Barracuda Networks, following its acquisition of PhishLine, wants to encourage companies to take a more positive approach to cybersecurity training, helping users better recognize spear-phishing attempts and other social-engineering attacks that trick them into giving up their credentials.
A series of Barracuda PhishLine Levelized Programs is designed as an alternative to the widely used click-rate metric, which tracks cyber-resiliency by counting how many times employees click on a URL or download a piece of content they shouldn't. Dennis Dillman, COO for the PhishLine business unit of Barracuda, said that while the click-rate metric is still appropriate in some cases, more sophisticated organizations want to move to a user training model based on rewards, akin to gamification.
The Barracuda PhishLine Levelized Programs make use of incentives that recognize employees who successfully resist the simulated social-engineering attacks PhishLine crafts to test their overall cybersecurity awareness, said Dillman. This multimetric approach focuses on education as users work their way through a series of levels, rather than trying to entrap users and then punish them for being wrong.
Each user can be tracked, enabling cybersecurity professionals to apply rules aimed at improving that user's resiliency based on which social-engineering attacks they do and don't recognize, Dillman said. That approach better reflects how adults learn in corporate settings, while setting up a much less adversarial relationship between users and IT security teams.
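To make the difference between the two metrics concrete, here is an added example (not PhishLine's code, and not its actual scoring rules) that computes the classic organization-wide click rate and a per-user, multi-metric levelized report over the same simulation results. The event schema, the point values, the streak bonus, the level thresholds and the follow-up rule are all assumptions chosen to illustrate the approach: points only accumulate, reporting a simulated phish earns more than merely ignoring it, and two unsafe actions in a row flag a user for targeted training instead of a penalty. The sample events are constructed.

```python
"""Click rate versus a per-user, multi-metric 'levelized' score over
phishing-simulation results.

Added example, not PhishLine's code or scoring rules: the event schema,
point values, level thresholds and follow-up rule are assumptions chosen
to illustrate the approach described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    """One simulated phish delivered to one user (assumed schema)."""
    campaign: int   # simulations numbered in delivery order
    user: str
    outcome: str    # "reported" | "ignored" | "clicked" | "submitted"


UNSAFE = {"clicked", "submitted"}          # the actions a click rate counts
POINTS = {"reported": 3, "ignored": 1, "clicked": 0, "submitted": 0}
STREAK_LEN, STREAK_BONUS = 3, 2            # bonus for 3 safe outcomes in a row
LEVEL_THRESHOLDS = (0, 4, 9, 15)           # points needed for level 1..4

# Constructed sample data: three users, four campaigns each.
SAMPLE_EVENTS = [
    SimEvent(1, "alice", "reported"), SimEvent(1, "bob", "clicked"), SimEvent(1, "carol", "submitted"),
    SimEvent(2, "alice", "reported"), SimEvent(2, "bob", "ignored"), SimEvent(2, "carol", "clicked"),
    SimEvent(3, "alice", "ignored"),  SimEvent(3, "bob", "ignored"), SimEvent(3, "carol", "reported"),
    SimEvent(4, "alice", "reported"), SimEvent(4, "bob", "clicked"), SimEvent(4, "carol", "ignored"),
]


def click_rate(events):
    """Classic metric: fraction of delivered simulations that drew an unsafe action."""
    if not events:
        return 0.0
    return sum(e.outcome in UNSAFE for e in events) / len(events)


def level_for(score):
    """Highest level whose threshold the cumulative score has reached."""
    return max(i for i, t in enumerate(LEVEL_THRESHOLDS, start=1) if score >= t)


def levelized_report(events):
    """Per-user score, level, report rate and follow-up flag (assumed rules).

    Points never decrease, so a bad week cannot demote a user; reporting is
    worth more than ignoring; STREAK_LEN safe outcomes in a row earn a bonus;
    two unsafe outcomes in a row flag the user for targeted training.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    report = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.campaign)
        score, streak, prev_unsafe, follow_up, reported = 0, 0, False, False, 0
        for e in evs:
            unsafe = e.outcome in UNSAFE
            score += POINTS[e.outcome]
            reported += e.outcome == "reported"
            if unsafe:
                follow_up |= prev_unsafe   # second unsafe action in a row
                streak = 0
            else:
                streak += 1
                if streak == STREAK_LEN:
                    score += STREAK_BONUS
                    streak = 0
            prev_unsafe = unsafe
        report[user] = {
            "score": score,
            "level": level_for(score),
            "report_rate": reported / len(evs),
            "needs_follow_up": follow_up,
        }
    return report


if __name__ == "__main__":
    print(f"org click rate: {click_rate(SAMPLE_EVENTS):.0%}")
    for user, r in sorted(levelized_report(SAMPLE_EVENTS).items()):
        print(user, r)
```

On the sample data the click rate alone says "33% of simulations failed" and nothing else, while the levelized report shows that one user is reporting consistently and climbing levels, one is safe but passive (never reports), and one needs follow-up training despite improving in the later campaigns. That per-user view is what lets a security team apply different rules to different users instead of a single organization-wide scold.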
Dillman said Barracuda doesn't expect every organization to embrace Barracuda Levelized Programs. Many may be perfectly content using the existing click-rate metrics that the PhishLine platform already supports. But at a time when many organizations are concluding that the user is the last line of cybersecurity defense, more dollars than ever are being poured into user training. Because cybercriminals have routinely been able to trick users into downloading malware, the return on investments made in network security at the edge is called into question: many ransomware attacks begin with a user opening content loaded with malware, which then encrypts data and moves laterally across the organization.
Naturally, there will always be some users who get fooled. But the number of successful attempts to distribute malware through social engineering can be reduced by increased user vigilance. In the meantime, IT organizations are getting better at detecting and containing malware at the endpoint, and at recovering data that has been encrypted.
Cybersecurity clearly needs to be a collaborative effort to succeed. Users should be encouraged and rewarded for identifying and reporting social-engineering attacks. That information is critical to IT security teams trying to block known senders of malware from reaching the corporate network in the first place. But most users are just going to keep their heads down and hope for the best unless encouraged otherwise. Treated right, users can quickly become an indispensable element of any cybersecurity defense strategy.