Is email security training a waste of your time?

Posted by Gemma Sirett on April 29, 2019

Given the volume of high-profile cyber attacks making headlines, it’s little wonder the government is urging organisations to step up their cyber and email security training[1]. But can user training ever hope to keep pace with the constantly evolving threat landscape? And who decided user training was the right solution in the first place?

If users are the ones being tricked, train users and they won’t get tricked. Easy! Except it doesn’t quite work like that. Most users can’t be trained in complex IT processes, simply because they’re not IT experts. So why is so much emphasis still placed on training users to identify sophisticated cyber attacks? Well, attacks such as spear phishing are difficult to prevent technologically, so IT admins fall back on users to solve the problem the technology can’t.

Times have changed for email-based cyber attacks. Email was once mainly a mechanism for delivering malware. Developing systems to detect and block that type of attack was straightforward – the systems were implemented and all was right with the world. That is, until attackers realised they could trick users into doing something they shouldn’t, like paying money into the wrong account, or entering their credentials into a legitimate-looking website. A few defence platforms tried to keep up with this new type of threat, but soon gave up. Email defence behaved like a static firewall: it could enforce fixed rules, but it couldn’t adapt to new threats as they emerged. The technology was no longer sufficient, so users were called on to bolster the defences.

To err is human...

Humans make mistakes, and no amount of training will negate that. What’s more, users can never be trained on all the advanced techniques attackers use to impersonate a legitimate email address, such as Punycode look-alike domains. It’s neither logical nor fair to expect otherwise.

“Relevant training can help users spot phishing emails, but no amount of training can help them spot every email.”[2]

There needs to be a balance – make sure users are informed, while keeping them out of the firing line. Although users will ultimately need to decide whether they are going to treat an email as legitimate or not, IT security should take away the need for them to learn technology and advanced detection techniques. Technical problems should be dealt with by technical people.

Teach users the key ingredients

Instead of teaching users how to identify and tackle each and every cyber threat, focus on areas that will always be applicable, and those that are realistically within their control. To make it effective, train users:

  1. to understand that adversaries can and will contact them directly
  2. to be vigilant and suspicious – if it’s not expected or usual, they should challenge it
  3. how to report suspicious emails
  4. with examples specific to their job, or at least to the sector you work in
  5. from the top down – your C-suite must be seen to lead by example for any cyber security initiative to be taken seriously

“The individuals that were in charge of cyber security day-to-day often suggested that more engagement from board-level staff would help improve cyber security in their organisation. This was, they felt, because board members set the organisational culture, which affected how seriously any policies and processes were taken.”[3]

Replace training with technology

Invest in cyber security solutions that remove the burden of being on the frontline of email security defence, and support you in getting on with your job. You need to be given the opportunity to instantly recognise if an email is potentially not from a legitimate source, or if the content needs further investigation before you do anything. You need to be presented with enough information about an email to make an informed decision as to its legitimacy, without unnecessarily technical training on how to spot malicious emails.
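The Punycode impersonation mentioned earlier is exactly the kind of check that belongs in technology rather than in a training slide: a gateway or mail client can decode the `xn--` labels in the sender domain, show the user what the domain really looks like, and flag labels that mix scripts. This is an added example, not code from the original post; the From headers are constructed samples, `.example` stands in for any real domain, and the `xn--` labels are generated from the Unicode strings at runtime so they are valid Punycode.

```python
import unicodedata
from email.utils import parseaddr

ACE_PREFIX = "xn--"  # RFC 3490 ASCII-compatible-encoding prefix for IDN labels


def decode_label(label: str) -> str:
    """Decode one DNS label from Punycode; plain labels are returned unchanged."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def letter_scripts(text: str) -> set:
    """Script of every letter, taken from the first word of its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def analyse_sender(from_header: str) -> dict:
    """Decode the sender domain and return the facts a mail UI should show the user:
    the human-readable domain, whether it is an IDN, and a plain-language verdict."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    labels = domain.split(".") if domain else []
    decoded_labels = [decode_label(l) for l in labels]
    idn = any(l.startswith(ACE_PREFIX) for l in labels)
    # Judge scripts per label: an ASCII TLD next to a Cyrillic label is normal,
    # Latin and Cyrillic letters inside one label is the classic look-alike.
    mixed = any(len(letter_scripts(l)) > 1 for l in decoded_labels)
    non_latin = any(letter_scripts(l) - {"LATIN"} for l in decoded_labels)
    if idn and mixed:
        verdict = "mixed-script label, likely look-alike"
    elif idn and non_latin:
        verdict = "non-Latin IDN, verify sender out of band"
    elif idn:
        verdict = "Latin IDN (accented letters)"
    else:
        verdict = "plain ASCII domain"
    return {"domain": domain, "display": ".".join(decoded_labels), "idn": idn,
            "scripts": sorted(letter_scripts(".".join(decoded_labels))), "verdict": verdict}


def ace(label: str) -> str:
    """Build an xn-- label from Unicode (used only to construct the samples below)."""
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


# Constructed sample headers, not captured mail.
SAMPLE_HEADERS = [
    "Finance <payments@example.com>",
    f'Apple Support <help@{ace("аррӏе")}.example>',  # all-Cyrillic look-alike of "apple"
    f'PayPal <billing@{ace("pаypal")}.example>',     # Latin letters plus one Cyrillic "а"
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        r = analyse_sender(header)
        print(f'{r["domain"]:34} -> {r["display"]:16} {r["verdict"]}')
```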

Footnotes
  1. ComputerWeekly, ‘Government urges businesses and charities to up cyber security’
  2. National Cyber Security Centre, ‘Phishing attacks: defending your organisation’
  3. Department for Digital, Culture, Media & Sport, ‘Cyber Security Breaches Survey 2019’