What’s Next for Phishing Awareness Training Providers?
Advanced Phishing Threat Protection with IRONSCALES
In our previous blog post we wrote about the ongoing consolidation of the phishing awareness training subsector of the cybersecurity industry, which is being driven by an increasing demand for comprehensive email protections to combat today’s sophisticated social engineering campaigns and advanced persistent threats (APTs). In the two weeks since, more evidence of consolidation has emerged, as phishing awareness training veteran PhishMe announced its acquisition by several private equity firms at a valuation of $400 million, subsequently rebranding to position the technology as a more holistic email security solution.
What some critics of our position fail to understand is that we are not advocating for the complete elimination of security awareness training programs or technologies for employees. To the contrary, I have written about the benefits of phishing awareness training, but with the context of such education being only a very small piece of the larger email protection puzzle. For platforms like IRONSCALES, human interaction is invaluable because it helps machines to continuously learn and thus identify patterns and threats more efficiently. But phishing awareness training alone - for many reasons - will never be a sufficient solution to email security and phishing mitigation, and solutions providers know it. Thus, the consolidation of the phishing awareness training market has begun.
What’s Next for Phishing Awareness Training Providers?
CISOs, the C-Suite and company Boards are increasingly demanding more holistic email security protections to prevent, detect and remediate complex spear-phishing, APT’s, business email compromise (BEC) and ransomware that can deceive even the most cyber-aware personnel.
Furthermore, in speaking about the oversaturation of incomplete cybersecurity solutions, Katherine Teitler writes in MIS Training Institute that,“an overabundance of individual tools in an IT environment comes with its own set of challenges, and security teams, already short staffed and overworked, are looking for ways to lessen the burden on personnel. Chasing down hundreds of thousands of alerts—including false positives—that result from the organization’s toolset is not a method of creating greater efficiency (however important it may be).”
Such a mandate for security teams has already begun to set an ultimatum to legacy phishing awareness training providers, essentially forcing them to make important evaluations about their services or risk the tribulations of maintaining the status quo.
Here are the three most likely scenarios for phishing awareness training company consolidation in the coming months:
M&A with Secure Email Gateway (SEGs) and other security vendors -SEG providers also find themselves in a precarious position as today’s phishing attacks, in particularly the proliferation of BEC and ransomware, can easily bypass signature-based and server-level safeguards. Akin to the Proofpoint acquisition of Wombat security, look for other SEGs to try and enhance their offerings with phishing awareness training features as a means to expand their market share, enhance capabilities for existing customers and to differentiate from competitors. Even with such M&A activity, however, many SEGs will continue to fail as holistic email security solutions as they are too reliant on rules and signatures to detect attacks, and do nothing to address automatic remediation when time is of the essence.
Automatic Integrations with SEG Technology -One of the primary pitfalls of phishing awareness training is that it only addresses detection, while remaining incapable of “talking to” other technologies. In other words, phishing awareness training offers no options for employees to begin prevention or remediation once a malicious email is identified. Instead, employees are limited to reporting threats to SOC teams, which typically have a backlog of suspicious messages that could take days, weeks or months to address. To extend their businesses’ validity, look for some of the more prominent phishing awareness training companies to develop or acquire automation and orchestration capabilities and other actionable security measures that make their products more attractive as comprehensive solutions.
The pond becomes too crowded -Phishing awareness training companies that fail to adapt through either M&A or integration partnerships are destined to diminish. There is simply a rapidly vanishing appetite for point solutions that make vague claims about risk reduction, while the facts reveal that phishing attacks are as successful as ever despite millions having been invested in phishing education. Most enterprises will continue to mandate phishing awareness training for employees, but such education will come from a few big players within each market vertical and as part of a broader email security strategy and not through a point solution that demands hours of module training after module training with marginal ROI at best.
Advanced Phishing Threat Protection with IRONSCALESIRONSCALES is the first and only phishing threat protection platform complete suite of anti-phishing modules to solve each of the major phishing problems of today’s threat landscape. Our modules provide security at the mailbox-level, which enables our platform to detect malicious messages that many SEGs cannot see. Our phishing awareness training module, IronSchool, is hyper-personalized and gamified to maximize retention among employees who have more on their minds than acting as the first line of phishing defenders. Most importantly, IronSchool constantly talks to our entire suite of machine-learning anti-phishing modules, helping our machines get smarter about attacks, faster.
See how our platform stacks up against the competition here: https://ironscales.com/compare-email-gateway-solutions/