Many current cybersecurity training programs aren’t truly effective and don’t necessarily reduce the risk of employees falling for phishing scams, according to a Sept. 17 report from University of California at San Diego researchers.
Certain training appears to be ineffective because most employees don’t engage with the embedded material, the researchers found. About 75% of employees engaged for a minute or less, and a third closed the training page without engaging with materials.
“This does lend some suggestion that these trainings, in their current form, are not effective,” said Ariana Mirian, one of the study authors who conducted the research as a PhD student in computer science and now works as a senior security researcher at Censys.
As part of the study, the research team evaluated the effectiveness of two different types of cybersecurity training during an eight-month, randomized controlled experiment. They deployed 10 different phishing email campaigns among more than 19,500 employees at UC San Diego Health.
Overall, the researchers found no significant differences in the likelihood of falling for phishing emails between employees without training and those who had recently completed an annual, mandated cybersecurity training.
In addition, they found little difference in failure rates for employees who completed embedded training, which shares anti-phishing information after someone engages with a phishing email. In fact, embedded phishing training only reduced the likelihood of an employee clicking on a phishing link by 2%.
As time went on, employees were also more likely to fall for phishing emails. During the first month of the study, only 10% clicked a phishing link, but by the eighth month, more than half had clicked on at least one link.
“Researchers were trying to understand which of these types of training are most effective,” the UC San Diego report said. “It turns out, as currently administered, that none of them are.”
Certain types of phishing emails also increased the likelihood of clicks. For instance, only 1.8% of employees clicked on a phishing link to update their Outlook password, while 30.8% clicked on a link that falsely claimed to be an update to UC San Diego Health’s vacation policy.
In response, the researchers suggested that organizations refocus their efforts to combat phishing on technical countermeasures. In particular, they recommended two-factor authentication for hardware and applications, as well as password managers that only work on correct domains.
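The second countermeasure works because a password manager keys each saved credential to the site's origin (scheme, host and port) and refuses to fill it anywhere else, so a lookalike domain in a phishing email never receives the real password no matter how convincing the page looks. The following is an added illustration of that origin check, not code from the study or from any password manager; the vault entry, hostnames and credential values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed vault for illustration only; the host and credential are placeholders,
# not a real site or account.
VAULT = {
    "https://login.example-health.test": {"username": "jdoe", "password": "<placeholder>"},
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the normalized (scheme, host, port) origin of a URL.

    Only the real destination counts; link text, path and query are ignored,
    which is exactly why a lure whose visible text names the genuine site
    but whose href points elsewhere does not match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def credentials_for(page_url, vault=VAULT):
    """Return the saved credential only when the page origin exactly matches a vault entry.

    Exact-origin matching means that subdomain tricks
    (login.example-health.test.attacker.test), hyphen or homograph lookalikes
    (login-example-health.test) and plain-HTTP downgrades all get nothing.
    """
    page_origin = origin_of(page_url)
    if page_origin[0] != "https":
        # Never fill a password over a cleartext or unknown scheme.
        return None
    for saved_url, cred in vault.items():
        if origin_of(saved_url) == page_origin:
            return cred
    return None


def autofill_decisions(urls, vault=VAULT):
    """Map each candidate page URL to True (would fill) or False (would refuse)."""
    return {url: credentials_for(url, vault) is not None for url in urls}


if __name__ == "__main__":
    # Constructed sample links: the first is the genuine login page, the rest are
    # the kinds of lookalikes a phishing lure typically points at.
    samples = [
        "https://login.example-health.test/auth?next=/vacation-policy",
        "https://LOGIN.Example-Health.test:443/",
        "https://login.example-health.test.attacker.test/",
        "https://login-example-health.test/",
        "http://login.example-health.test/",
    ]
    for url, filled in autofill_decisions(samples).items():
        print(f"{'FILL  ' if filled else 'REFUSE'} {url}")
```

The check is deliberately strict: anything short of the exact saved origin is refused, so a user who is fooled by the vacation-policy lure has nothing to hand over unless they retype the password by hand, which is the moment the manager's silence should act as the warning the training was supposed to provide.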
HR plays a critical role in both preventing cybersecurity attacks and responding when one happens, experts told HR Dive. HR often helps run anti-phishing training, meaning the efficacy of that training may lie partly in HR’s domain.
CHROs, in particular, can take a more active role in digital security, especially as more HR functions incorporate automation and artificial intelligence tools, according to a Gartner report. Gartner identified four steps HR leaders can take to ensure data protection and build trust in their HR systems, such as establishing third-party risk management and strengthening a culture of security.