"By 2024, 25% of midsize enterprises will adopt security awareness training as a managed service, up from less than 5% today.” The analyst firm recommends that organizations should “evaluate security awareness training as a managed service if there is a gap in security awareness expertise on staff, or if other budgetary, financial or program-driven constraints exist.”
-Gartner, Market Guide for Security Awareness Computer-Based Training, Brian Reed, Richard Addiscott, Claude Mandy, 27 July 2020
When it comes to cybersecurity awareness, there’s a familiar expression: “People are your weakest link.”
Usually, it’s said by companies offering security awareness training who want to point the finger at others rather than actually evaluate how effective their own programs are at preparing employees to practice good cyber hygiene and protect against social engineering attacks like phishing.
An old-school expression applies in this case. “If you’re pointing a finger at someone, remember there are three more pointing back at you.”
Let’s review some facts: 90 percent of cyberattacks involve social engineering, and people do make mistakes. In fact, 88 percent of breaches involve some form of human error. And that’s where the stat train stops before everyone gets off at the “people are the problem” station.
So, let’s travel further down the track and ask a couple of extra questions.
1. Do people inherently know what they need to watch out for?
No, people aren’t born to naturally spot tricky phishing scams.
Therefore, the logical conclusion is people need to be taught.
2. Have businesses successfully taught their employees what they need to know in order to spot dangers and how to react to them?
No, again. 55 percent of businesses don’t have mandatory security awareness training. And the majority of businesses that do only provide training once a year (or less).
3. Do the current choices for security awareness education effectively prepare people?
Unfortunately, not. How do we know? The Ebbinghaus forgetting curve states that people forget 80 percent of what they learn in less than a month. Yet only 6 percent of businesses train their employees on a monthly basis.
4. Why are current security awareness offerings so far off the mark?
They’re often developed and administered by smart, highly technical people who are security experts, not educational program experts. Since they live security, they find this information simple to understand and select programs that aren’t geared for employees who aren’t as tech savvy. Those employees struggle without proper training and are ultimately failed by the system that was supposed to protect them by educating them.
We need a better approach. One that is:
- Made by security awareness experts to produce content, delivery, and education, all designed with the strategy of adoption, retention, and behavior change.
- Made by education program experts so it’s optimized for the way adults learn and fits into their schedule.
- Guided by a coach who understands how to engage employees and get the best results.
That’s why we now offer Arctic Wolf Managed Security Awareness®.
We combined decades of experience helping companies prepare for social engineering attacks and asked ourselves what can be done to give businesses the power to successfully educate their people. We needed an option that doesn’t require IT to perform new work or add training expertise to its headcount. We created a new approach to security awareness by first going back to the drawing board and studying the best ways adults learn.
We discovered the method that works best for improving people’s understanding, retention and behavior: microlearning. It’s more than simply short content as many would have you believe. It’s a set of techniques and best practices proven to work when employees need to work fast and think slow.
If you want to know more about microlearning and why it is the best strategy for your security awareness program, download our white paper.