Phishing Simulations vs Secure Email Gateways

Are you wondering whether you should invest in phishing simulation and security awareness training or a secure email gateway? It’s a valid question to ask and they both perform key functions.

Take for example, in each day an employee may have 20 phishing emails sent to them… If a secure email gateway blocked 19 of those emails but one got through, would your average employee be able to spot the phish? Let’s take the inverse… If that same employee received 20 phishing emails but they underwent regular phishing simulation and security awareness trainings, would they be resilient enough to spot 20 all phishing emails? It’s a difficult question to answer so let’s take a deeper look into the function each solution fulfills.

What is a Secure Email Gateway?

A Secure Email Gateway is an appliance that monitors inbound and outbound emails at the perimeter of an organisation. They typically flag any unwanted or malicious emails and either block or quarantine emails deemed as having a low reputation.

What is Phishing Simulation?

Phishing Simulation is exactly what it sounds like. It’s when an organisation attempts to phish it’s own employees, however instead of performing a malicious action when an employee falls for a phish, they instead attempt to educate that employee on how to detect phishing emails in the future.

This is where Security Awareness Training comes into the equation. The best time to train an employee is directly after they’ve fallen for a phish as that’s when they’re most open to learn. This learning is best delivered as a 60-90 education video with explainer artifacts and a quiz if necessary.

If you can only get one, which should you choose?

Fortunately, modern collaboration platforms such as Gmail and Exchange Online (Office 365) come with in-built spam and malware filtering functionality. In fact, Exchange Online Protection is an industry leader when it comes to spam and malware filtering and these capabilities come at no additional cost. Procurement of an additional Secure Email Gateway capability such as those provided by Proofpoint, Mimecast, Sophos, Trellix and so on are typically done on a case-by-case basis for large businesses where specific requirements need to be met.

When we consider that a baseline level of protection is already present, the need for an additional capability overtop is typically diluted. If we go back to the example provided at the beginning of this blog, where a Secure Email Gateway would block 19 out of 20 phishing emails, what if we consider that 18 of those emails would’ve already been blocked by the native protection capabilities provided by your collaboration platform. We’re then in a position where it’s a case of a user receiving 1 or 2 phishing emails a day.

With this position in mind, we then have to go back to the resiliency of your average employee. Would you feel safer with employees who receive 1 phishing email a day but aren’t trained on how to spot a phish or an employee who receives 2 phishing emails a day but know how to spot the phish. When we’re left with numbers like these, the need and benefits of phishing simulations and security awareness training becomes much more evident.

Wrapping up

CanIPhish are a world leader in conducting phishing simulation and security awareness trainings. In fact we take great pride in our modernised approach to conducting these activities. You don’t need to interact with sales people, don’t need a trial and don’t need a credit card. You can simply sign-up through our self-service platform and upgrade or downgrade your monthly or annual subscription as you see fit.

If this is something you’re after, please sign-up for an account to get started. Otherwise, if you have any questions, please feel free to contact the team at CanIPhish.