DROWNING
IN PHISHING
Phishing Simulation ≠ Security Awareness
IT’S JUST A MATTER OF TIME
In today’s business environment, getting phishing emails is a fact of life.
Though cybercriminals continually seek new and
terrifying methods to gain access to your network,
phishing remains one of their most popular weapons.
55% increase in spear-phishing campaigns targeting employees from 2014 to 2015
-2016 Internet Security Threat Report, Symantec
Why? Because employees keep falling for it.
LIKE PHISH IN A BARREL
The 2016 Verizon Data Breach Investigation Report found that
30% of phishing emails were opened in 2015; up from 23% in 2014.
Why would a cybercriminal try to fight through firewalls and other technical
safeguards when they could just get the login information they need
directly from an unsuspecting user?
Researchers also found that
USERNAMES AND
PASSWORDS
made up 91% of the information
stolen in phishing attacks.
All of this phishing means all kinds of phishing simulation vendors, promising to solve your phishing problem.
PHISHING IN CROWDED WATERS
In simple terms, it works like this: they send simulated phishing email messages to
employees and provide anti-phishing education for those who take the bait.
-Innovative Insight for Anti-Phishing Behavior Management, Gartner
IN 2014, PHISHING VENDORS SAW A 20% GROWTH IN REVENUE AND A 17% GROWTH IN CUSTOMERS
MISSING THE FOREST
The most-touted aspects of these solutions are the reams of data
they provide about employees who have taken the bait:
who clicked where, from what device, at what time, on which
browser, etc., etc.
But focusing too much on the
minutiae of this data means you
miss the forest for the trees.
From our perspective,
it’s easier to drown in phishing
data than it is to profit from it.
Data is wonderful—except when it distracts you from the real
mission, which is to change employee behavior around phishing.
When your phishing tool’s primary use is to identify technical
vulnerabilities or to provide pretty bar charts for executives,
you’re missing out on a real
chance to improve your employees’
cybersecurity awareness.
DROWNING IN DATA
THAT TEACHABLE MOMENT
Now, most phishing vendors acknowledge the
learning side of phishing simulation by offering
training at the point the phishy email is clicked.
The goal is to take advantage
of the so-called “teachable
moment” when an employee
slipped up and fell for the
phishing bait.
But there’s no guarantee that a “teachable moment” is also a “learnable moment.”
This is not to say that offering some form of
training at the “spot of the foul” will never work.
But, hyper-targeted anti-phishing
training alone should not be
considered a saving grace.
Phishing data shows that most “caught” employees quickly close out of the
email and delete it once they realize what happened—effectively voiding that
sought-after “teachable moment.”
Moreover, a chagrined employee who just learned they fell
for a fake phishing attempt is probably not in the best
mindset to learn anything. (Think of how you feel if you’re
caught running a red light by a camera!)
TEACHABLE ≠ LEARNABLE (NOT ALWAYS, AT LEAST)
BUT DON’T TAKE OUR WORD FOR IT
In their 2014 report Innovative Insight for Anti-Phishing Behavior Management, Gartner researchers write:
“Anti-phishing behavior management solutions are
not a tool for initiating cultural change.”
“Assess your organizational culture first,” they continue,
“and deploy anti-phishing as part of a
comprehensive program of security
behavior management and education.”
It’s easy to equate anti-phishing training with security awareness.
Many phishing vendors do this all the time.
If phishing is the most common way in for cybercriminals,
then anti-phishing training should keep you covered, right?
We believe
phishing vulnerability
among your employees may be
just the tip of the iceberg, indicating larger
organizational problems.
Let’s dig a little deeper
with an analogy…
A stuffy nose, headache, and fever can all be treated individually
with various kinds of medications to get relief. But, if you only
treat the symptoms (painkillers for a headache, for example),
you’re not addressing the root of the problem.
In fact, treating just the symptoms may mean it takes longer
for you to address the actual problem – a viral cold.
Most often, taking a more holistic approach to
your cold—plenty of water and rest, while your
immune system does its job—is the best path
toward wellness.
PHISHING AS A SYMPTOM
We think the same concept applies to an
organization whose employees proved
particularly vulnerable to a phishing
simulation.
That symptom signals
a deeper affliction:
a lack of cybersecurity
awareness.
Susceptibility to phishing can
represent a fundamental
misunderstanding of security
best practices organization-wide.
An employee population that falls
prey to phishing is a sure sign
that security best practices are
not widespread.
It’s a symptom that calls for a more comprehensive approach.
As much data as a simulated phishing
campaign will collect, it can’t gather
the full picture of your organization’s
security awareness level.
At MediaPro, we believe a simulated phishing campaign is
a great way to impact employee awareness about
phishing…but it should not stand on its own.
Since any phishing weakness among your employees
is likely a symptom of a larger problem, anti-phishing
training alone won’t provide the cure. It’s likely that
the same employees who click on phishing emails
also have a poor grasp on things like password
security, safe mobile computing practices, and more.
BEYOND THE PHISH
A comprehensive security awareness program will
allow you to identify all of your behavioral risks and
includes regular training and reinforcement that seeks to
change employee behavior and build a risk-aware culture.
Such a culture will help inoculate an
organization against myriad cybersecurity
threats for years to come.
More than 500 of the world’s most risk-aware organizations have trusted MediaPro
to provide comprehensive, expertly-crafted, employee awareness programs based
on proven adult learning principles.
FIND OUT WHY
MediaPro offers all the tools and services you need to run a comprehensive
awareness program: phishing simulation, knowledge assessments, and an extensive
library of varied learning content.
NOW WHAT?
Phishing Simulators Are Not Enough for Security Awareness [MediaPro]