Security Awareness Training

    The Good, the Bad, and the Ugly of Security Awareness

    Companies say they’re giving employees security awareness training, but cyberattackers keep breaking in anyway. Does your training program need a refresh?

    by Dr. Matthew Canham

    Key Points

    • The good news: 97% of survey respondents report that their organization provides security awareness training to their employees. 
    • The bad news: Nearly 100% report phishing attacks and over 90% report business email compromise attempts.
    • The ugly news: Cybercriminals are becoming more sophisticated in their tactics.
    • It’s time for the security community to level up security awareness training.


    This year’s State of Email Security (SOES) report from Mimecast provides insights that can help increase employee online security, which is now more important than ever due to the migration by many organizations to remote work. While it’s no surprise that exploiting human error remains the attack vector of choice for malicious actors, this year’s survey details some of the good, the bad, and the ugly of employees’ persistent susceptibility, attackers’ growing sophistication, and organizations’ ongoing efforts to turn the tide against cybercrime. 

    The Good

    Let’s start with the good. Virtually all SOES survey respondents (97%) reported that their organization provides security awareness training to their workers. Nearly all (96%) reported that they either have or are in the process of developing a strategy for their organization’s cyber resilience. Over a third (36%) of respondents whose companies have such a strategy in place said they provide cybersecurity awareness training on a regular, ongoing basis. Now that we’ve covered the good, let’s discuss the rest.

    The Bad

    Virtually every company surveyed was the target of a phishing attack, with most respondents reporting that these are occurring more frequently. Although phishing is the most common email-based threat, more than nine out of 10 respondents acknowledged that their organization has also been subjected to email data leaks and business email compromise attacks. Consistent with other research regarding non-email threats,[1] respondents mentioned the following as the worst security mistakes made by their organization’s employees:

    • Inadvertent data leaks (83%), with collaboration tools among the chief culprits.
    • Poor password hygiene (82%).
    • Oversharing on social media (80%).
    • Shadow IT (80%).

    When asked what they expected to be their biggest security challenge in the coming year, 40% cited employee naivete. This may seem bad, but now let’s look at the ugly. 

    The Ugly

    Nearly three out of four respondents stated that cyberthreats are continuing to rise, with the majority reporting that these attacks are becoming increasingly sophisticated. Lateral phishing attacks are one example of this increasing sophistication. These phishing attacks initially seek to compromise one employee account, then leverage that account to launch phishing attacks against key employees from “inside” the organization.[2] 

    In a typical lateral phishing scenario, an attacker might compromise the account of a maintenance worker who has few account privileges and receives little security awareness training. The attacker would then use this compromised account to send a malicious email to a human resources (HR) account. Once an HR account is compromised, the attacker can easily create a plausible pretext to contact nearly anyone else within the organization, including the ultimate victim who might be an accounts payable specialist empowered to transfer money or an IT administrator holding the keys to company databases.

    Survey respondents reported an increase in attacks spreading internally among their users, carrying infected attachments (44%) and malicious URLs (40%). Overall, more than eight out of 10 SOES participants reported that their organization was the victim of such an attack in the past year. This is fully 10% higher than the previous year and well above the levels observed since the annual SOES study began.

    Leveling Up Security Training

    In the film Batman Begins, Police Commissioner Gordon informs Batman that a new level of criminal (the Joker) has emerged in response to the appearance of Batman and that a sort of arms race has begun. In the real world, employees are learning to avoid the tired old scams (a rich uncle you never heard of would like to bequeath $1 billion to you), and in response, like the Joker, cybercriminals are upping their game.

    This increasing level of sophistication is clear to the more than 80% of respondents experiencing instances of lateral phishing. A more advanced technique closely related to lateral phishing, known as “clone phishing,” copies emails previously sent by a legitimate account user and “resends” those copied emails (now containing malware) to other employees in the contacts list.[2] Clone phishing is incredibly powerful because it leverages established contacts and a consistent linguistic style to attack the victim.

    As cyberattacks keep evolving, is your organization still using the same security awareness training from last year? If so, you may be doing more harm than good. Threats and tactics change, and training needs to be updated to remain relevant and counter these changes. Continuously sending the same tired phishing simulations can backfire by lulling employees into a false sense of security. Consider sending more difficult simulated phishing emails to employees who are ready for the challenge. Ask yourself: How many employees within your organization have been trained to question an odd email coming from an HR email account?

    In another unhelpful trend, SOES respondents reported that group trainings with IT staff have declined by 8% since the pandemic-related switch to remote work. Granted, lunch-and-learn sessions for groups of employees can be challenging for IT staff to lead in the age of Zoom meetings. However, group training sessions bring value beyond information dissemination. Research has found that employees are often intimidated by meeting one-on-one with information security staff they do not have a personal relationship with, and that they are reluctant to bring concerns to them out of fear of “looking stupid”.[3]

    The Bottom Line

    Mimecast research indicates that more than 90% of security breaches involve some degree of human error. Numerous research studies have also found that employees who receive consistent cybersecurity awareness training are five times more likely to spot and avoid clicking on malicious links. This is a good first step, but training needs to keep up with current threats to be effective. Be creative when developing your training and think like the adversary.

    [1] “Confronting Information Security’s Elephant,” Springer

    [2] “Every ROSE Has Its Thorn,” Black Hat

    [3] Canham, M. & Dawkins, S. (paper in preparation)
