Social Engineering and Phishing on My First Million (MFM)
October 31, 2022
My First Million is a popular business and technology podcast. In a recent episode, Shaan Puri (@ShaanVP) and Steph Smith (@stephsmithio) of a16z discussed social engineering and the phishing simulation market that grew to try to address it.
There were a few interesting takeaways from hearing Shaan and Steph talk about social engineering and hacking.
At Haekka, we live in a small niche that lies within the world of security. The world we live in is security training, which is sometimes referred to as security awareness, human risk, or phishing. This niche is large in dollars but is specialized.
Living in security training, we tend to assume everybody just knows that social engineering is a major problem and is the cause of most security incidents and data breaches. The MFM podcast discussion of social engineering was a good reminder that social engineering is not a problem most people know about or think about every day like we do.
This has ramifications for how we approach security awareness training. At Haekka, we’ve been beating the drum that the current approaches to security awareness are not effective at building a security mindset. Part of having a security mindset is knowing that social engineering is something you’ll have to defend against. It’s knowing that attacks can come at any time and in any form - email, text, social media, voice, etc. This is knowledge most people do not have and knowledge people do not gain from security awareness vendors.
One of the comments on the podcast talked about companies that have created a market by offering ways to test employees using fake emails. These phishing simulations were discussed as cheaper than having an employee fall victim to a real phishing attack. It’s true that phishing simulations are cheaper than being the victim of a large data breach.
But, the primary role of phishing simulation is to assess risk. The infrequent nature of phishing simulations means they are not very effective at preventing social engineering attacks. That is not to say they do not have a role. They are just one aspect of an effective social engineering prevention program and their primary value is in assessing the effectiveness of your overall program.
In the discussion on the podcast, there was no mention of training about passwords, updating devices, or any of the other topics typically covered as part of security awareness training. Phishing, while often bought and sold alongside security awareness, is not something non-security people mentally package together with it.