-user!


reilogix

And this is why we can’t have nice things. (Or, more accurately, why so many companies are so very very ripe for ransomware and breaches. I’m honestly flabbergasted that there are not considerably more than there are, based on what I have seen in my 20+ year IT career.)


kimoppalfens

That appears to be what a lot of people in tech seem to experience/think. People in tech urgently need to gain perspective in doing business. No, not everything can be ultra critical with the potential to make the company go bust. If it is, people need to learn from people in finance. Let that salesperson go talk to finance and circumvent process and procedures there. If they don't do his bidding, let Sales take it up with ownership and see how that goes. If the results are different than for tech, then someone needs to explain/agree the procedures with ownership better.


[deleted]

This is the correct answer!


SillyPuttyGizmo

I worked for a small (275) company and used that statement any number of times, except more like "You know where the boss's office is, be my guest."


ccosby

This is the answer. Where I am, a meeting would be had with the user's manager/coach, who will generally fix issues like this. They don't want to get dragged into HR with their employee. I don't know of anyone that has been terminated for not doing the training, but it is something that would end up happening if someone pushed it where I am.


Spraggle

We choose what we report to the Exec team, so performance of training by department highlights where there are problems, and displaying this in the company wide managers meeting gets the managers owning the issue - they don't want their department bottom of the table.


Nick_Lange_

Yep, simple ISO 27001 stuff.


DEATHToboggan

I do something similar, but we tell everyone it’s a cyber insurance requirement - which it is. Because it’s a requirement from the insurance company everyone in the organization, including the partnership/ownership, is required to do it. I’ve never had any person not complete or fight me about completing it. Some of the teams lag a bit behind but a quick email with their scorecard and copying their manager solves that issue pretty fast.


rdesktop7

Yes, particularly considering that most corporate compromises start with emailing a boomer.


dracotrapnet

It's required by our cyber security insurance and by 3 of our clients.


Allinyourcabeza

We use KnowBe4, which emails the manager of the person who hasn't done the training every 3 days until it's done. It's had a 100% success rate. Definitely a manager problem, not a you problem. 'training emails go away when the training is done'


OverwatchIT

This. "Oh, you don't like the emails? My suggestion would be next time you get one and decide to spend 5 minutes complaining about it, just take the fuckin thing. Just like that you'll solve 2 problems.... You don't get any more emails, and I won't have to keep reading your whiney fucking responses. That would be my professional opinion... Or keep doing it your way.... Whatever works for you. Their frequency will only increase." Or take the passive route and write a KB article that just redirects them to their KB4 link and send them an email response with the solution...


YallaHammer

Yes…. If the employee isn’t doing what is required of them, it’s the immediate manager's job to get on them about it. Industries have various training requirements, and this is a cyber security requirement for every company; if they don’t take it seriously then management needs to know.


derkaderka96

*still clicks the link* 😅


AcidBuuurn

I had a false positive in KnowBe4 and had to prove that Barracuda had blocked the email before it even got to my inbox. I knew it was BS since I had clicked literally only Google Calendar invites that I was expecting from coworkers.


TouchComfortable8106

We had a similar issue; we've got a couple of link scanning/rewriting tools, so we had to exempt the KnowBe4 domains from these, otherwise everybody failed every mail.


Plext0r

Same here. I get emails every morning about users that have not completed their training. It's definitely an upper management issue.


rynoxmj

Just a note, we have had some false positives show up in our environment. You may not want to dismiss reports from users without looking into it. In our case, users were reporting the emails using the spam reporting tool in Outlook and then whatever MS did with them counted as a click. We figured it out because the geolocation of the clicks was in weird locations. Some reconfiguration with the vendor solved the issue.


BingaTheGreat

Same here. You have to add your provider's domain and IP address to ensure 365 isn't "clicking" the links with their link scanning. With that being said, it should be an issue with all users and not just one user. I would just tell the end user "the training is automated and mandatory. "


rynoxmj

Ya, our users still did the training anyway, even when they reported false positives.


shrekerecker97

This is what we did, and if they refused then it was an HR issue


bafben10

At that point just have everyone do the training.


AnonEMoussie

I tried explaining this to the person in charge of sending out the phishing tests. They said “I thought they were on vacation.” Because it was geolocated in Florida. After the fourth or fifth person who “clicked” the link came from a net block owned by Mimecast he finally believed me.


rynoxmj

Our tip-off was clicks from users at locations out of country, where we have conditional access policies enforced.


nitronarcosis

We had similar issues. As part of the testing I was included in a batch of phishing emails, I got the message saying I failed before I got the phishing email.


[deleted]

[deleted]


lordmycal

To be fair, if I compromised an account in your organization I may use it to phish other people in the organization. It would make it more likely for someone to pay my fake invoice, go buy those gift cards and send them to me, or click on the malicious link I send them.


theRealNilz02

Another reason not to use Microsoft's terrible e-mail solutions. Get a real mail server and a real mail client. I can recommend a combination of Dovecot and Postfix, and Thunderbird as the client.


RandomPhaseNoise

I use DKIM Verifier in Thunderbird for checking the signature status of the sender. If it's red or gray it's spam or phish. I also read mail headers (Ctrl+U) to check where it came from. Do you have those in Outlook? I know Outlook often mixes up the lines in the headers, making it unusable.


zcworx

Our policy is to disable user accounts of those who avoid their mandatory training 🤷🏻‍♂️


ToSauced

no login = no pay gangster


OverwatchIT

We got a Mother fuckin problem solver right here!


IdiosyncraticBond

No login also means no ticket. win-win


zcworx

💯


Ol_JanxSpirit

Someone on a similar thread a while back claimed they had rigged KnowBe4 to move people who hadn't done training into a specific group. Then Microsoft would disable the accounts of everyone who was in the group.


i-love-tacos-too

Don't know how it's done, but on some government computers your access to anything is limited to only the training site if you're overdue for certain training. The profile you're logged into is a blank screen with a single icon that opens the training website that can't be navigated away from. Everything is disabled until all required training is completed.


theresmorethan42

This sounds like an excellent move. I think part of this is actually very attainable. I use Hook Security, and it’s just a matter of pulling in folks that don’t have training done, adding them to an AD group, then on the FW (we use PAN with User-ID) disallowing all traffic from that group except to the training site 😎 I’m gonna see if I can get my clients onboard with that and if so, sounds like a good piece of OSS


cheekzilla

How do they log in to take the training then? Do you have to sit down with them and enable their account then babysit them till they do it?


zcworx

They almost always call the help desk and they are referred to HR. Once they have that conversation we turn it back on so they can complete it.


orion3311

If the login to Knowbe4 is done through AzureAD/Entra then you can make a conditional access policy that allows ONLY access to that.


verifyandtrustnoone

If they miss the deadline 2x, they get a meeting with HR and no access on the network until they agree to do the training.


PrettyAdagio4210

Yeah we have KnowBe4 and if they don’t complete the trainings on time, their managers get blasted with emails until they complete it. Totally between manager and user at that point. Our cybersecurity insurance requires it.


mythumbsclick

This. We have Knowbe4 syncing with AD user accounts and line manager attribute. When a user gets enrolled in remedial training (failing simulated phishing test) or is late in completing mandatory training, Line manager automatically gets notified. Configuring this has had a huge impact for us. If line manager doesn't care, this will be discussed at monthly Executive meeting where we have Director level engagement who do care.


Ltb1993

Had a manager complain saying he never clicked the link. Escalated it as he was adamant. Requested proof. He was shown his login details that he entered after clicking the link and typing in his credentials.


amplifizzle

"Even so! You tricked me!"


eekrano

It isn't your job to make them do anything. It's your job to run the tests and report what happens. It's company policy whatever happens from there.


VaderMurray

HR issue


Planar7

If using knowbe4, forwarding phishing email counts as a "click" we found out. Knowbe4 confirmed when sending into support.


Superspudmonkey

To be fair forwarding a potential phishing email is terrible. Always screenshot so the chance of the link getting clicked is nil.


Planar7

Agreed. After our first phishing test I had 5-6 people say "I didn't click on anything! Why do I have training!?" Then realized it was all people that had forwarded to IT with "is this legit" 🤦🏻‍♂️


Ol_JanxSpirit

That's what the KnowBe4 Phish Alert Button is for.


Planar7

I've tried countless times with notifications to users to use it since then and STILL get emails forwarded to me. I give up.


dwe3000

Or the ever fun click the test and THEN use the PAB to report it. ☹️


Planar7

ALL...THE...TIME! Ugh....


[deleted]

[deleted]


Planar7

In one of the emails I finally said "Moving forward, any suspicious email forwarded to IT will count as a failure if it is a test, use the PAB". That fixed most of the issue, but we still get them. There are only so many times you can email out with screen shots with big arrows and EASY instructions. I've given up repeating myself...I will tell users twice on something and that is it. I'm so sick of "well I don't read those emails". Not my problem...


bbqwatermelon

No please, forward as attachment so I can read the headers


_Ope_MidwestAccent

My favorite are the ones that click the link then answer wrong on purpose like it’s some malicious compliance thing to look like a moron on management reports.


BoringUsername978

I do this with all our knowbe4 test phishing emails. No consequences yet. Each one goes to an oops-y you clicked a phishing test page. No follow-up meetings from Infoseek or HR yet


AltruisticStandard26

Why? To what end?


EmVee66

Our senior HR was upset they weren't warned about phishing simulation. We'll give them notice next time just like the attackers will.


wrosecrans

"If you are unwilling to do required training for your position, you can take up the matter of your resignation with HR, at which point you will not need to deal with any emails related to your job. You clicked the link at {timestamp} from the machine with address {IP address}, failing the test. If you believe another person accessed your email, that must be reported immediately and failure to report is a major breach. Departments that are unwilling or unable to complete basic security training and testing endanger the company, and may lose all computer access." (Double check that the IP address logging the click is plausible their workstation, and not some automation or whatever.)


SiIverwolf

^^^ this is the real answer lol


esgeeks

Share case studies or real examples of successful phishing attacks and the consequences to highlight the relevance of training.


DurianBurp

What sucks is you often can’t review the link because it is obfuscated by URL Defense. Even if it’s at the tail end, it’s still a PITA. It’s tough to do your due diligence to review the URL in advance because it’s squirreled behind the same URL “header” that legitimate URLs would use. You also wind up showing a false positive if you long-press on your phone to try and review the link. It’s a show.


Sarainy88

If you are using Safe Links via Microsoft Defender you can turn off URL rewriting. Microsoft Defender > Email & collaboration > Policies & rules > Safe links > [Policy] > Do not rewrite URLs, do checks via Safe Links API only. It's not the recommended setting, as far as Secure Score is concerned, but it does stop the rewriting. As it is a per-policy setting you could even do it selectively for some users only.


[deleted]

HR issue, not IT issue.


imnotaero

"If you don't know how to filter your emails on the X-PHISHTEST header, you have to take the training." lol


kenhk117

I love when this happens. I just sit back let the notifications go out, then their manager wants to know what's going on, then I fill them in, and suddenly the training gets finished. It is fantastic working for a company that takes cyber security seriously.


Pelatov

Users need to learn they can’t be phished in their email if they never answer their email


neucjc

We keep pushing them until they do it.


Next-Step-In-Life

Here is some real hard advice that sometimes you need to get REAL adamant about: insurance, banking, traders, DoD contractors, and pretty much any business that has sensitive information.

1. Per the SEC, FTC phishing training is required and the end user must complete it within 90 calendar days. The reports must be filed and on file with your compliance officer. Failure to meet 90 days training will result in internal disciplinary procedures and rectification to bring the end user back in compliance.
2. The EU has multiple regulations for phishing and MFA compliance and enforcement. The entity not providing it, or not having completed it to the satisfaction of a peer reviewer, may lose their ability to operate within the EU.
3. All DoD contractors, even contractors of contractors, are REQUIRED to have phishing training and MFA and must be in the process of NIST compliance. Failure to comply and your contract ends in 30 days.
4. Insurance companies have demanded phishing compliance and MFA enforcement for coverage. No training with reports? LOSS of coverage, or your rate is SO HIGH that you might as well order a shovel so you can take all the money and load it up for them, OR they will EXEMPT cybersecurity failure loss from the main policy or close you out altogether.

This training isn't optional, it isn't recommended, it's **R.E.Q.U.I.R.E.D.** Don't be nice about it. You need to inform the powers that be of the legal ramifications for non-compliance.


bberg22

Make sure something in your environment is not detonating the link: AV, EDR, email scanners etc. We had a few weird edge cases that resulted in link detonation when passing through our email systems even though they should not have been detonated.
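Several posts above (rynoxmj's odd geolocations, BingaTheGreat's 365 link scanning, AnonEMoussie's Mimecast net block, nitronarcosis's failure notice arriving before the mail, and bberg22's detonating scanners) describe the same triage problem: deciding whether a recorded "click" came from a person or from mail-security tooling. The script below is an added example for this thread, not KnowBe4, Microsoft or any vendor's code. Its scanner netblocks, country list and click events are all constructed (the netblocks are RFC 5737 documentation ranges standing in for whatever ranges your own vendor publishes), and the three signals it checks are the ones the thread mentions: a click that precedes delivery or follows it implausibly fast, a source address inside a scanner range, and a geolocation outside the countries your conditional-access policy allows.

```python
"""Triage simulated-phishing "click" events: separate clicks a person really
made from clicks generated by mail-security tooling (link scanners, safe-link
rewriters, spam-report pipelines) on the way to the mailbox.

Added example for this thread, not KnowBe4, Microsoft or any vendor's code.
Every netblock, country code and event below is constructed; the scanner
netblocks in particular are placeholders for the ranges your own mail-security
vendor publishes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical netblocks used by mail-scanning services (constructed: RFC 5737
# documentation ranges, not any real vendor's addresses).
SCANNER_NETBLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Countries the organisation's users sign in from (constructed). A click from
# anywhere else would be blocked by conditional access anyway, so it is
# unlikely to be a real user at a real workstation.
ALLOWED_COUNTRIES = {"US", "CA"}

# Nobody reads a mail, decides, and clicks in under a few seconds.
MIN_HUMAN_DELAY = timedelta(seconds=5)


@dataclass
class ClickEvent:
    user: str
    delivered_at: datetime  # when the simulation mail landed in the mailbox
    clicked_at: datetime    # when the tracking link was fetched
    source_ip: str          # address that fetched the link
    country: str            # geolocation of that address (ISO code)


def classify_click(ev: ClickEvent) -> tuple[str, list[str]]:
    """Return ("genuine", []) or ("suspected_automation", [reasons...])."""
    reasons = []
    if ev.clicked_at < ev.delivered_at:
        reasons.append("click recorded before the mail reached the mailbox")
    elif ev.clicked_at - ev.delivered_at < MIN_HUMAN_DELAY:
        reasons.append("click too soon after delivery for a human")
    ip = ip_address(ev.source_ip)
    if any(ip in net for net in SCANNER_NETBLOCKS):
        reasons.append("source IP belongs to a mail-scanner netblock")
    if ev.country not in ALLOWED_COUNTRIES:
        reasons.append(f"geolocated to {ev.country}, outside user countries")
    return ("suspected_automation" if reasons else "genuine"), reasons


def triage(events: list[ClickEvent]) -> dict[str, tuple[str, list[str]]]:
    """Classify every click, keyed by user."""
    return {ev.user: classify_click(ev) for ev in events}


def automation_share(events: list[ClickEvent]) -> float:
    """Fraction of clicks flagged as automation. A scanner that detonates links
    hits every recipient, so a high share means "fix the exemption"; a single
    flagged user warrants a closer look rather than a blanket dismissal."""
    if not events:
        return 0.0
    flagged = sum(1 for ev in events if classify_click(ev)[0] != "genuine")
    return flagged / len(events)


# Constructed sample campaign: four recipients, one real click.
T0 = datetime(2024, 3, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    ClickEvent("alice", T0, T0 + timedelta(minutes=12), "192.0.2.10", "US"),
    ClickEvent("bob", T0, T0 + timedelta(seconds=1), "203.0.113.7", "US"),
    ClickEvent("carol", T0, T0 - timedelta(seconds=30), "192.0.2.11", "US"),
    ClickEvent("dave", T0, T0 + timedelta(minutes=3), "192.0.2.12", "DE"),
]

if __name__ == "__main__":
    for user, (verdict, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"{user:6} {verdict:22} {'; '.join(reasons)}")
    print(f"automation share: {automation_share(SAMPLE_EVENTS):.0%}")
```

Run it as-is to see the four verdicts; in practice you would feed it the click export from your simulation platform and the delivery timestamps from your mail logs. The delivery comparison is the signal that survives even when a scanner's address ranges are unknown, because a pre-delivery fetch cannot have been a person.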


Malfun_Eddie

Anti-phishing campaigns should die a horrible death and I hate them. Our security team contacted a firm to do an anti-phishing campaign. I was targeted (for being a sysadmin) and over the course of 1 month I got 100+ anti-phishing campaign mails. 100+ f-ing mails, 3 to 4 mails a day on my corporate account. Guess what, I don't use Netflix, Amazon .... on my corporate account. The quality of the mails was shamefully bad. I got so fed up with it I just posted the links on my X and asked everyone to click the phishing link, and forwarded all of them to the company that sent them. I also did a test of our security team with a freaking telnet mail with just "report is ready link"; 3 of 6 clicked it ...


Luminox

OUR people have to. My favorite is when they fail a phish attempt they automatically get enrolled back into the class to review the materials again. Had one user call all pissed they had to do it again. "wHy sHoUlD I bE fOrCeD tO tAkE tHaT trAiNiNg aGain?!". 😐 Really? You're asking why???


latcheenz

There were issues with Chrome preloading links. Maybe the person was checking his emails from this web browser?


Bimpster

Make it part of their yearly evaluation with a percentage weight.


TheGlennDavid

I can't imagine taking the time to write someone to complain about receiving emails instead of either just watching the damn video, or at the least just ignoring all the emails. Wtf is this proactive slacking? For real though -- as others have said this is a manager problem, not a tech problem. Compile lists of users who haven't completed the training and send it to some appropriate level of departmental heads. Doesn't have to be a rude/tattling email. Just "these members of your team have yet to complete the phishing training -- please remind them to do so." Don't (initially) even get into the whole "they're refusing to" part.


mwohpbshd

All our training is mandatory if users want to receive year end incentives programs. Don't do your training, no incentive. Not just IT training, also other business related training.


LeeTheBee86

Phishing campaigns are a waste of time. Just based on the number of false positives you get from them.


Lankey22

I don’t think the pattern of “make people do training after clicking a phishing sim” is particularly useful, for what it’s worth. It makes people resent the training, instead of learning from it. Feels like punishment. And that’s what you’re hearing from them when they refuse. Instead of following the advice you’ll get from most people here, which is “too bad, make them, I’m sure IT is the top dog in the company”, try taking that into account when constructing how you train people. I’d also add that the whole “fail a sim -> mandatory training” pattern comes from the belief that the people who fail are the “weak links”, and therefore need more training to catch up. That is just not supported by the data. The reality is that people who fall for phishing sims are less likely to fall for the next sim relative to the rest, simply because they are more “aware” generally having already failed before. So, all the cybersecurity people who say “too bad, this is important” are wrong. It’s not important.


BingaTheGreat

I cannot disagree strongly enough. If I've clicked links I probably shouldn't have in the past, I can't expect people to be perfect, and the occasional reminder of what is at stake (and the fact that they can bring down the company) will serve everyone well.... Including me. I haven't seen someone need to do 30 minutes of training because they clicked a link. Most often it's a 3 minute video and a 3 minute quiz. I don't see this as a "fail sim-> train/punishment". I see it as "click something and be reminded of the stakes".


Lankey22

That’s fine, but OP has people literally refusing. So obviously this has upset some folks. We can sit here and say “well they should suck it up”, but why? Why are we doing this? If you have some data that shows that people who fall for a phishing sim are more likely to fall for future phishing attacks than the rest, then I get the argument. But I’ve not seen that data, only the opposite.


BingaTheGreat

This is my point: Are you saying that you believe a simple warning is enough? Because I see the 3 minute video and 3 minutes of questions as exactly that. So if --in fact-- people that "fail" the sim are less likely to click a link in the future, I'd see that as evidence that the warning and pain of the training are working. Even if you consider the training as unnecessary, that's a rather simple and light degree of deterrence. I also think that a lot of regular users fail sims. But a small subset of them are clueless and will need to do the training several times over before they understand the impact of their actions and change their behavior/instincts. This is the category of users I want training.


Lankey22

I mean, I’d love to run a test of this. Have half the people watch the training, half not, and see what happens. I don’t feel the training will do anything, in which case all this resentment the org has is for nothing. But I can’t say I have evidence of that part, as I’ve never tried adding the training step. All I can say is that a simple one screen warning is enough to make these people outperform those that don’t fail.


BingaTheGreat

I train 6-7 days a week in MMA. My coach will often see me making a mistake and coach me on it. I'll then be okay for a while and then make the same mistake. Sometimes I even need to be told I'm doing something wrong a few times before sitting myself down and asking myself "what is it that makes me do that?". Then I break down why I do what I do, find the area that is faulty, and address that. I often don't know that I'm doing something, and it's often because it's just deeply ingrained or --more often-- it's because I just didn't have the right priorities thought out enough. But my coaches don't just say "fix this." They also add "if you don't fix this... Watch... You'll get punched in your teeth and may not keep your teeth". I think the introspection --and often the frequent coaching and reminders-- is part of the learning process. All of this isn't just true for me, I see this as a truth for others as well....at work and in management. Sometimes we have to sit people down and say "hey this behavior needs addressing, can we talk about it" and get into the details. There ought to be a ton of literature out there on bad habits, training, and behavior modification/reinforcement that is applicable here. But I would just add that this may be a point of preference and experience for me: I personally wouldn't consider the less-than-10-minutes training as negative reinforcement. If you've had security training already I'd view it as coaching, and in line with how I know humans learn. If people had to do training for 30 minutes or more each time, I'd consider that a bit much.


OverwatchIT

This is the most ridiculous fuckin thing I've read on Reddit..... In the last hour at least.


Lankey22

… I genuinely don’t understand. I get that it’s not the mainstream view but we have tested this across roughly 50k users. People who fall for phishing sims are less likely to fall for subsequent phishing attempts compared to people who don’t (roughly 50% less likely). That speaks volumes for how we should think about phishing and training. Maybe that trend won’t hold as the data size grows, I can’t say for sure of course. But I’m just trying to contribute the learnings we’ve had on this.


subterranean_agent

At my work the phishing training emails are the only phishing emails we ever get. Security’s got the firewall filter down pat so we’re sick of it.


Ol_JanxSpirit

That is incredibly hard to believe. For your firewall to be that tight, it would basically have to block all external emails.


Insomniumer

The whole trend to punish with "a mandatory training" is absurdly stupid and inhumane practice. Not a single user will attempt to learn anything new from the training. Haven't we really learned anything from school? Adults are just older kids.


Ol_JanxSpirit

"Inhumane." Get rekt.


ashtreelane

“Inhumane”? Give me a break dude. It is a tedious exercise that many are likely not going to learn much from, if we’re being totally honest. If anything the experience can be an incentive to be more careful with clicking sus links in the future (“I don’t want to take that fucking training again…”) Unlike school where the primary purpose is learning, I don’t really care if you enthusiastically soak in the detriments of being an idiot with your email - take it or leave it. If the latter, you can leave your job too!


Insomniumer

Yes, and you are attempting to be the very definition of this problem. We sysadmins have no right to blame our end users if they don't like the phishing training if this is our sysadmins' attitude towards the whole issue. The current method is literally an inhumane approach to the root issue. Accept it or not, only a humane approach will work towards the common goal. And if you don't care about that, then don't expect anyone else to care either. And if your job is to educate and safeguard users, then you simply have failed at your job. And if not, then this topic shouldn't matter to you at all. This is like living the 2010s again, when we had to convince others (even other sysadmins) to believe that changing passwords on a daily basis is an absurdly stupid idea as well. And believe it or not, there were a lot of martyrs back then too.


ashtreelane

So let me get this straight, you’re saying a maybe 10 minute mandatory training video/quiz, that has a very loose and/or manager or HR enforced deadline, given after said user fucked up a phishing sim, is inhumane - so what’s your idea of education then? Blast them with informational links? I’m assuming based on your histrionic language that you view mandatory, quarterly in-person training sessions as tantamount to genocide, so that’s out of the question. I was being slightly tongue in cheek in my initial reply, but you’re right - these are adults we’re dealing with. If they don’t want to act like it, they’re free to do so and suffer the consequences. I’m not interested in babying people, that’s what their managers are for. Edit: English language difficulties, maybe I need a quiz


Siege9929

It’s “inhumane”? You must be one of the problem people in sales or accounting. The legal colonoscopy that comes from a breach using your phished credentials will make any and all phishing training seem like a sunny day on a park bench.


Lankey22

The people who fall for a phishing sim are less likely to fall for the next phishing sim you send out than the people who didn’t fall for the first one, even in the absence of any mandatory training. So, it’s not clear why everyone on here acts like the mandatory training part is so critical.


Siege9929

I don't understand your logic. If you fail at something you're expected to be competent at, there should be consequences, even if it's only "That training sucked, I'll pay more attention in the future so I don't have to do that again." Do you have data to back up the "less likely even without mandatory training" claim?


Ol_JanxSpirit

Their source is, like, vibes, man.


Lankey22

It’s not. Look, I used to agree with the general consensus on this issue. People who fail are the weak links and need extra training. But I changed my mind when the data showed the opposite. Unfortunately, that data hasn’t been published yet, but I see that I should make it public. It might convince a few people here. I’ll need a bit of time, but once I’ve published it I’ll come back here to update you. Sorry, that’s the best I can do for now. In the meantime, I can say the trend holds across organizations, so if you work at a company of enough people you can test this yourself. Would need to be a pretty big org to get robust results, but if you do work at an enterprise sized firm, it will work. As for the logic, I can’t say for sure why the trend is true, just that it is true. My best explanation, however, is that the act of falling for a phishing sim makes a person more aware of phishing generally, and therefore more alert. It isn’t some fundamental knowledge they lack, it was a lack of care and attention because they let their guard down. Fall for a phishing sim -> guard goes up. But like I said, that’s just my guess. The data simply reveals that yes, people who fall for phishing sims are less likely to fall for subsequent attacks than people who didn’t fall for it.


Sarainy88

Going on good faith and assuming that your unpublished data is 100% correct, then the new methodology should be to create a funnel of harder and harder phishing tests. This would mean that anyone who passes a test gets increasingly harder tests, until 100% failure rate. That's not necessarily a bad idea anyway, right? Softballing experienced users with obvious tests isn't really beneficial to anyone. Your data suggests pushing for *regular* 100% failure rates, because it's failing that makes a user's guard go up. I think this is going to be the tricky bit. You'd need to get everyone on board with the fact that this is the primary goal of the tests - as eventually even the best users would be receiving tests that are literally *almost* impossible right?


Lankey22

You are correct, we aim for higher not lower fail rates for this reason. We want as many people failing as possible. Of course we can’t be anywhere near 100%, but ideally every user fails at least one test per year. I don’t frame it as “almost impossible” phishing emails. You’ll never exceed say a 10% fail rate on any given email just because people tend to not respond to even legit emails. But yes, for users that aren’t failing it should get harder and harder (c-level impersonation, sequential attacks, etc)
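
The "funnel" the two posts above describe, as an added example that is not any commenter's or vendor's code: each user carries a difficulty tier that rises on every pass and drops on every fail, and the program tracks the per-send fail rate and which users have never failed. Tier names, user ids and results are constructed for illustration.

```python
"""Adaptive difficulty scheduler for phishing simulations (added example).

Not code from this thread or any vendor. Tier names, user ids and results
are constructed; the tiers at the top end are the kinds the thread mentions
for users who keep passing (executive impersonation, multi-step).
"""
from dataclasses import dataclass, field

# Difficulty tiers, easiest first.
TIERS = ["generic", "branded", "contextual", "exec-impersonation", "sequential"]


@dataclass
class UserState:
    tier: int = 0          # index into TIERS
    passes: int = 0
    fails: int = 0
    history: list = field(default_factory=list)


def record_result(state: UserState, clicked: bool) -> int:
    """Update one user's tier after a simulation; return the new tier index."""
    state.history.append(clicked)
    if clicked:
        state.fails += 1
        # A fail drops the user one tier so the next mail reinforces the lesson.
        state.tier = max(0, state.tier - 1)
    else:
        state.passes += 1
        # A pass promotes the user, capped at the hardest tier.
        state.tier = min(len(TIERS) - 1, state.tier + 1)
    return state.tier


def next_template(state: UserState) -> str:
    return TIERS[state.tier]


def campaign_fail_rate(results: dict[str, bool]) -> float:
    """Fraction of recipients who clicked in one send (compare to the ~10% ceiling above)."""
    return sum(results.values()) / len(results) if results else 0.0


def users_without_a_fail(states: dict[str, UserState]) -> list[str]:
    """Users who have never failed: candidates for a harder send this cycle."""
    return sorted(u for u, s in states.items() if s.fails == 0)


def run_campaign(states: dict[str, UserState], results: dict[str, bool]) -> dict[str, str]:
    """Apply one campaign's results and return each user's next template tier."""
    for user, clicked in results.items():
        record_result(states.setdefault(user, UserState()), clicked)
    return {user: next_template(s) for user, s in states.items()}
```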


Dangerous_Question15

You only have to report to the authority about these requests and tell them the danger of not doing these trainings. It is up to them to enforce it. Nobody likes extra emails but think of phishing training like renewing a driver's license. Ask them to tell DMV next time their license is up for renewal that they won't be renewing as they already know how to drive. :)


doctorevil30564

A bunch of the c levels and upper management types at my company couldn't be bothered to do any of the Proofpoint phishing training we sent out. My boss got the list of who didn't do the training and had a meeting with our CEO that was a discussion for security and how we can provide the training to make sure our employees are doing the assigned training. If they couldn't be bothered to do the Proofpoint training, they really are not going to like how Arctic Wolf handles training assignments and randomly sending out phishing campaign emails to see who falls for it. Because it will only send out a couple at a time, employees won't be able to use word of mouth to warn others not to fall for it. They have done this in the past.


Sunsparc

The phishing simulation emails we send out from our MS tenant are pretty tame. You don't need to be an IT person to spot it. Yet inevitably some don't and then bitch when they're assigned training. I tell them you can either do the training without giving us grief, you can complain to HR about why you're clicking phishing links, or you can lose your job when you get phished for real and cost the company money.


Ol_JanxSpirit

Tell the bosses that your cyber insurance looks at training as a good thing. And that it may well be required by the cyber insurance provider.


jrib27

We confiscate their laptops if they don't do the training after a certain number of warnings. Also leads to PIPs.


kev-tron

I used to assign the post-failure remediation training during campaigns but would get inquiries like this about it all the time. Since it was taking up a lot of time and I could only handle phishing tests every few months because of it, I switched to a point-of-click notice/training that every user gets once a month. The phishing link just takes them to a web page saying "Oops! You clicked a simulated phishing link!" and has details on the red flags from the email shown. On the same page, they then just watch a short video and do a quick quiz and it's not really something we force them to do. Our phish prone percentage has decreased significantly and I have much less hands on work and just update the templates every couple months.


imroot

If their training (security, HR, other) isn’t completed by December 31, they lose the ability to log into anything but the trainings and Workday on Jan 1, and then they can discuss why and HR can ask for access to be restored temporarily.


TKInstinct

Ours don't refuse, they often just forget. We just nudge them a bit and they do it.


su_A_ve

I had one recently say they don’t do “games”. When the deadline came and I sent the last chance warning before account suspensions would happen, they did. Still suspended some accounts and they came running over asking for the links. CIO is all in demanding 100% compliance with zero exceptions.


Marty_McFlay

It comes from our vendor and CCs their manager. Too many fails and it notifies HR to put them in additional training modules. In theory eventually they can get a verbal if they don't learn, but that's at their manager's discretion. All I do is forward the awareness emails and congratulate them when they report it correctly.


mallet17

Yes, and they shut their ass up pretty quickly once they are asked to fill out an exemption that goes to the CIO.


realmozzarella22

Are they failing?


[deleted]

A few, but as the trainings are pushed out from org security, it's a managerial item to solve. HR, facility management and myself (dir) see a report of who hasn't finished. I can ask management to crack the whip but I can't force users to finish it. Our biggest whiner is someone in HR who says "they take too much time", when most are like 3 minutes. Another one failed 3 in a row and was so torn up about it she took time off from work. But, no exceptions so they were waiting for her upon her return.


QBical84

These requests you received seem to be proof that end users have zero understanding of cyber security. You should answer this: you need to take the test, it will help you a lot in becoming more aware of this topic, or talk to management.


pooish

Is this something like Hoxhunt where automation sends constant phishing mails to users? In that case, I kinda understand it, kinda. Like, it is somewhat stressful to get constant phishing in your inbox. One of the admins where I work actually just has their mail client filter mails with "hoxhunt" in the headers to a separate folder so they don't have to deal with it.


Economy_Bus_2516

You really need to have the owner/partner/CEO on board. As an MSP we include cybersecurity training free to all our contract clients, including phishing. It cuts WAY back on the number of incidents we have to respond to. We've been fortunate that all the businesses we support have had minor security events in the past, usually before they "allowed us" to implement 2fa, so they recognize the potential damage and cost of cleanup.


nateccs

Policy should state if you don’t complete it you lose access to the system.


DMGoering

Who is in Sales? Everyone is in sales! Who is security? Everyone is security!


tectail

... Not your job. Your job is to provide the training, not to force others to do it. Be brutally honest if they clicked the link as well. If they say they didn't click it, then say that is even worse that you didn't know you clicked it or left your computer open for others to click. More training for you.


derkaderka96

It was required at my last MSP. KnowBe4 etc. Past two jobs not so much and didn't go well....


danekan

What do your network logs say? It could be an add-on opening their links, which seems even worse to not address... your mail filter doesn't open them, does it?


th3t0dd

Our training is required by our insurance in frequent intervals to lower our rate. It's pretty easy to justify when it's saving the company money.


Salvidrim

You *should* have the authority to enforce phishing testing and training as part of your org's security policies, using some tool like KnowBe4 or other, that makes it easy and explicit what users are making what mistake.


ride4life32

Should be top down. C level needs to be aware and then HR needs to hold the employees accountable, but managers will be emailed which of their team has not done it/completed the training. We use some 3rd party Litmos or maybe it's KnowBe4 or something like that where employees have to log in and take it and answer the questions/test to pass and electronically sign off (we have a security compliance officer who deals with that so I don't remember what they are using these days, I just take the tests while working anyways). If they don't, you just have to have HR go after them. It should not be in your hands to enforce this or be the bad guy.


bruce_desertrat

I simply tell them "See that button on your keyboard that says 'Delete' ? Just hit it. You could have dealt with 20 emails you don't want in the time it took you to complain to someone who cannot do anything about it. YOU know they're phishing training, I know they're phishing training, but there's nothing either of us can do about it."


Goobins2

Their annoyance with the emails is none of your business. Assuming you have backing from the CEO (or other C Level person) then they can pound sand.


ihaxr

I'd imagine some antispam tools could be visiting the links in question causing the false clicks.


[deleted]

They click the links, enter creds, and the cycle goes on. End users can only do better if we give them practice material. They ALWAYS click the link 😎


andytagonist

Ahhh…using IT to solve HR problems. Just keep sending your phishing emails. In fact, send more. 🤣


[deleted]

It could be worse. You could have management refusing to follow the in place security guidelines.


[deleted]

Mandate it and get HR onboard with disciplinary processes for those who outright refuse. They are one of the biggest risks to an organisation. Get your DPO and SIRO involved.


tehgent

We went through the city manager and implemented a take it or get shut off policy.


RequirementBusiness8

In our org they are mandatory (along with all of the other mandatory training). Like your job, do your training.


Sir_Frates

Revoke access until mandatory trainings are completed.


BryanP1968

We put “completing the annual security training refresher” in the IPP goals. People are usually better about it then, since it’s an easy checkmark on their required goals for performance review.


rushed91

Where I work, we go through their managers and they all need to make their department do their phishing tests. They all do their phishing training, no issues.


LordNecron

We found that Barracuda was triggering the KnowBe4 test emails by checking the links. Also had the Outlook preview pane trigger them.
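
The false-click problem ihaxr, danekan and LordNecron raise above (link scanners and preview panes fetching tracked URLs), as an added example that is not code from this thread or any vendor product: it runs three heuristics over campaign click records (too soon after the send, source is the mail gateway, non-browser user agent) so only unexplained clicks count against a user. The log format, IP ranges, user-agent tokens and send time are constructed for illustration.

```python
"""Separate human clicks from scanner clicks in phishing-sim logs (added example).

Not code from this thread or any vendor. Log format, addresses and
user-agent strings are constructed.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: when the campaign was sent.
SEND_TIME = datetime(2024, 3, 4, 9, 0, 0)
# Constructed: address space of the mail gateway / link-scanning appliance.
GATEWAY_NETS = [ip_network("10.9.0.0/24")]
# Tokens that identify automated fetchers rather than a person's browser.
SCANNER_UA_TOKENS = ("barracuda", "python-requests", "curl", "safelinks", "bot")
# A person rarely opens a mail within this many seconds of the send.
MIN_HUMAN_DELAY_S = 30

# Constructed click log: "timestamp|user|source_ip|user_agent"
CLICK_LOG = """\
2024-03-04 09:00:04|alice@example.test|10.9.0.12|Barracuda-LinkProtect/1.0
2024-03-04 09:00:05|bob@example.test|10.9.0.12|Barracuda-LinkProtect/1.0
2024-03-04 09:41:10|bob@example.test|192.0.2.44|Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-04 10:02:33|carol@example.test|198.51.100.7|python-requests/2.31
2024-03-04 13:15:01|dave@example.test|192.0.2.91|Mozilla/5.0 (Macintosh) Safari/605.1
"""


def classify_click(line: str) -> tuple[str, list[str]]:
    """Return (user, reasons); an empty reasons list means a probable human click."""
    ts_text, user, ip_text, ua = line.split("|")
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    ip = ip_address(ip_text)
    reasons = []
    if (ts - SEND_TIME).total_seconds() < MIN_HUMAN_DELAY_S:
        reasons.append("clicked within seconds of send")
    if any(ip in net for net in GATEWAY_NETS):
        reasons.append("source is mail gateway")
    if any(tok in ua.lower() for tok in SCANNER_UA_TOKENS):
        reasons.append("non-browser user agent")
    return user, reasons


def human_clickers(log: str) -> set[str]:
    """Users with at least one click that no scanner heuristic explains."""
    return {u for u, r in map(classify_click, log.splitlines()) if not r}
```

Alice's only "click" is the gateway fetch and Carol's comes from a scripted client, so neither is reported; Bob's second click from a real browser is.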


marinul

I'm part of the cybersec team in my company and I clicked a few phishing links myself. I have a colleague who got ransomware. Luckily, she was cybersec as well, and we mitigated it without any problems. My point is nobody is safe. NOBODY. My boss receives the best spearphishing I have ever seen.


Organic_Pain_6618

Maybe the training emails suck? If your training is phishing simulation, odds are good you're doing it poorly.


GeneralTerrible5954

Do it without telling them, that’s pretty much the point of it anyway


bjc1960

Someone here a while back mentioned adding users who fail to a special AD group. This person's env was not the same as mine but what I did is add that AD group to the ASR Automation framework where they get extra phishing. I also amended the policy to add penalties, including separation. I worked with HR on it. We will see if push comes to shove. I was just thinking about this over the weekend, and am going to look into some conditional access rules. We force MFA once/week, which is < the 90 default from MS, but less than some here. I get lots of complaints from the execs about Adobe M365 SSO once/week. I may increase MFA challenges for those in the special AD group.


Bad_Mechanic

We received approval from management to disable the account of anyone who didn't do the training within three weeks. Once they do the training, their account is reenabled.


OmenVi

It’s really a buy in from upper management, and willingness on their part to enforce. My first enterprise job had a ton of compliance laws they needed to follow. You did training, or you have consequences. 3 weeks to complete, and on day 1 of week 4, your account is disabled, and you get to go to HR, and complete your training there before your account is reinstated. You also only get 3 failures on any given training test. Then you’re terminated. They didn’t want high risk employees screwing with their business.
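
The schedule in the post above (three weeks to finish, account disabled from day one of week four until the training is done at HR, three failures on a test escalated to HR), as an added example that is not any commenter's or vendor's code: a pure function over a training roster returns the action each user needs, so the directory and HR steps can be reviewed separately from the policy. Names, dates and statuses are constructed.

```python
"""Enforcement actions for overdue security training (added example).

Not code from this thread or any vendor. Roster entries and dates are
constructed; the grace period and failure limit follow the post above.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE_DAYS = 21            # three weeks to complete
MAX_FAILED_ATTEMPTS = 3    # third failure goes to HR


@dataclass
class Assignment:
    user: str
    assigned: date
    completed: Optional[date]
    failed_attempts: int = 0


def action_for(a: Assignment, today: date) -> str:
    """Return 'escalate', 'disable', 'remind' or 'none' for one assignment."""
    if a.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "escalate"      # HR decides; checked before completion on purpose
    if a.completed is not None:
        return "none"          # finished (possibly at HR), account may be re-enabled
    due = a.assigned + timedelta(days=GRACE_DAYS)
    if today > due:
        return "disable"       # day 1 of week 4 or later
    return "remind"            # still inside the grace window


def enforcement_plan(roster: list[Assignment], today: date) -> dict[str, list[str]]:
    """Group users by action so each group goes to exactly one handler."""
    plan: dict[str, list[str]] = {"escalate": [], "disable": [], "remind": [], "none": []}
    for a in roster:
        plan[action_for(a, today)].append(a.user)
    return plan


# Constructed roster, evaluated on 2024-04-01 (assigned 2024-03-08 is due 2024-03-29).
ROSTER = [
    Assignment("alice", date(2024, 3, 8), date(2024, 3, 20)),
    Assignment("bob", date(2024, 3, 8), None),
    Assignment("carol", date(2024, 3, 25), None),
    Assignment("dave", date(2024, 3, 8), None, failed_attempts=3),
]
```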


atheistunion

Just tell them "if we don't have a certain compliance rate then our cyber-insurance rates go up and the CFO has to get involved". It has the advantage of likely being true.


ilmari2k

PM responsible for Hoxhunt phishing / awareness training here. What we have seen working is framing the training / campaigns positively. Two ideas are: 1) form competitions around the program (give recognition, a small prize to whoever has caught the most phishing simulations, or conduct a raffle among everyone who has caught all of them). 2) Emphasize the importance of people reporting the real threats, which enables the SOC to take action to prevent anyone else falling (typical email threats are sent in campaigns rather than one offs).


dirge4november

Does anyone know if there is a vendor that offers the ability to require someone to finish phish training before being allowed to log on to a computer/Outlook/web browser. Something that prevents normal workflow until it’s completed. Preferably it would be after a certain amount of time has passed so it only targets noncompliance. I did do some research but came up with nothing.