Is Your Security Awareness Training Program Broken?

[Image: Users are the weak link in IT security]

Steve Ragan over at CSO Magazine wrote:

"A new study on user risk shows that employers are willingly conducting user awareness training, but only half of them follow up with additional tests to gauge such training's effectiveness.

"As network defenses grow stronger, and the gaps within those various layers of protection shrink, criminals are looking towards the soft targets, including employees, contractors, and customers, in order to launch an attack. Such knowledge isn't a secret; this is why user awareness training exists. It helps mitigate the risk associated with soft target attacks, including phishing and social engineering.

"According to the 2013 Verizon Data Breach Investigations Report, 29 percent of the attacks referenced by Verizon could be traced back to social tactics, such as phone calls, email, and social media (e.g. Facebook, LinkedIn, or Twitter). This type of data is often what drives awareness programs, and why companies spend money in order to teach employees how to spot phishing scams and how to limit their exposure online.

"However, teaching without testing opens a rather large gap in the overall usefulness of such programs. In a recent study published by Rapid7, based on responses from IT professionals representing more than 550 organizations, it was revealed that 66 percent of those firms conduct user awareness training, but only 33 percent of them actually follow that training with tests to measure effectiveness.

"So in Rapid7's survey, the real story is that 50 percent of those surveyed admitted to having broken awareness programs. Going back to Verizon's data, phishing accounted for at least 22 percent of all the reported incidents documented in the report. At the same time, the research points out that even the most targeted and malicious attacks an organization faces often rely on relatively simple techniques such as this to get started.

When it comes to making a dent in socially-based attacks, the organization needs to have awareness programs that teach and test, alongside common technical controls, such as email filtering and endpoint protections."

And that is exactly why we built KnowBe4 with its Kevin Mitnick Security Awareness Training. We train and test, test, test the whole year through.
