The recent cyberattacks involving Uber, Okta, and Twitter have affirmed cybersecurity experts' worst fears: Phishing remains disturbingly effective and leaves lasting damage when combined with social engineering.
A study conducted by the Swiss public university ETH Zurich found that phishing simulations, a security training method that many companies rely on, are often ineffective. The findings suggest that employees who are prone to clicking on potentially malicious links often do so repeatedly, and that even those who know better eventually experience lapses in judgment if they are exposed to enough phishing messages over time.
However, the mode of training delivery matters immensely. Data from Hoxhunt, an enterprise security awareness training platform with a distinctive approach to phishing education, reports that global fail rates fell from a baseline of 14% to 2% following use of the platform. This means that the average Hoxhunt user is 86% less likely to click on malicious links after just a few dozen simulations and microlearning lessons.
"Awareness training can help reduce human error and promote cross-collaboration between security teams and other organizational departments," notes Hoxhunt CEO and cofounder Mika Aalto in a recent op-ed. "However, these legacy security awareness programs are no longer effective, as evidenced by the fact that the human element continues to feature heavily in most breaches."
Hoxhunt prioritizes email-based training, since inboxes are where most phishing attacks originate. Instead of burdening every employee with a standard set of cybersecurity lessons, Hoxhunt adapts to the user instead.
The platform customizes learning paths based on an employee's past interactions, experience and skills, avoiding the one-size-fits-all approach some simulation-based training platforms use.
"Because most attacks start with people, security and risk management strategy must as well. Install the training, processes, and technologies necessary for catching the sophisticated attacks that technical perimeters will always miss, no matter how much money is poured into them," Aalto adds.
"Automation, adaptive learning, and artificial intelligence/machine learning can help deliver personalized training at scale. Why is that important? Because people need to participate frequently with relevant training that stays at the edge of their skill level in order to improve and stay engaged."
The people-first model is also apparent in Hoxhunt's approach to delivering lessons. Microlearning, or delivering lessons in easily digestible chunks, is the norm. This delivery method has significant advantages. For one, training is less likely to interrupt a user's daily tasks, removing a significant barrier to engagement and reinforcing the need to always stay alert to suspicious messages.
Secondly, microlearning gives Hoxhunt a steady stream of learning feedback through user data. The result is more precise customization and a learning experience that adapts to the user more effectively. Organizations can thus map their employees' security skills better, revealing any gaps quickly before they become an issue.
"Incorporating gamification can transform employee mindsets and result in the detection and resolution of the most sophisticated attacks," says Aalto. "It puts users in the mind of real attackers and leads to a better understanding of how to detect the most malicious attacks. In practice, it also results in an increased volume of employees reporting suspicious activity to security teams, rather than simply deleting or ignoring it."
Hoxhunt's platform removes the sense of intimidation that everyday employees commonly associate with cybersecurity. The ETH Zurich study highlighted that most simulation-based platforms fail because employees find phishing identification intimidating, given the potential negative impact of a mistake and the technical know-how attackers display.
As a result, employees rely on company-issued warnings in emails to help them identify potential phishes, negating any progress their training platform might have delivered. Hoxhunt's gamified approach builds confidence in a safe yet competitive environment.
The platform delivers realistic training scenarios combined with instant feedback. In this environment, users gain confidence through the rewards on offer, spurring them to boost their skills and change their behavior when faced with a real threat.
A common headache for security trainers at enterprises is ensuring their programs reach employees at the right frequency and at the right time. Achieving these goals is challenging and often leads to significant operational costs, something that might not receive executive buy-in.
Hoxhunt's platform helps companies to automate training and focus on high-level data that reveals gaps in security awareness. The microlearning approach ensures training frequency is high, giving employees a steady stream of lessons and confidence in tackling potential breaches.
Another side-effect of automation and rewards is greater behavioral change and knowledge retention. "When training is positive, employees become more eager to participate in developing their skills and reporting threats. Feedback and recognition are important factors within this," says Aalto.
"Achieving noticeable behavioral changes takes time, effort and dedication. Challenging the notion that people are the weakest link in organizations and adopting behavioral change platforms will create a strong human detection engine, one of the most impactful ways to lower organizational risk."
Thanks to the way Hoxhunt uses automation for positive reinforcement, security departments can define changes to their training programs and rest assured in the knowledge that Hoxhunt's platform will continuously deliver lessons. Instead of focusing on delivering training, security teams can focus on identifying trends.
The result of this value addition is immense. Organizations can quickly redesign their training approach to reflect current times, something critical given the ever-increasing complexity of attack methods.
"Phishing attack templates and malware have also gotten alarmingly good recently. From the millions of email threats my company has analyzed, we're seeing more and more spoofs that are nearly indistinguishable from the real thing," Aalto writes. "No matter how tight your technical filters are, malicious emails will always slip through. At that point, all that's standing between attackers and your crown jewels are the good email habits fueling your human firewall."
Thanks to Hoxhunt's people-first, gamified, and automated approach, security training is no longer the challenging task it once was. As simulation-based training continues to evolve, Hoxhunt is leading the way and redefining what security education looks like.