Cybersecurity Awareness Month: Time to Level Up Training  

October is Cybersecurity Awareness Month, that time of year when organizations around the world run employee training and education campaigns. As helpful as these yearly rituals can be, cyber experts point out that the security profession needs to think bigger in the face of undiminished email phishing and impersonation attacks. 

A more modern and effective approach to cybersecurity awareness training combines monthly training sessions with just-in-time reminders. Implementing this approach requires a real-time, actionable feedback loop between training activities and email security systems. We call this integrated awareness training, because it draws on the real-world employee behaviors observed by secure email gateways to help you customize individual training efforts and discourage risky decision-making as it occurs.

Integrated Awareness Training Improves Efficacy

Basing cybersecurity risk assessments and responses on how well employees perform in periodic training sessions will never be as effective as grounding risk management in employees’ everyday behaviors. That’s the problem with programs that only score how well users perform during training.

In contrast, integrated awareness training provides the basis for continuous cybersecurity awareness training — today’s gold standard in the security profession. This means capturing an employee’s behavior in the wake of training, analyzing it, and taking immediate steps to remind that individual and protect your organization.

For example, a user engaging with malicious email on any given Monday would appear right away on the training dashboard, prompting the security team to “nudge” that employee with a Slack message suggesting a quick refresher on URL phishing. Or, based on observed employee behaviors, the security team might reset permissions to access certain data or systems.

Integration is making inroads for companies using Mimecast’s secure email gateways in combination with its security awareness training programs. Under these conditions, our analysis has shown employees to be 60% less likely to click on dangerous links (that fortunately have been disarmed by our system’s URL protection techniques), whereas training alone delivered a 20% improvement.

And Mimecast is continuing to deepen the integration of security systems and security awareness training. This feedback loop is growing more robust, as artificial intelligence (AI) capabilities are making email security systems more attuned to user behavior. Already, our systems use AI in threat detection to flag malicious emails that fall outside of normal communications patterns, empowering employee decision-making at the point of risk. Our integrated approach will become farther-reaching, as we exchange more real-world data from our email systems across other point security solutions for endpoints or VPNs, all working together in mesh platforms connected with application programming interfaces (APIs).

What’s the State of Security Awareness Training?

Cybersecurity Awareness Month also presents a good opportunity to check in on how well companies are training their employees on handling email, which cyberattackers use most often to deliver their malware, commit fraud, and otherwise threaten your organization.

Security awareness training ranks as the second most effective mitigation tactic against phishing attacks, close behind multi-factor authentication, according to a recent report we commissioned from Osterman Research. But there’s ample room for improvement, captured in both the Osterman report and in Mimecast’s State of Email Security 2022 (SOES) report. For example:

• Confidence in employee awareness is low. Only 45% of security professionals surveyed are confident their employees are well trained to recognize phishing attempts in emails.
• Employees spread infections internally. Four in 10 respondents said they’ve been hit by an attack in which employees internally shared emails with malicious URLs.
• Passwords are weak. More than eight in 10 cited risks to their organizations from employees’ poor password hygiene.

Companies’ Training Is Improving — Up to a Point

There’s a bit of good news to celebrate this October, with organizations conducting training more frequently. But most still fall short of the continuous training paradigm, according to our SOES report. The breakdown looks like this:

• Continuous: 23% train on an ongoing basis (up from 20%).
• Monthly: 37% conduct training once a month (up from 26% last year).
• Quarterly: 27% do it every quarter (down from 32%).
• Less regularly: For the remaining 15%, training is either annual, upon hiring, ad hoc or non-existent (down from 23%).

And when all is said and done, 80% of security professionals surveyed in the SOES report still said that it was likely to inevitable that their company would suffer a negative business impact from an email-borne attack in 2022. 

Training Tools Continue to Improve

Vendors such as Mimecast continue to improve cybersecurity awareness training tools in other ways, as well:

• More nuanced approaches: Cyber risk scores and analytics enable administrators to customize and contextualize training for their riskiest employees or those in a highly targeted department, such as finance. They can also dial back training for less risky users.
• Customized reporting: Reports can be tailored for key stakeholders and specific needs, including regulatory compliance reporting and industry benchmarking.
• Multi-stage simulations: Templates used for training now go beyond sending a single malicious URL to test employees’ behavior to simulate more sophisticated, multi-stage attacks. Will trainees fill in an online form and fall prey to credential theft?
• Training dashboards: These and other ongoing upgrades are made readily available to administrators using centralized training dashboards.

The Bottom Line

Every year, Cybersecurity Awareness Month prompts a flurry of education efforts and training campaigns. This year, it should inspire the trainers to revisit their strategies and consider integrating secure email gateways with their training platforms for better results. Explore Mimecast’s integrated security awareness training.