Security Awareness Month: Arctic Wolf Global Survey Shows Users Are Not Properly Prepared to Stop Cyber Attacks


For many cybersecurity professionals, October’s annual “cybersecurity awareness month” is met with scorn and ire, or mocked on social media for likes and hearts.

Meanwhile they forget that, outside the small percentage of humanity that exists in our cybersecurity bubble, there are an enormous number of people who can and do benefit from the additional outreach, engagement, and focus that Cybersecurity Awareness Month brings, not least the spotlight it shines on security awareness training delivered as part of an organization’s security strategy.

Last month, we asked more than 400 cybersecurity decision makers how their security teams spend their time, and how much of that time is dedicated to increasing the security-savviness of their user base.

Employees Are the Most Vulnerable Part of the Attack Surface

“Users as the weakest link” is not a new concept, but when 46% of security decision makers identify employees and employee identity as their most vulnerable assets, we need to ask: how often are you strengthening their resilience?

We found that more than 40% of companies only provide security awareness training once a year, and a handful of mid-size organizations were honest enough to admit that they do not do any end-user security training whatsoever. I sure hope that those companies were amongst the overwhelming majority of respondents that ranked training and awareness top of the list for investment priority in the next twelve months, ahead of cloud security, endpoint security, and data backup.

For many organizations, security awareness and training remains an either-or proposition.

We generally find that companies spend a considerable amount of time trying to figure out where to start. Should you start by assessing your employees with unannounced simulations and phishing tests? Unfortunately, these tools largely exist to confirm that yes, congratulations, you can trick your own end-users.

Tricking is not training.

Phishing simulations are not suitable for implementing or measuring standalone security awareness. They are best used as a tool to reinforce what your employees are learning through your structured awareness training content and syllabus.

In our experience, there is little to suggest that starting with either measurement and benchmarks, or training, is better than the other. In fact, it is far more important to understand that in order to successfully engage with your users, you must eventually do both.

Our survey showed that almost 50% of organizations with under 3,000 employees are currently focusing on one or the other, driven by the fact that these awareness training and phishing simulation capabilities are largely sold independently from each other – another obvious indication that cybersecurity has an operations problem.

[Chart categories: a combination of phishing simulations and training content; training content only; phishing simulations only; we don’t have a training program]

Employees are not being properly prepared: only 8% of companies engage their employees more than once a month.

Very few people, myself included, look forward to traditional security awareness training, but the hard truth is that we all need more training engagement, not less. Hermann Ebbinghaus, a German psychologist who pioneered research into how people learn and remember, documented that humans forget 80% of new learning within four weeks unless they are frequently reengaged.



[Chart categories: only during employee onboarding; once a year; once a quarter; once a month; more than once a month]



The math doesn’t add up to a secure organization when people are forgetting faster than they are learning. Throwing good money after bad awareness programs is not going to change employee behavior or foster a culture of security, so before you blame your users as the weakest link or as unteachable, take a look in the mirror and ask: could my program be better?

Financial loss due to cyberattacks and security awareness also hits close to home.

As IT and security professionals, we see the dark side of the internet every day, and we carry this knowledge home with us, knowing that our friends and family are also vulnerable to cyberattacks, especially those older than 65.

While there are plenty of savvy seniors out there, it’s well documented that the majority are susceptible to the many types of social engineering attacks. 69% of the security professionals we spoke to have at least one friend or family member over the age of 65 who has experienced financial loss due to a social engineering attack, and a full 10% know four or more who suffered such a loss.

[Chart categories: vishing / phone scams; fake virus alert on computer; smishing / texting]



Stay tuned for additional blogs digging deeper into other findings from this data set.

And experience the security awareness journey with a start to finish guided tour. Learn about on-boarding, interact with real lessons and phishing simulations, and travel to the future to see the outcomes of your awareness program with our concierge experience.


Ian McShane

Ian McShane has over 20 years’ experience in cybersecurity and operational IT. As a former Gartner analyst, Ian has advised the largest and fastest growing technology companies in the world as well as tens of thousands of organizations worldwide. He is well known as a trusted advisor and popular commentator in our industry, and prior to joining Arctic Wolf, Ian spent time at Symantec, Gartner, Endgame, Elastic, and CrowdStrike.