The Rising Tide of Cyber Awareness Training in Today’s Enterprise

Here’s a stark reality: no matter how good your employees are at their jobs they still usually pose your biggest security risk. Human error ranks even higher for cyber risk than software flaws and vulnerabilities. So high, in fact, that they’re a contributing factor in more than 90% of breaches.

Properly trained, alert and aware, your people can serve as an integral part of your security program and your last line of defense. Improperly trained or not trained at all? Well….

In the latest Mimecast State of Email Security Report, which includes comprehensive data from a global survey of more than 1,000 IT-decision makers, we uncovered reasons for optimism about the uptake of awareness training for employees.  

Our survey found that 98% of organizations offer cybersecurity awareness training to their employees, with 25% saying they offer training on an ongoing (or, more than once monthly) basis, up from 11% a year ago. It is our strongly held belief that constant, persistent training is one of the linchpins to the deployment of a successful program.

However, 51% of organizations are conducting their awareness training to spot cyberattacks quarterly or even less frequently than that. And, just under 10% conduct training only once at induction for employees and never again, on an ad-hoc basis after a security breach, or don’t do any training at all.

Clearly, the industry is starting to come to grips with the need for persistent training, but we are still in the early stages of the adoption curve.

Attacks are worsening. Training is vital.

The State of Email Security report highlighted several startling findings around email security: 94% experienced phishing attacks in the previous 12 months, while 73% suffered a direct loss (data, financial or customer) because of an impersonation/business email compromise attack. In addition, business-disrupting ransomware attacks doubled year-over-year. Remember, a phishing attack is basically a malicious actor leveraging your employees’ mistakes. So, this equates to 73% of direct losses stemming directly from human error.

The consistent increases in breaches or losses proves that security awareness, and email security in particular, needs to be a priority. You need your employees to stop, think and verify that the action they are about to take is not letting the bad folks in.

It’s not exclusively about email though. While a vast majority of cyberattacks come through email, security training should cover other areas exploited by attackers and thieves as well. There are also simple, avoidable security mistakes that can compromise your organization without there being a specific attack. Good training generally helps employees be more thoughtful and aware of their actions, saving trouble and time for everyone.

In a nutshell, you and your teams are best served with a robust training program which covers a broad array of security topics, concentrated heavily on teaching employees how to detect and avoid email borne attacks.

So, how do you make security training stick? Your awareness training must be frequent, engaging, and updated to evolve with cybercriminals’ latest techniques. It should be supplemented with phishing simulations. And, a good program will have a mechanism in place to allow you to identify higher risk employees and provide them additional or enhanced training.

The simple truth: More & Better Training = Less Risk. Note that better does not mean shorter. Better means more engaging. The best training is laser-focused, short and to the point and delivered frequently.

*IBM survey conducted by the Ponemon Institute, 2018