"Get Beyond Security Awareness Training" Does Not Mean Forgetting About It



KnowBe4 is a big believer in focusing on decreasing human risk as the best way to decrease cybersecurity risk in most environments.

A big part of decreasing human risk is effective security awareness training (SAT). SAT should not be your only focus, but it is a big part of decreasing human risk.

To be sure, your human risk management program needs to be broadly focused on more than SAT. We agree. That is why we discuss changing your culture and offer products such as email security, Compliance Plus and 1:1 Security Coach.

At the same time, SAT is one of your best and biggest tools, especially until perfectly effective technical defenses exist. Remember, social engineering is involved in 70% - 90% of all successful hacking attacks, and that is after the hackers made it past all the technical tools involved.

We have seen people say that SAT does not work at all. That is not true; we have the data to support that it does indeed work. Organizations that do effective SAT create people who recognize phishing attempts and click on them less, both in simulated phishing and in preventing real-world breaches.

We have seen people say you only need SAT until we finally get the 100% effective technical security defenses we have been promised for decades. How good are technical defenses against social engineering today?

Seventy to ninety percent of all successful hacking involves social engineering that has gotten past all technical defenses. Even if one day someone figures out how to protect email 100%, which we are not even close to yet, we still have to protect the web, SMS, social media, and every other communication channel. Today, email phishing is the biggest problem, but it is not the only problem.

There are lots of social engineering scam scenarios where no defense other than SAT currently exists. Education is the primary way you help mitigate the threat. They include:

In May 2023, Barracuda Networks reported successful compromises. That is huge for a single root cause!

Another good example of training being the primary defense is password reuse. Every computer security person knows that they should never share the same password across unrelated sites and services. It’s too risky. When a password is reused and it gets compromised at one location, it can more easily be used to break into the other sites that use the same password.

It’s especially risky to a business for an employee to reuse their employee account password on their personal sites. An attacker could learn about someone’s password on, say, Facebook or a cat-lover’s website and then attempt to use it on the user’s corporate account.

Outside training, there is no way to prevent unauthorized password reuse (if your company uses passwords). There is no password tool that will scan your network, scan all your employees' personal accounts, and look for matches. Your only defense (besides implementing MFA at work) is educating employees not to share passwords between their work and personal accounts.

Technical defenses alone are going to have a very hard time stopping these types of attacks. Instead, you need to make people aware of these types of attacks, and educate them on how to spot, mitigate and appropriately report them.

While training should not be the only thing you are doing, it is a crucial part of any human risk management defense. So, until that perfect technical defense comes around, do training, and do lots of it.

Our current problem is not that we do too much training; it is that we do not do enough.
