Of course, just as is the case with technology, nothing will make an organization bulletproof. But Hadnagy said good training can dramatically lower the risk. He spoke of one company that hired his team two years ago to test their awareness, and 80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk.
"We went to town educating them, and then in a later test, which we made more difficult, they shut us down," he said. "We got nowhere."
That, he said, shows how effective good training can be. "Statements like, 'There is no patch for human stupidity' are damaging to the belief we can fix this," he said. "It's not about humans being stupid, but about humans being unaware and uneducated, and having no direction on what to do when attacks occur."
5 tips to ward off social engineering
To overcome "clueless worker" syndrome, experts offer the following tips for effective training:
- Security awareness should be a continuous state of mind. Effective training can't be a once-a-year event.
- A check-the-box presentation will be quickly forgotten. Remember, compliance is not security.
- Make it relevant - workers tend to remember something they believe will protect them, at work and at home.
- Make it specific - executives are likely to confront different threats than plant workers.
- Make it real-world. Turn the failure to spot a phishing email or an impersonation into a teachable moment.