惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News | PayPal Newsroom
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News: Ask HN
Hacker News: Ask HN
H
Hacker News: Front Page
Apple Machine Learning Research
Apple Machine Learning Research
TaoSecurity Blog
TaoSecurity Blog
Help Net Security
Help Net Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
V2EX
Hugging Face - Blog
Hugging Face - Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
人人都是产品经理
人人都是产品经理
博客园 - 三生石上(FineUI控件)
Security Latest
Security Latest
Cloudbric
Cloudbric
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
L
LangChain Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
The GitHub Blog
The GitHub Blog
P
Proofpoint News Feed
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
M
MIT News - Artificial intelligence
Google DeepMind News
Google DeepMind News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Cloudflare Blog
小众软件
小众软件
NISL@THU
NISL@THU
云风的 BLOG
云风的 BLOG
P
Privacy & Cybersecurity Law Blog
S
Security @ Cisco Blogs
博客园 - 【当耐特】
I
InfoQ
Vercel News
Vercel News
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Proofpoint News Feed
O
OpenAI News
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
K
Kaspersky official blog
T
Threat Research - Cisco Blogs
量子位
宝玉的分享
宝玉的分享

Discover

Five billion-dollar companies in two months... the past and the future Shadow AI agents – when the problem isn’t human Cyber Insurance for Small Business: When Getting Hacked Stops Everything Anthropic Mythos: The model, the myth and the mundane​ Your developers work for cyber gangs The four shifts reshaping Microsoft 365 security and resilience FIIG Fined: Federal Court orders $2.5M penalty for cyber security failures Australian Organisations Must Manage Supplier Risk to Strengthen Cyber Defence How Omri Hurwitz Became Cybersecurity’s Most Dominant PR Firm How to Remove Personal Info From the Internet? Australia’s New Boardroom Baseline: 5 New ASD and AICD Security Priorities Heidi Cuthbert - Chief Executive Grafa Marco Delgado - 365mesh continues to lead the AI space by pioneering cutting-edge technologies that redefine what’s possible across industries.
Your staff will click: why cyber security must be engineered, not trained
Tim Redhead, dotSec · 2026-03-17 · via Discover

Phishing click rates in Australia have grown 140 per cent in 12 months. Training alone will not fix the problem. The answer lies in engineering controls that make the click irrelevant.

Your staff will click: why cyber security must be engineered, not trained

Every organisation with a compliance obligation has invested in cyber security awareness training. Quarterly modules, lunchroom posters, simulated phishing campaigns. The logic is straightforward: teach people to spot the threat, and they will not click.

The data tells a different story. According to the Netskope Threat Labs Report for Australia (August 2025), the rate of Australian workers clicking on phishing links grew by 140 per cent in the preceding 12 months, from 0.5 per cent to 1.2 per cent of all users per month. In a firm of 200 staff, that translates to roughly two successful compromises every month. The Verizon 2024 Data Breach Investigations Report puts the median time from opening a phishing email to entering credentials at under 60 seconds: 21 seconds to click, 28 seconds to hand over the keys.

For practitioners advising regulated entities, those numbers should prompt a direct question: if training is the primary control, and click rates are rising, what is going wrong?

The phishing quality problem

It’s become a cliché: AI has materially changed the economics of phishing. And to some extent it’s true, but it’s not the whole story. A 2024 study by Heiding et al. at the Harvard Kennedy School found that fully AI-automated spear phishing emails achieved a 54 per cent click-through rate, compared with 12 per cent for traditional human-written templates. The AI-generated messages were grammatically correct, contextually tailored, and raised fewer of the red flags that awareness training teaches people to look for. The implication is that the observable cues training programmes rely on, broken grammar, suspicious sender addresses, generic greetings, are disappearing from the threat landscape.

But here is the uncomfortable part: As we can see just from the two screen shots in this article, organisations do not need to face AI-crafted attacks to be compromised. In practice, users still click on emails with broken grammar, mismatched sender fields, and credential harvesting pages hosted on obviously suspicious domains. The problem is not solely one of sophistication. It is one of volume, fatigue, and the basic psychology of how people process information under time pressure.

Why training cannot solve the problem alone

Modern employees process hundreds of signals per day across email, messaging platforms, and collaboration tools. Cognitive economy, the brain’s tendency to conserve effort by relying on heuristics rather than deliberate analysis, means that when an email triggers urgency or authority (“Action Required: Overdue Invoice”, “HR: Salary Update”), the emotional response overrides the analytical one. The amygdala fires before the frontal cortex catches up.

Training can improve awareness. It cannot reprogram human neurology. A car manufacturer does not train drivers never to crash; it installs airbags. The same principle applies here.

The cloud does not solve this

A common objection is that cloud-hosted environments shift this risk to the provider. This misunderstands the shared responsibility model. SaaS providers guarantee infrastructure availability within defined limits. They do not guarantee that a compromised account will not be used to encrypt files, exfiltrate data, or delete backups. Industry data indicates that the average downtime following a ransomware attack is now 24 days, much of it attributable to the practical difficulty of restoring large volumes of data through cloud APIs.

Engineering the controls that training cannot provide

If users will click, and the evidence says they will, then the question for boards and compliance teams is whether the environment is engineered to contain the consequences.

Two controls are particularly relevant. Secure web gateways inspect and filter all outbound traffic in real time, blocking connections to newly registered domains, known phishing infrastructure, and pages hosting credential harvesting kits. When a user clicks a malicious link, they see a block page rather than a login form. The mistake is contained before it causes harm.

Phishing-resistant authentication, using FIDO2 security keys or Windows Hello for Business, addresses the scenario where a gateway misses the threat and the user reaches a fake login page. These technologies bind the authentication response to the domain the user is actually visiting. If the user is on a spoofed site, the cryptographic handshake fails. There is no password transmitted over the wire, and no session token for an attacker to capture, even if the user actively cooperates with the phishing page.

Of course, logging and monitoring, and incident detection, containment and response are also key, but we’ve written volumes about those controls in the past, so we won’t dwell on that further here.

The regulatory dimension

Many of the controls ASIC itemised in the FIIG proceedings (things like MFA, patch management, vulnerability scanning, tested incident response plans, continuous security event monitoring) are the kinds of controls that will reduce the risks associated with a successful phishing attack.

ASIC’s 2026 key issues outlook lists cyber security and operational resilience as explicit enforcement priorities. For APRA-regulated entities, CPS 230 adds a further layer of obligation. The direction of travel is clear: there is an increasing need to be able to present evidence of implemented, maintained, and monitored controls, not just policies and training records.

The practical question

The question is not whether staff will click. They will. The question is whether, when they do, the environment is engineered so that the click does not matter. For any organisation holding sensitive client data, the ability to answer that question with documented evidence is rapidly becoming a baseline regulatory expectation.


Written by: Tim Redhead

Tim Redhead is the founder of dotSec, an Australian cyber security consultancy that has been helping organisations to prioritise, implement, manage and monitor cyber security controls for over 25 years. Further information and recommendation regarding phishing risk is available at dotsec.com.