Training needs engineering, not hope

New analysis bluntly argues 'your staff will click'—so schools should engineer security controls (least privilege, device‑bound MFA, segmentation) and pair them with short, scenario‑based microlearning rather than rely on annual training alone. The takeaway: tighten controls first, then use just‑in‑time training to reinforce reporting and response behavior. (cyberdaily.au)

Tim Redhead of dotSec wrote the analysis for Cyber Daily on 17 March 2026, arguing for engineering-first controls over sole reliance on awareness modules. (cyberdaily.au) Netskope Threat Labs measured a monthly phishing click rate rise from 0.5% to 1.2% (121 clicks per 10,000 users), a 140% increase year‑on‑year, which the analysis flagged as the data point driving its recommendations. (netskope.com)

Verizon’s 2024 DBIR found that the median victim clicks a phishing link 21 seconds after opening an email and enters credentials 28 seconds later. The report also states that 68% of breaches involve a non‑malicious human element. (verizon.com 1) (verizon.com 2)

Australian and regulatory guidance cited by the piece treats MFA as foundational: APRA lists multi‑factor authentication among core mitigation strategies and requires at least two authentication elements for effectiveness. (apra.gov.au) Microsoft’s Essential Eight guidance specifically prescribes restricting administrative privileges and using dedicated privileged accounts to limit lateral movement. (learn.microsoft.com)

The article pairs that engineering prescription with evidence that training alone is brittle: a large eight‑month study across ~19,500 employees found little reduction in phishing failures after standard awareness programmes, motivating the call for short, scenario‑based microlearning to reinforce behaviors. (cybernews.com) (keepnetlabs.com)

Practical controls highlighted for constrained IT teams include enforcing least privilege by removing standing local admin rights and adopting just‑in‑time elevation, plus device‑bound MFA and network segmentation to contain compromised endpoints. These tactics are mirrored by endpoint guidance and least‑privilege playbooks published by Keeper and others. (keepersecurity.com) (netskope.com)
