CISA Recommends Continuous Cybersecurity Training



In an age when 70% - 90% of successful data breaches involve social engineering (which gets past all other defenses), sufficient training is needed to best reduce human-side cybersecurity risk.

Everyone should be trained in how to recognize social engineering attempts, how to mitigate (i.e., delete, ignore, etc.) them, and how to appropriately report them if in a business scenario.

The amount of time an organization should devote to security awareness training (SAT) is still up for debate. Most cybersecurity regulatory guides have no recommendation or only recommend/require a single SAT session a year. Most cybersecurity experts agree that once a year is not enough.

At KnowBe4, we recommend a longer SAT training session when employees are hired (say 15-30 minutes), and a similar longer session once a year thereafter. Then, we believe that SAT training should be at least monthly, although shorter in duration (say three to five minutes). Simulated phishing campaigns should be conducted at least once a month, although the organizations with the lowest social engineering cyber risk conduct phishing tests at least weekly. Recipients “failing” a simulated phishing test should be given more training.

We have data to show that the more frequently training and simulated phishing testing are done, the lower the risk that an employee will click on a phishing email.

Note: We see some evidence that simulated phishing can be an even stronger teaching tool than regular cybersecurity training alone.

Continuous Cybersecurity Training

There has also been a new trending term in the last few years known as continuous cybersecurity training. I am not sure when or where it first originated (perhaps some cybersecurity training firm decades ago can claim first use), but it is possible that the term is increasingly being used to describe the human element within the also-trending zero trust architectures, which often discuss continuous authentication and continuous monitoring.

The idea is that doing something continuously is more likely to be accurate and reduce risk than doing something once. For example, almost all of today’s authentication involves a user (or device, service, etc.) being checked only once, at the first attempted login, and, if that check succeeds, never again (at least for that session). It is equivalent to someone coming into a bank building, being checked and allowed in, and then never asked to re-substantiate their reason for being anywhere in the bank forevermore. Continuous authentication, re-performed on the user during all their actions within a system, is likely to be more accurate than one-time authentication.

In that same vein, continuous cybersecurity training is gaining steam. This hit home recently when in CISA's latest cybersecurity warning regarding a Chinese nation-state threat called Volt Typhoon, they recommend "continuous cybersecurity training" (see image excerpt below).

It is the second recommendation under ACTIONS FOR LEADERS.

Although it may not be the first time that CISA (and the other related “Five Eyes” organizations, such as the NSA) have recommended continuous cybersecurity training, it is the first we are aware of. Either way, we applaud CISA’s recommendation and use of continuous cybersecurity training.

CISA is likely recommending all types of cybersecurity training, of which SAT is only one type. Other types of cybersecurity training include teaching people how to correctly deploy, configure, and operate cybersecurity hardware and software defenses. It also includes teaching people the basic security tenets, such as least privilege and defense-in-depth. It, too, must include training people in how to recognize, mitigate, and correctly report social engineering attacks.

This is because all successful social engineering has already bypassed every other possible defense put in its way. Everything else failed and the threat ended up at the end-user. The mere fact that social engineering is involved in 70% - 90% of today’s successful data breaches, despite every other defense put in its way to prevent it from getting to an end-user, demonstrates the need for security awareness training.

It is proven that people who are taught something more frequently will better remember that training. We are still working on figuring out the best-recommended training and phishing frequencies for all organizations, individuals, groups, and scenarios (they are likely to be different). But we can say that in light of contrary data, more training is better than less training. And we certainly believe that thinking about cybersecurity training as something that is continuously done as a way of life and business is likely to be closer to the final answer when all the data is in.

We are using Artificial Intelligence Defense Agents to better figure out that part of the equation. We have been using AI for over six years to help better defend our customers against social engineering attacks. We already know that simulated phishing campaigns selected by our AIDA perform better to educate users than campaigns picked by human admins. Our AIDA agents are soon going to be picking the exact phishing subjects, messages, and training to send to individual users, so they get the education they need to best help reduce human-based cybersecurity risk. Just enough. Without large gaps of time. Continuously as needed.

It reminds me of how we train our children to cross the street. We hold their hands when they are toddlers, warn them to stay out of busy streets, and teach them to look left, right, left, before they step off the curb to go across the street to the other side. We do this for years, until we are sure they will always do it every time by themselves. And most adults, to this day, when crossing a busy street, will hear their parents’ mantra of “look both ways” before crossing a street. And they teach their children and grandchildren the same when it is time to do so.

We never stop teaching and thinking about real-world safety. It should be the same in the digital world.


Free Phish Alert Button

Do your users know what to do when they receive a phishing email? KnowBe4's Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! Phish Alert benefits: 

Here's how it works:

  • Reinforces your organization’s security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, Google Workspace deployment for Gmail (Chrome) and manifest install for Microsoft 365
