More organizations find security awareness training is becoming a vital security tool

‘Human defense networks’ invaluable to companies hoping to control cyber attacks, reduce risk


If you’ve been a part of the corporate work force in the past decade, the words “security awareness training” likely evoke feelings of boredom and wasted time.

And for good reason. You probably had to sit through hours of training designed for the lowest common denominator. You would complete the training, get your checkmark for the year, and forget about it for the next 364 days.

Corporate security awareness training is right up there in the same category as all the other corporate training programs employees have to take in order to keep HR and regulators happy. And it does a good job at that. But what it doesn’t do very well is actually make organizations more secure, especially when it comes to reducing the risk posed by phishing attacks, which are, by far, the most prevalent and successful method of cyber attack.

Fortunately, this hasn’t gone unnoticed by the cybersecurity community over the years. The ineptness of traditional security awareness training has been apparent for quite some time. Most of the major breaches happened to organizations that already were doing security awareness training. Yet, most of the breaches started with an employee falling for a well-crafted phishing email.

Employees part of the solution

This has led many security leaders to shift their approach by using simulated phishing attacks to teach employees how to avoid falling victim. As part of these programs, fake phishing emails are sent out to company employees. Those who fail receive instruction on how to spot the attacks in the future.

By conducting phishing simulation programs, many organizations have been able to significantly reduce their employees’ susceptibility to attacks—and therefore the organization’s overall risk. Upward of a third of an organization’s work force falls for phishing attacks when these initiatives first start. But as the simulations and training progress, the rate plummets. Within a year, some organizations are able to reduce the failure rate to below 10 percent.

This is great progress, but not enough. There’s a limit to how low the failure rate can go. We’re talking about human beings who make mistakes. No matter how awesome the training, the risk of employees falling for a phishing attack remains present. To account for this, another shift is underway.

Early reporting helps identify threats

That shift focuses not just on keeping employees from falling for phish, but also on driving them to report suspicious emails.

The organizations doing this today find that the push to create a “human defense network” provides much better visibility into the phishing attacks that make it into user inboxes. It gives them an opportunity to respond that they didn’t have before, when they wouldn’t find out until the initial compromises turned into much more disruptive and costly security incidents. Now they can detect threats earlier and take action before the damage is done.

So if you’ve been frustrated by corporate security training in the past, there’s good news and bad. The bad news is that those training sessions aren’t going away. But the good news is that many companies are already on the path toward providing more impactful (and less painful) training that actually reduces security risk.
