For many cybersecurity professionals, October’s annual “cybersecurity awareness month” is met with scorn and ire, or mocked on social media for likes and hearts.
Meanwhile they forget that, outside the small percentage of humanity that exist in our cybersecurity bubble, there are an enormous number of people that can and do benefit from the additional outreach, engagement, and focus that Cybersecurity Awareness Month brings. Not least the spotlight that it shines on security awareness training delivered as part of an organization’s security strategy.
Last month, we asked more than 400 cybersecurity decision makers how their security teams spend their time, and how much of that time is dedicated to increasing the security-savviness of their user base.
Employees Are the Most Vulnerable Part of the Attack Surface
“Users as the weakest link” is not a new concept but when 46% of security decision makers identify employees and employee identity as their most vulnerable assets, we need to ask: how often are you strengthening their resilience?
We found that more than 40% of companies only provide security awareness training once a year, and a handful of mid-size organizations were honest enough to admit that they do not do any end-user security training whatsoever. I sure hope that those companies were amongst the overwhelming majority of responders that ranked training and awareness top of the list for investment priority in the next twelve months; ahead of cloud security, endpoint security, and data backup.
For many organizations, security awareness and training remains an either-or proposition.
We generally find that companies spend a considerable amount of time trying to figure out where to start. Should you start by assessing your employees with unannounced simulations and phishing tests? Unfortunately, these tools largely exist to confirm that yes, congratulations, you can trick your own end-users.
Tricking is not training.
So much security awareness “training” is punishment, it’s no wonder people dislike and keep smashing the “next” button to get that compliance box ticked ASAP.
Engage users, don’t enrage users. https://t.co/nQWbkhie7F
— Ian McShane (@ianmcshane) September 25, 2021
Phishing simulations are not suitable for implementing or measuring standalone security awareness. They are best used as a tool to reinforce what your employees are learning through your structured awareness training content and syllabus.
In our experience, there is little to suggest that starting with either measurement and benchmarks, or training, is better than the other. In fact, it is far more important to understand that in order to successfully engage with your users, you must eventually do both.
Our survey showed that almost 50% of organizations with under 3,000 employees are currently focusing on one or the other, driven by the fact that these awareness training and phishing simulation capabilities are largely sold independently from each other – another obvious indication that cybersecurity has an operations problem.
|
A combination of phishing simulations and training content |
47% |
|
Training content only |
31% |
|
Phishing simulations only |
13% |
|
We don’t have a training program |
3% |
Employees are not being properly prepared, only 8% of companies engage their employees more than once a month.
Very few people, myself included, look forward to traditional security awareness training, but the hard truth is that we all need more training engagement, not less. Hermann Ebbinghaus, a German psychologist who pioneered research into how people learn and remember, documented that humans forget 80% of new learning within four weeks unless they are frequently reengaged.
|
Never |
1% |
|
Only during employee onboarding |
16% |
|
Once a year |
24% |
|
Once a quarter |
35% |
|
Once a month |
16% |
|
More than once a month |
8% |
The math doesn’t add up to a secure organization when people are forgetting faster than they are learning. Throwing good money after bad awareness programs is not going to change employee behavior or foster a culture of security so before you blame your users as the weakest link or as unteachable, take a look in the mirror and ask could my program be better?
Financial loss due to cyberattacks and security awareness also hits close to home.
As IT and security professionals we see the dark side of the internet every day and we carry this knowledge home with us knowing that our friends and family are also vulnerable to cyberattacks, especially those older than 65.
While there plenty of savvy seniors out there, its well documented that the majority are susceptible to the many types of social engineering attacks. 69% of the security professionals we spoke to have at least one friend or family member over the age of 65 that have experienced financial loss due to a social engineering attack, and a full 10% know four or more that suffered such a loss.
|
Vishing / phone scams |
52% |
|
Fake virus alert on computer |
50% |
|
Phishing |
46% |
|
Smishing / texting |
41% |
Stay tuned for additional blogs digging deeper into other findings from this data set.
And experience the security awareness journey with a start to finish guided tour. Learn about on-boarding, interact with real lessons and phishing simulations, and travel to the future to see the outcomes of your awareness program with our concierge experience.
