FROM THE DESK OF JAMIE LEWIS

Let's start with a hard truth. Your security awareness training is a pacifier. It makes you feel like you're doing something. It places the burden of defending the kingdom squarely on the shoulders of the clerk, the accountant, and the intern. Meanwhile, the castle walls are made of paper, and the drawbridge has a sign that says, *"Please verify your identity by shouting your mother's maiden name."*

We have collectively agreed on a convenient lie. The lie is that social engineering is a "human problem." This lie lets vendors sell more training modules. It lets executives blame "employee error" after a breach. And it lets system designers off the hook.


The real, pervasive, and existential threat isn't the smooth-talking hacker. It's the morass of flawed, brittle, and user-hostile system design that you've built your entire operation on. You are trusting it with your future.


Why Does Phishing Actually Work?

Conventional wisdom says: *the employee wasn't paying attention. They didn't check the sender's address. They got greedy. They were scared.* This is victim-blaming masquerading as strategy.

The real reason phishing works is that email was designed to deliver messages, not to prove who sent them. The From header is free text, the sender authentication that exists (SPF, DKIM, DMARC) was bolted on decades later and remains optional, and the business processes downstream of the inbox treat a delivered message as if it had been verified.


The Anatomy of High-Level Failures

Look at the roughly $100 million that Google and Facebook paid out to a business email compromise scam, in which a fraudster impersonating a real hardware supplier sent forged invoices and payment instructions. These are two of the most technologically sophisticated companies on the planet. Their employees are among the most aware.


Did they fail because of a lack of training? Absolutely not. They failed because their *accounts payable process* had a flaw. Paying an invoice and updating where a vendor gets paid could be triggered by a request that arrived by email, and nothing in the workflow required confirmation through a channel the attacker did not control. The human approved the request, and the system executed it without a second, out-of-band, hardened verification. The design failed.

Consider the RSA breach. The entry point was an Excel attachment titled "2011 Recruitment Plan." The flaw wasn't that an employee opened a recruitment email—that's their job. The flaw was that opening a spreadsheet could run an embedded Flash object, which exploited a then-unpatched Flash vulnerability (CVE-2011-0609) and gave the attacker code execution on the workstation. No patch schedule stops a zero-day; what failed was the design: a plugin that had no business being reachable from a document, mail filtering that let the attachment through, and a workstation with nothing to contain the payload once it ran.


The Doggy Door Strategy

We build digital fortresses with complex firewalls and then install a human-sized doggy door right next to the main gate, secured by a latch that asks, *"What's your pet's name?"* The social engineer doesn't hack the firewall; they crawl through the door. And we blame the dog for not barking loud enough.


The Crucial Shift: Systems First

Stop viewing your employees as the last line of defense. Start viewing them as the first users of a system. When they fail, it is overwhelmingly a system design failure. A well-designed system accounts for human nature—curiosity, haste, trust, and stress. It builds guardrails around them.


What does real solution design look like?

1. Eliminate Single Points of Failure: Move beyond "something you know" to mandatory, phishing-resistant multi-factor authentication (FIDO2/WebAuthn security keys or platform authenticators, which bind the credential to the legitimate origin so a lookalike login page gets nothing usable). Design processes where a single email cannot change payment instructions: a change to vendor bank details should require confirmation through a contact of record that the requester did not supply, and sign-off by a second person.

2. Least Privilege by Default: The accountant receiving a phishing email should not have system-level rights to install software. Permissions must be granular, explicit, and designed to contain breaches.


3. Build Systems that Assume Breach: Stop hardening the perimeter while leaving the interior soft. Assume the "doggy door" will be used and design the internal environment to neutralize the threat the moment it enters.
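Here is what "a single email cannot change payment instructions" looks like when it is enforced by the workflow rather than by the clerk's vigilance. This is an added, illustrative model written for this article, not code from any real accounts payable product; the vendor record, phone numbers, IBANs and user names are constructed. Three gates are encoded: the callback must go to the phone number already on file (never one quoted in the request), the approver must be a different person from the requester and the verifier, and the only code path that writes payment data refuses anything that has not passed both gates. Rejected attempts are logged, on the assumption that the mailbox or the clerk's account may already be compromised.

```python
"""Out-of-band verification for vendor bank-detail changes (illustrative model)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class State(Enum):
    SUBMITTED = auto()   # request received, typically by email: untrusted
    VERIFIED = auto()    # confirmed with the vendor via a contact on file
    APPROVED = auto()    # independent second person signed off
    APPLIED = auto()


class ControlViolation(Exception):
    """A step would let a single channel or a single person change payment data."""


@dataclass
class Vendor:
    vendor_id: str
    iban: str
    callback_phone: str   # contact of record from onboarding, never taken from an email


@dataclass
class ChangeRequest:
    vendor_id: str
    new_iban: str
    requested_by: str            # AP clerk who keyed the request
    source: str                  # e.g. "email": recorded for the audit trail, never trusted
    state: State = State.SUBMITTED
    verified_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit: list = field(default_factory=list)


class VendorMaster:
    def __init__(self, vendors: list[Vendor]) -> None:
        self._vendors = {v.vendor_id: v for v in vendors}

    @staticmethod
    def _reject(req: ChangeRequest, reason: str) -> None:
        req.audit.append(f"REJECTED: {reason}")   # assume breach: failed attempts are evidence
        raise ControlViolation(reason)

    def submit(self, vendor_id: str, new_iban: str, requested_by: str, source: str) -> ChangeRequest:
        if vendor_id not in self._vendors:
            raise KeyError(vendor_id)
        req = ChangeRequest(vendor_id, new_iban, requested_by, source)
        req.audit.append(f"submitted by {requested_by} via {source}")
        return req

    def verify_out_of_band(self, req: ChangeRequest, verified_by: str, phone_dialled: str) -> None:
        # A number quoted in the requesting email is attacker-controlled; only the number
        # on file counts as an independent channel.
        if phone_dialled != self._vendors[req.vendor_id].callback_phone:
            self._reject(req, "callback must use the phone number on file")
        if req.state is not State.SUBMITTED:
            self._reject(req, f"cannot verify from state {req.state.name}")
        req.verified_by = verified_by
        req.state = State.VERIFIED
        req.audit.append(f"verified by {verified_by} calling {phone_dialled}")

    def approve(self, req: ChangeRequest, approver: str) -> None:
        # Separation of duties: neither the requester nor the verifier may approve.
        if req.state is not State.VERIFIED:
            self._reject(req, "approval requires prior out-of-band verification")
        if approver in (req.requested_by, req.verified_by):
            self._reject(req, "approver must differ from requester and verifier")
        req.approved_by = approver
        req.state = State.APPROVED
        req.audit.append(f"approved by {approver}")

    def apply(self, req: ChangeRequest) -> Vendor:
        # The only path that writes payment data; every gate above must have passed.
        if req.state is not State.APPROVED:
            self._reject(req, "only approved requests change the master file")
        vendor = self._vendors[req.vendor_id]
        vendor.iban = req.new_iban
        req.state = State.APPLIED
        req.audit.append("applied")
        return vendor

    def iban_of(self, vendor_id: str) -> str:
        return self._vendors[vendor_id].iban


def demo() -> dict:
    """Push a forged-email change request through the control and report what happened."""
    master = VendorMaster([Vendor("V-100", "DE89370400440532013000", "+49-30-0000-0001")])  # constructed
    results: dict = {}
    # The forged email asks for payment to a new account and helpfully lists a "new" phone number.
    req = master.submit("V-100", "LT601010012345678901", requested_by="clerk", source="email")
    try:
        master.apply(req)                                   # email alone must not change anything
    except ControlViolation:
        results["email_alone_applied"] = False
    try:
        master.verify_out_of_band(req, "clerk", "+370-5-000-0002")   # number taken from the email
    except ControlViolation:
        results["callback_to_email_number"] = False
    master.verify_out_of_band(req, "clerk", "+49-30-0000-0001")      # number on file
    try:
        master.approve(req, "clerk")                        # requester cannot approve own request
    except ControlViolation:
        results["self_approval"] = False
    master.approve(req, "ap_manager")
    master.apply(req)
    results["final_iban"] = master.iban_of("V-100")
    results["audit_len"] = len(req.audit)
    results["rejections"] = sum(1 for line in req.audit if line.startswith("REJECTED"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the checks live. The clerk in `demo()` does everything the phishing email asks, including dialling the number the attacker supplied, and the master file still does not change until an independent channel and an independent person have been involved. If the real vendor does change banks, the same path works and leaves a complete trail.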

Honesty gets you audited. Obfuscation gets you paid. Design keeps you alive.