Bob Adams

by Bob Adams

Product Marketing Manager - Security

Posted Aug 15, 2018

Get the facts about the lack of training around cybersecurity.

Your organization has been, and will be, attacked. The sophistication of these attacks has changed over time and will continue to evolve. Many organizations have increased their focus on prevention, but where should one start?

As security professionals, we want to prevent cyberattacks, but how do we avoid security fatigue? Attackers are, and always will be, more advanced than our users. Beyond prevention, we need detection and response, but is that enough? And when does it become too much?

It’s vital to implement not just security protocols, but the right procedures to ensure you are effectively leveraging your users as part of your security posture, while also not desensitizing them to processes.

Cyber Awareness Training Cannot Be Undervalued

Users need cyber awareness training and it cannot be annually, bi-quarterly, or monthly – it needs to be a continuous activity. However, it’s a fine line between training and checking a box.

For example, forcing your users to take training such as the following will not achieve any actionable results:

“Bill got an email from HR@Gmail.com asking for his Social Security Number. What should Bill do?

Option A: Reply with the information requested.

Option B: Delete the email, open a ticket with IT security and never share personal information with anyone outside the organization.”

In fact, according to new Mimecast global research conducted by Vanson Bourne:

  • 11% of organizations continuously train employees on how to spot cyberattacks.
  • 24% admit to monthly training.
  • 52% perform training only quarterly or once a year.
  • 90% of global organizations have seen the volume of phishing attacks increase or stay the same over the past 12 months.

In addition to prevention, it has become crucial for organizations to perform regular and effective training for their entire user base. Executives and those in finance or other roles that handle sensitive data remain important, but every user now shares the responsibility to stay vigilant against the latest threats. So, how do you do it? How do you protect yourself and your organization?

Taking the Right Approach to Cyber Awareness Training

An organization may implement something like two-factor authentication, yet some implementations create an almost Pavlovian response: sign into an application, the phone dings, click the link to verify. Sign into another application, rinse and repeat.

Creating habits like that weakens your security. Instead, use effective methods of cyber awareness training. Send phishing emails to test your users and track their results, but make them convincing and engaging. Like the ineffective test question above, testing your users with simplistic or overly obvious phishing test emails will not be effective, nor will forcing them to watch or attend hours-long training.

The most effective way to train your users without damaging your security posture is to get the formula right. You can start with these three tips:

  1. Don’t bore your users with training that is either too difficult or overly obvious; find an appropriate middle ground that challenges them.
  2. Track your users’ results, on both real phishing emails and training, and act on those results.
  3. Be original.

I recently spoke with a director of IT at a conference who explained that they had been using security awareness training software for over a year and it had reduced their user failure rate by over 30%. However, a user who had never fallen for one of the phishing simulations was their first user to fall for a phishing attack.
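To make tip 2 concrete (track results on both simulations and real phishing emails, then act on them), and to show why the director's surprise above is predictable when only simulation scores are tracked, here is an added example. It is not Mimecast's code or any product's reporting logic; the event format, the user names, the action labels and the thresholds are assumptions constructed for illustration. It scores each user on simulated and real phishing outcomes separately and recommends a follow-up action, so that a user who has a clean simulation record but clicked a genuine phish is still flagged:

```python
"""Per-user phishing results tracker (added example, not Mimecast's code).

Event format (assumed, one event per line): campaign,user,source,outcome
  source  : "sim"  = simulated phishing email sent as training
            "real" = genuine phishing email seen in the mailbox
  outcome : "clicked", "reported" or "ignored"
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events. carol never clicks a simulation but clicks a
# real phish, mirroring the anecdote in the post; bob reports everything.
SAMPLE_EVENTS = """\
c1,alice,sim,clicked
c1,bob,sim,reported
c1,carol,sim,ignored
c2,alice,sim,clicked
c2,bob,sim,reported
c2,carol,sim,reported
c3,alice,sim,ignored
c3,bob,sim,reported
c3,carol,sim,ignored
r1,bob,real,reported
r2,carol,real,clicked
"""

VALID_SOURCES = {"sim", "real"}
VALID_OUTCOMES = {"clicked", "reported", "ignored"}


@dataclass
class UserStats:
    sim_total: int = 0
    sim_clicked: int = 0
    sim_reported: int = 0
    real_clicked: int = 0
    real_reported: int = 0

    @property
    def sim_click_rate(self) -> float:
        return self.sim_clicked / self.sim_total if self.sim_total else 0.0

    @property
    def sim_report_rate(self) -> float:
        return self.sim_reported / self.sim_total if self.sim_total else 0.0


def parse_events(text: str) -> dict[str, UserStats]:
    """Aggregate raw events into per-user counters, rejecting malformed lines."""
    stats: dict[str, UserStats] = defaultdict(UserStats)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"malformed event: {line!r}")
        _campaign, user, source, outcome = fields
        if source not in VALID_SOURCES or outcome not in VALID_OUTCOMES:
            raise ValueError(f"unknown source/outcome: {line!r}")
        s = stats[user]
        if source == "sim":
            s.sim_total += 1
            s.sim_clicked += outcome == "clicked"
            s.sim_reported += outcome == "reported"
        else:
            s.real_clicked += outcome == "clicked"
            s.real_reported += outcome == "reported"
    return dict(stats)


def recommend(stats: dict[str, UserStats],
              click_threshold: float = 0.34,
              report_threshold: float = 0.66) -> dict[str, tuple[str, str]]:
    """Map each user to (action, reason). Thresholds are illustrative assumptions.

    A click on a real phish always outranks a clean simulation history: the
    simulation score alone would have rated that user as low risk.
    """
    actions: dict[str, tuple[str, str]] = {}
    for user, s in stats.items():
        if s.real_clicked > 0:
            actions[user] = ("targeted training",
                             f"clicked {s.real_clicked} real phishing email(s)")
        elif s.sim_click_rate >= click_threshold:
            actions[user] = ("targeted training",
                             f"simulation click rate {s.sim_click_rate:.0%}")
        elif s.sim_clicked == 0 and s.sim_report_rate >= report_threshold:
            actions[user] = ("security champion",
                             f"reported {s.sim_report_rate:.0%} of simulations")
        else:
            actions[user] = ("on track", "no concerning signals")
    return actions


if __name__ == "__main__":
    for user, (action, reason) in sorted(recommend(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{user:8} {action:18} {reason}")
```

Run as-is it reports alice for targeted training on her simulation click rate, bob as a security champion, and carol for targeted training because of the real incident even though her simulation record is clean. The separation of "sim" and "real" counters is the design point: a single blended score lets real-world failures hide behind good simulation scores.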

The results you achieve are only as effective as the cybersecurity tools being leveraged.
