AST-0167823 PhishLabs Security Awareness Training Buyers Guide 2016


WHITE PAPER

Security Awareness Training


Buyers Guide
Sharpening your organization's human defenses against phishing threats.

www.phishlabs.com

Contents
The Need for Security Awareness Training
Critical Elements of a Security Awareness Training Program
Solution Options
Defining Success

Security Awareness Training Buyers Guide

The Need for Security Awareness Training


To paraphrase an old saying, a wall is only as strong as its weakest point. When it comes to system and data security, people are often that point.


Firewalls, anti-spam appliances and other technical countermeasures are essential components of any security program. Yet the best technologies block, perhaps, 99%* of all spam and phish. They'll never be 100% effective, because reaching that point would block too many legitimate communications. Considering that an average 5,000-person company receives about 276,500* spam emails a day, the best filters still let 2,765 pieces of spam through daily. Of that, on average, 1.5%*, or 41 per day, are phish. People are the last line of defense to prevent unblocked attacks from clearing a path to your systems and data. To serve that role effectively, employees must be aware of and highly sensitive to threats and ever vigilant in defending against them.
Employees are attackers' top targets. And they're usually considered the top security risk, typically clicking on 20%* of phish. But a security awareness training (SAT) program can convert employees from a vulnerability to an asset by greatly increasing their awareness of threats, increasing their vigilance and conditioning them to report suspicious emails to the appropriate security teams, who can then investigate and roll out defenses against new attacks.
After reading this buyers guide you will understand:
- The pros and cons of different approaches to SAT.
- The key areas every SAT program should address.
- What to look for in an SAT program.
- How to measure success of an SAT program.

If an organization has 5,000 employees, it receives roughly 276,500 spam emails a day. Advanced email protection tools block 99% of spam emails*, which means that 2,765 spam emails still bypass those tools each day. On average 1.5% of them are phish, which works out to 41 phish each day. That's roughly 1,200 phishing emails successfully delivered to the company every month, or over 14,400 phishing emails landing in employee inboxes each year. One in five users click on links in phishing emails*, so for a company of 5,000 that's 2,880 clicks on phishing emails each year. If every click led to a compromise, that's 240 infected computers each month, or, worse, about eight opportunities for a data breach every single day.

PhishLabs. All Rights Reserved.


Critical Elements of a Security Awareness Training Program


Various components are essential to the success of a security awareness training program, including the following:

The Team: Clearly defined roles and responsibilities, along with management updates at specific intervals, are essential for success. Further, the team must have the authority (and backbone) to conduct ongoing phishing simulation testing that will not always be well received by employees.

Training Plan: A clearly written training plan provides the framework for the overall program and allows for controlled, measured adjustments as the need arises. The plan should be customized for your organization using a combination of the latest threat trends, knowledge of industry-specific threats and company-specific factors.

Assessments: A baseline assessment provides a high-level evaluation of your organization's overall security awareness and serves as a basis to measure the success of the training program. An assessment of the entire organization, rather than a subset of employees, provides a true snapshot of your organization's susceptibility to phishing attacks.


Phishing and Social Engineering Simulations: A library of the latest attack simulations based on real-world threat activity against your organization or its industry is essential. It allows your program to be relevant to your organization, but it must be continuously updated to reflect emerging threats.

Training: To ensure effectiveness, training should be focused on teachable moments, particularly when users fail a simulated phishing attack. To keep employees engaged, the training should fit within normal attention spans and provide a selection of engaging short videos, infographics and other content.

Continuous Progress Measurement: Measuring progress is arguably the most crucial part of any security awareness program. To ensure detailed insight into the strengths and weaknesses of your organization's overall security, track the progress of specific business units, departments or other organizational units to allow for the quick identification of problem areas and micro-trends. Also measure performance based on attack types and levels of sophistication. Not all attacks are the same. Measuring performance against simulated attacks that don't reflect reality won't show an accurate picture of performance improvement.



Languages: A security awareness training program must condition the entire organization. Thus, in multilingual organizations the program should provide attack simulations and training in all employees' languages.


Continuously Current: Threats continuously change and evolve. Keeping an SAT program up-to-date is crucial for its success. There are numerous resources that can help you to stay abreast of the latest attacks, including media outlets and industry associations. However, the most important resources are security teams that deal with specific attacks targeting your organization daily.

Easy to Administer: The amount of administration involved will depend on the size and complexity of your organization as well as your approach to implementing and managing the program. The administrative workload can significantly impact the success of the program and should be a top consideration when choosing a solution.

Flexible: Adjusting an SAT program based on simulation testing results and external threat factors allows it to maintain relevancy and effectiveness. As employees are tested, specific groups or individuals may require special attention. Further, as new threat vectors arise, a flexible program needs to adapt to continue to protect the organization.


Solution Options
Broadly speaking, SAT solutions come in three flavors:

- Internal. Create, execute and manage it yourself using only internal resources (manpower & technology).
- Self-Serve. Purchase SAT tool(s) from a vendor, but use internal personnel to manage and maintain the solution.
- Fully Managed. Use an external vendor to provide the SAT tool(s) and fully manage the training and testing program.

The following discussion examines each of these options.

Internal
Supporting security awareness training using only internal resources is possible, but you have to ask, "Why would you want to?" Supporting an SAT program falls outside of the core mission of most organizations. In addition, the budget required for dedicated staff to plan, create, manage, monitor and support the program, including not just providing training, but also developing the necessary tools and creating, running and measuring relevant, real-world attack simulations, is often much higher than the cost of a self-serve or fully managed option.
PROS:
- Ability to shape the program to be very specific to the organization
- Total control of every aspect of the program
CONS:
- Lacks insight into real-time, real-world threats emerging in the wild
- Difficult to maintain relevancy and effectiveness
- Requires significant time and effort from dedicated internal resources
- SAT is not one of the organization's core competencies
- Total cost of ownership of a comprehensive program can be very high
- Over time, commitment often wanes, eventually falling below the minimum required level

[Figure: comparison of the Internal, Self-Serve and Fully Managed options on ease of implementation, ease of management and flexibility of solution]

Self-Serve
In a self-serve model, the organization purchases a tool or tools for the implementation and on-going management of the program. The tool(s) provide the majority of the capabilities needed to conduct assessments, create and launch phishing simulation campaigns, assign training, monitor results and more. This can improve the quality of the overall program compared to a fully internal approach, but it still requires significant internal resources to manage the program.
PROS:
- Can provide a robust set of tools to launch and manage a program
- Provides a selection of simulations and training, allowing you to customize (somewhat) the program to specific needs or security weaknesses
CONS:
- Still requires significant time and effort from internal resources
- Training and simulations will likely still be somewhat generic and not fully tailored to the organization's needs
- Likely won't make full use of real-time insights into threats emerging in the wild
- Subject matter expertise must be kept up-to-date, despite the topics not being core to the organization's mission
- Over time, commitment often wanes, eventually falling below the minimum required level

Fully Managed
A fully managed service requires little to no hands-on activity by your organization and typically requires no onsite hardware, software or other service tools beyond those supplied by the vendor. Service reports, analytics and other relevant information customized for your organization are provided at regular intervals to allow for needed adjustments and to ensure the program is optimized. The scope of the solution will vary depending on the vendor, but superior outcomes can be achieved if the vendor uses its industry-specific and operational security experience to tailor the solution to your organization's exact needs.
PROS:
- Enables a comprehensive security awareness training program using the industry's latest best practices
- Leverages experience and expertise gained serving a variety of companies
- Takes advantage of the vendor's broad, real-time experience of ongoing attacks across your industry, including emerging threat vectors
- Draws on a wealth of pre-existing operational security experience
- Provides a cost-effective, turnkey solution that can be deployed quickly
- Delivers focused subject matter expertise
CONS:
- Dependence on an external team


Defining Success


Some success measurements may be subjective, but, at the most basic level, a successful security awareness training program should enhance overall security awareness and improve employee vigilance in a measurable way. Since success may mean different things to different organizations, it's simpler to explain what a successful program looks like in terms of overarching common characteristics. At a minimum, you should consider security awareness training to be successful only if all of the following are true:

- Click rates on simulated phish decline significantly from the baseline measurement.
- Employees are suspicious of all emails arriving in their inbox.
- Employees are vigilant, reporting suspicious emails/activity to the appropriate security personnel.
- Vigilance remains high over time.
- Your security awareness training program is fully integrated into your overall security program, allowing for quick adjustments to simulations and training based on the real-world threats targeting the organization.
- Metrics are closely monitored and communicated and adjustments are made as needed.
- The ROI of the program can be clearly articulated to management.
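The per-unit and per-sophistication tracking described under Continuous Progress Measurement, and the success criteria above that depend on it (click rates falling from the baseline, reporting behaviour, metrics watched per group), come down to a small amount of bookkeeping over simulation results. The Python below is an added illustration written for this page, not PhishLabs' tooling or report format; the SimResult record layout, the sample campaign data and the thresholds in problem_areas are constructed assumptions.

```python
"""Segment phishing-simulation results per organizational unit and per lure
sophistication, and measure each against a baseline campaign.

Added example for this page: the SimResult layout, the sample data and the
thresholds are constructed assumptions, not a vendor's schema."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one simulated phish (constructed schema)."""
    campaign: str    # "baseline" or a later campaign name
    unit: str        # business unit / department
    difficulty: str  # lure sophistication: "low", "medium" or "high"
    clicked: bool    # followed the link or opened the attachment
    reported: bool   # reported the message to the security team


def rates(results, key):
    """Return {group: (click_rate, report_rate, n)} grouped by key(result).

    Rates are fractions of the group's n; a group with no results never
    appears, so there is no division by zero."""
    counts = defaultdict(lambda: [0, 0, 0])  # clicks, reports, total
    for r in results:
        c = counts[key(r)]
        c[0] += r.clicked
        c[1] += r.reported
        c[2] += 1
    return {g: (clicks / n, reports / n, n) for g, (clicks, reports, n) in counts.items()}


def progress(results, baseline, current, key):
    """Per group, compare the `current` campaign's rates with the `baseline`.

    click_change is the relative decline in click rate (positive means
    improvement).  Groups missing from either campaign are skipped: there is
    nothing to compare them against."""
    base = rates([r for r in results if r.campaign == baseline], key)
    curr = rates([r for r in results if r.campaign == current], key)
    report = {}
    for g in base.keys() & curr.keys():
        b_click, b_report, _ = base[g]
        c_click, c_report, n = curr[g]
        report[g] = {
            "baseline_click": b_click,
            "current_click": c_click,
            "click_change": (b_click - c_click) / b_click if b_click else 0.0,
            "baseline_report": b_report,
            "current_report": c_report,
            "n": n,
        }
    return report


def problem_areas(report, min_decline=0.5, max_click=0.10):
    """Groups needing special attention: click rate still above max_click, or
    a decline from baseline smaller than min_decline (thresholds assumed)."""
    return sorted(g for g, m in report.items()
                  if m["current_click"] > max_click or m["click_change"] < min_decline)


def _batch(campaign, unit, difficulty, n, clicks, reports):
    """Constructed sample: n employees, the first `clicks` of whom clicked and
    the first `reports` of whom reported (someone can do both)."""
    return [SimResult(campaign, unit, difficulty, i < clicks, i < reports) for i in range(n)]


# Constructed campaign data: a baseline of easy lures, then a quarter with
# medium lures for everyone plus a harder lure sent to part of finance.
SAMPLE = (
    _batch("baseline", "finance", "low", 20, clicks=6, reports=2)
    + _batch("baseline", "engineering", "low", 20, clicks=4, reports=5)
    + _batch("q2", "finance", "medium", 20, clicks=4, reports=5)
    + _batch("q2", "engineering", "medium", 20, clicks=1, reports=10)
    + _batch("q2", "finance", "high", 10, clicks=3, reports=2)
)


def summary(results=SAMPLE, baseline="baseline", current="q2"):
    """Return (progress by unit, current rates by difficulty, units needing attention)."""
    by_unit = progress(results, baseline, current, key=lambda r: r.unit)
    by_difficulty = rates([r for r in results if r.campaign == current],
                          key=lambda r: r.difficulty)
    return by_unit, by_difficulty, problem_areas(by_unit)


if __name__ == "__main__":
    by_unit, by_difficulty, problems = summary()
    for unit, m in sorted(by_unit.items()):
        print(f"{unit:12s} click {m['baseline_click']:.0%} -> {m['current_click']:.0%} "
              f"({m['click_change']:+.0%}), report {m['baseline_report']:.0%} -> "
              f"{m['current_report']:.0%}")
    for diff, (click, report, n) in sorted(by_difficulty.items()):
        print(f"{diff:12s} click {click:.0%}, report {report:.0%} (n={n})")
    print("needs attention:", problems)
```

Grouping by difficulty separately from grouping by unit is the guide's own point: a unit whose click rate "improved" only because the later campaign used easier lures has not improved, so compare like with like before a decline is reported to management. In the constructed data, engineering's click rate falls by three quarters while finance, which also received the harder lure, stays above the assumed 10% threshold and is flagged.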

SAT CHECKLIST
When selecting an SAT program choose one that:
- Doesn't overtax your internal resources.
- Is built and delivered by a team that has comprehensive training and operational security experience.
- Is or can be tailored to reflect specific threats faced in your industry and by the job functions in your organization.
- Can be updated to incorporate new threats.
- Draws on real-time, broad-based, operational insight into current and emerging threats.
- Facilitates realistic phishing attack simulations.
- Provides engaging training that holds interest while explaining and reinforcing the necessary defenses.
- Focuses on delivering training during teachable moments.
- Allows easy, fast reporting of new phish directly from email clients.
- Conditions employees to report suspicious emails.
- Filters out reports of simulated test phish to reduce the security team workload.
- Provides easy-to-use reporting with an adequate level of granularity.
- Ensures continuing commitment to security and the SAT program.
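Two checklist items, fast reporting from the email client and filtering reports of simulated test phish out of the security team's queue, meet at the triage step. The Python below is an added example for this page, not PhishLabs' reporting tooling; the X-Sim-Token header, the shared key and the three sample messages are constructed assumptions. It shows the check a practitioner wants here: the filter should recognise only messages the simulation platform actually sent, so the marker is a keyed MAC that a real attacker cannot reproduce by copying the header name or the sender domain, and anything that fails verification goes to the analysts rather than being dropped.

```python
"""Triage user-reported emails: simulated test phish count toward training
metrics, everything else goes to the SOC queue with its indicators pulled out.

Added example for this page, not a vendor's tooling.  The X-Sim-Token header,
the shared key and the sample messages below are constructed assumptions."""
import hashlib
import hmac
import re
from email import message_from_string
from email.message import Message

SIM_HEADER = "X-Sim-Token"                          # assumed header name
SIM_KEY = b"example-key-shared-with-sim-platform"   # constructed; load from a secret store in practice
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sim_token(campaign: str, message_id: str, key: bytes = SIM_KEY) -> str:
    """Marker the simulation platform stamps on each test phish:
    '<campaign>:<HMAC-SHA256(campaign|Message-ID)>'.  Binding the MAC to the
    Message-ID stops a captured token from being reused on another message."""
    mac = hmac.new(key, f"{campaign}|{message_id}".encode(), hashlib.sha256).hexdigest()
    return f"{campaign}:{mac}"


def is_simulation(msg: Message, key: bytes = SIM_KEY) -> bool:
    """True only when the token verifies.  A copied header name with a wrong
    MAC, or a token lifted from another message, fails closed to 'real'."""
    token = msg.get(SIM_HEADER, "")
    if ":" not in token:
        return False
    campaign = token.split(":", 1)[0]
    expected = sim_token(campaign, msg.get("Message-ID", ""), key)
    return hmac.compare_digest(token.encode(), expected.encode())


def _text_body(msg: Message) -> str:
    """Concatenate the text/plain parts (walk() yields a single-part message itself)."""
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def triage(raw: str) -> dict:
    """Route one reported message and return what the receiving queue needs:
    the campaign name for the metrics, or sender, subject and URLs for the analyst."""
    msg = message_from_string(raw)
    if is_simulation(msg):
        return {"queue": "training-metrics", "campaign": msg[SIM_HEADER].split(":", 1)[0]}
    return {
        "queue": "soc",
        "from": msg.get("From", ""),
        "subject": msg.get("Subject", ""),
        "urls": URL_RE.findall(_text_body(msg)),
    }


def _raw(headers: dict, body: str) -> str:
    """Assemble a minimal RFC 5322 message (constructed sample input)."""
    return "".join(f"{k}: {v}\n" for k, v in headers.items()) + "\n" + body


# Constructed sample reports: one genuine simulation, one real phish, and one
# real phish whose sender copied the marker header but cannot produce the MAC.
SIM_ID = "<sim-1@sim.example>"
SIM_MSG = _raw({"From": "Accounts <billing@sim.example>", "To": "jdoe@corp.example",
                "Subject": "Invoice overdue", "Message-ID": SIM_ID,
                SIM_HEADER: sim_token("q2-invoice", SIM_ID)},
               "Please review http://billing.sim.example/inv/1 today.\n")
REAL_MSG = _raw({"From": "IT Helpdesk <helpdesk@example-payroll.test>", "To": "jdoe@corp.example",
                 "Subject": "Password expiring", "Message-ID": "<a1@example-payroll.test>"},
                "Reset now: http://example-payroll.test/reset?u=jdoe\n")
FORGED_MSG = _raw({"From": "Accounts <billing@sim.example>", "To": "jdoe@corp.example",
                   "Subject": "Invoice overdue", "Message-ID": "<b2@attacker.test>",
                   SIM_HEADER: "q2-invoice:" + "0" * 64},
                  "Update your bank details at http://attacker.test/pay\n")

if __name__ == "__main__":
    for name, raw in (("simulation", SIM_MSG), ("real", REAL_MSG), ("forged", FORGED_MSG)):
        print(name, "->", triage(raw))
```

The forged message is the case the checklist item can quietly get wrong: a filter keyed on the header name or on the simulation sender's domain would discard a real phish that an attacker dressed up as a test, which is exactly the report the security team needed. Verifying a keyed MAC bound to the Message-ID makes the filter recognise only messages the simulation platform signed; the vendor's own marker format, if it has one, is not described on this page.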


Sources
The Radicati Group, Inc., Email Statistics Report, 2015-2019 (2015).
Symantec, Monthly Threat Report: https://www.symantec.com/security_response/publications/monthlythreatreport.jsp
Kaspersky Lab, Spam Statistics Report, Q1 2014: https://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q12014#VstRv5wrKUk
McAfee, Email Protection data sheet: http://www.mcafee.com/us/resources/data-sheets/ds-email-protection.pdf
Christina, V.; Karpagavalli, S.; and Suganya, G. "A Study on Email Spam Filtering Techniques." International Journal of Computer Applications (IJCA) 12.1 (2010): 7-9.
Asterisked figures in the text are drawn from these sources.


PhishLabs is the leading provider of 24/7 cybersecurity services that protect against threats that
exploit people. The company is trusted by top organizations worldwide, including 4 of the 5 largest
U.S. financial institutions. PhishLabs combines proprietary technology, intelligence, and human
expertise to rapidly detect, analyze, and stop targeted cyberattacks before they impact organizations.
Additionally, the company provides robust threat intelligence that strengthens existing cyber defenses
and optimizes threat prevention. Leading organizations partner with PhishLabs to more effectively
disrupt targeted cyberattacks, prevent data breaches, and reduce online fraud.
www.phishlabs.com | [email protected] | +1.877.227.0790

2016 Copyright Ecrime Management Strategies, Inc. All rights reserved. PhishLabs and the PhishLabs logo are trademarks or
registered trademarks of Ecrime Management Strategies, Inc. in the United States and in other countries. All other trademarks
referenced are the property of their respective owners.
