More organizations find security awareness training is becoming a vital security tool
‘Human defense networks’ invaluable to companies hoping to control cyber attacks, reduce risk
By John LaCour, Special to ThirdCertainty
If you’ve been a part of the corporate work force in the past decade, the words “security awareness training” likely evoke feelings of boredom and wasted time.
And for good reason. You probably had to sit through hours of training designed for the lowest common denominator. You would complete the training, get your checkmark for the year, and forget about it for the next 364 days.
Corporate security awareness training is right up there in the same category as all the other corporate training programs employees have to take in order to keep HR and regulators happy. And it does a good job at that. But what it doesn’t do very well is actually make organizations more secure, especially when it comes to reducing the risk posed by phishing attacks, which are, by far, the most prevalent and successful method of cyber attack.
Fortunately, this hasn’t gone unnoticed by the cybersecurity community over the years. The ineffectiveness of traditional security awareness training has been apparent for quite some time. Most of the major breaches happened to organizations that already were doing security awareness training. Yet most of those breaches started with an employee falling for a well-crafted phishing email.
Employees part of the solution
This has led many security leaders to shift their approach by using simulated phishing attacks to teach employees how to avoid falling victim. As part of these programs, fake phishing emails are sent out to company employees. Those who fail receive instruction on how to spot the attacks in the future.
By conducting phishing simulation programs, many organizations have been able to significantly reduce their employees’ susceptibility to attacks—and therefore the organization’s overall risk. Upward of a third of an organization’s work force falls for phishing attacks when these initiatives first start. But as the simulations and training progress, the rate plummets. Within a year, some organizations are able to reduce the failure rate to below 10 percent.
This is great progress, but not enough. There’s a limit to how low the failure rate can go. We’re talking about human beings who make mistakes. No matter how awesome the training, the risk of employees falling for a phishing attack remains present. To account for this, another shift is underway.
Early reporting helps identify threats
That shift focuses not just on keeping employees from falling for phish, but also on driving them to report suspicious emails.
The organizations doing this today find that the push to create a “human defense network” provides much better visibility into the phishing attacks that make it into user inboxes. It gives them an opportunity to respond that they didn’t have before, when they wouldn’t find out until the initial compromises turned into much more disruptive and costly security incidents. Now they can detect threats earlier and take action before the damage is done.
So if you’ve been frustrated by corporate security training in the past, there’s good news and bad. The bad news is that those training sessions aren’t going away. But the good news is that many companies are already on the path toward providing more impactful (and less painful) training that actually reduces security risk.