Today Security and IT decision makers have a wide variety of security issues to manage, with email security at the top of the list. As threat actors evolve their attack methods to target your employees with malware, spear phishing and ransomware, the importance of empowering employees to play a vital role in keeping your organization safe is clear. New research conducted with individuals who manage their organization’s security awareness training program reveals their perceptions of security awareness training and its importance as a technology in dealing with security threats.
Because email is and will remain the primary communication, collaboration and content-sharing tool in most organizations, email-related threats continue to be a critical security concern. In one comparative test, the total accuracy rating for Microsoft Office 365 Advanced Threat Protection was just 28%, while other security solutions in the same test achieved an accuracy rating of 94%. The problem may get worse with the growing adoption of Office/Microsoft 365 as the dominant business email platform worldwide. The COVID-19 pandemic and the associated stay-at-home orders have heightened security concerns: 46 percent of decision makers and influencers are “concerned” or “extremely concerned” about hackers exploiting the new work-from-home workforce, something that numerous analyses from multiple vendors have determined has already happened.
More striking still, 95 percent believe that the use of email for conventional communications will either increase or remain the same during the crisis, while only five percent believe that email communications will decrease. Email will clearly remain a mainstay of corporate communications during the pandemic, and for employees to remain productive, corporate email systems will need to operate at a very high level.
With the increased reliance on email for employee-to-employee communication and collaboration, security and compliance suffer. While 64 percent of organizations agreed that they were doing an excellent job at maintaining compliance with their various obligations before the COVID-19 crisis, that level of agreement fell to just 56 percent shortly after the lockdowns began, highlighting the impact the lockdowns have had on organizations’ ability to deal effectively with both security and compliance.
The progression of security awareness training
Security awareness training should have as its goal moving users from a state of ignorance, where they are largely or completely unaware of threats like phishing attempts, to “systemic” change, where security becomes so ingrained in the way they use email and other tools that good practices become second nature. In short, the end result of good security training should be a user mindset akin to “muscle memory”, as seen below.
Training is perceived to be as important as technology, if not more so
Nearly four in five IT/security decision makers and influencers consider the combination of technology and training to be equally important in dealing with security threats. Among those who believe that one is more effective than the other, however, training gets the nod. Over the next 12 months, both training and technology are expected to increase in their perceived importance, although a slightly larger proportion of those in IT and security will place more emphasis on training.
IT is more enthusiastic about training than are rank-and-file employees
One of the goals of security awareness training is to get employees on board with the notion that training is useful in helping them to protect corporate data and systems. Ideally, however, the goal should be to move employees beyond changing their behavior to truly systemic change, in which employees change not only their behavior but their entire mindset, so that they want to practice safe computing for personal as well as professional reasons. A key reason that many employees are not fully engaged in developing a strong cybersecurity culture may be that their management has not made it clear just how important users are in the security process.
Training increases users’ security savvy
IT and security decision makers and influencers clearly understand that security awareness training provides significant benefits. After training, users are perceived to be dramatically more capable than they were before: in the case of phishing emails, for example, the proportion of users perceived to be “capable” or “very capable” at detecting these threats jumped nearly six-fold, from 11 percent to 64 percent.
Train users with a view toward systemic
Good security awareness training is an essential element in improving any organization’s security defenses because it gives employees the knowledge and skepticism necessary to avoid making mistakes that could lead to security problems like ransomware infections or data breaches. However, if you’re like most companies, your cybersecurity awareness training isn’t working.
In fact, more than 90% of security breaches are caused by human error on the inside, not bad actors on the outside. If your employees aren’t engaged, you’re wasting time and money, and they’re still forwarding spam emails and clicking phishing links.
Why? We’re sorry to break it to you, but traditional cybersecurity awareness training can be really boring. But it doesn’t have to be.
We’re all human. We all make mistakes. But some mistakes can have a big impact on your business. That’s why you need to understand what causes human error when designing your training program. Mimecast Awareness Training isn’t anyone’s grandfather’s security training solution. It’s different: by assessing risk in real time using a broad set of criteria, not just click history, we change user behavior. But don’t just take our word for it: employees at companies using Mimecast Awareness Training were more than 5x less likely to click malicious links.