One of the most devastating things that can happen to a business is a cyber attack, but business executives are not confident employees have had sufficient security training, according to a CybeReady report released today, “The State of Security Awareness Training,” which found 75% of execs to believe the most likely catalyst to a cyber attack is phishing.

CybeReady’s report is based on findings from the Osterman Research white paper, “The ROI of Security Awareness Training.” Phishing attacks topped the list of concerns for decision makers with nearly 75% of executives citing phishing emails as the most significant threat. Those executives regard training as a better way to deal with this threat, but approximately 60% of users receive training less than once a quarter, meaning organizations are not being adequately trained, even with current solutions.

The most relevant finding of the report is that, “Learning by doing is the most effective principle in adult learning,” said Shlomi Gian, CEO of CybeReady. “As adults, we do change behavior when we make a mistake and that’s the best way to get our attention.”

SEE: 10 tips for new cybersecurity pros (free PDF) (TechRepublic)

Security awareness training is designed to bolster users’ ability to recognize threats, such as phishing attempts, unusual requests that claim to be from the company’s CEO, malicious advertising on web pages and more, threats designed to make users vulnerable to hacking, and subsequently wreak havoc within an organization.

The report highlights executive concerns with phishing, business email compromise (BEC) and the unsatisfactory results, despite an increase in investment and effort. The study revealed that 58% of decision makers view awareness training as superior to technology solutions when dealing with phishing and awareness training budgets are quickly increasing, faster than security budgets.

Security awareness training should be a key element of any organization’s security posture. However, there is currently a gap in the awareness training market which needs to be filled with more effective solutions,” Michael Osterman, founder of Osterman Research said.

It is imperative that employees be well trained, and know to scrutinize emails before opening, not to click on random social-media links, or how to check a web page by first looking for potential clues regarding validity, before visiting the site.

A better awareness program should include continuous, data-driven training with adaptive and customized capabilities, because the research revealed that despite employees receiving additional training minutes, most awareness training programs failed to demonstrate change in employee behavior towards phishing attacks.

“After failing a phishing simulation, employees spend approximately 30 seconds to understand what they did wrong,” Gian said. “An effective training program should run continuously, be focused and memorable.

The report is another piece of evidence that existing programs do not address this need. A more effective training program does not mean more dollars or training time, but rather a training program that engages employees without taxing security teams.

“Organizations worldwide are realizing the need to invest in employee training and deploy different security awareness training solutions with the hope of mitigating the risk of data breaches,” Gian said. “The problem is that many organizations settle for dated phishing simulation solutions that train employees randomly and require manual effort to operate. The outcome is disappointing, employee behavior doesn’t change and information security teams remain powerless and frustrated in the face of successful phishing attacks.

Effective training should not become an IT and financial burden, but be done autonomously, via data science driven methodology that offers each employee a customized, continuous training every single month and significantly changes employee behavior, hence mitigates organizational risk of cyber-attacks.

“Just like the right technology,” Osterman said, “such as firewalls or endpoint detection and response solutions, can protect an organization‘s data and financial assets from theft or destruction, so can the right employee training.”

The report was based on a survey in May and June 2019 during which 230 respondents participated from organizations with a median of 1,006 employees.


Image: Getty Images/iStockphoto