According to nearly every study conducted over the last decade, social engineering is involved in the vast majority of cyber attacks. The figures range from about 30% to 90% of all hacking and malware attacks. There is no other root exploitation cause that organizations can focus on mitigating that would decrease cybersecurity risk more.
No matter how good your policies and technical defenses are, some amount of social engineering will end up reaching your end users. End users must be taught how to recognize signs of social engineering, how to mitigate the attacks, and how to appropriately report so the threats can be better mitigated and tracked.
Despite this fact, many organizations do not do any security awareness training (SAT), and a large percentage of organizations that do SAT only hold one SAT session a year, often solely to meet a compliance obligation.
One SAT session a year is not enough.
What We Recommend
KnowBe4’s data shows that providing SAT only once a year has almost no impact on the chances of employees being successfully socially engineered. There is no significant decrease in risk until training and simulated social engineering tests are done at least once a quarter, and there are further significant drops in risk as training and simulated phishing tests are done at least once a month. The best organizations do training at least once a month and simulated phishing tests at least once a week.
KnowBe4 recommends that longer cybersecurity training (15 minutes to 60 minutes) be done when an employee is hired and at least annually thereafter. Then at least once a month, shorter training sessions (3 minutes to 5 minutes long) are conducted along with simulated phishing tests to reinforce the lessons learned in training. Employees failing the simulated phishing tests should be immediately told what social engineering indicators they should have recognized in the failed phishing test and given additional training for each failure.
If an organization wants the best chance of being broadly successful against social engineering, it needs to pursue SAT aggressively. SAT needs to be promoted to employees by senior leadership as something they personally care about, alongside a variety of other messages delivered over varying channels (example below).
SAT content should be frequent (i.e., “Train like a marketer”) and varied. Different people learn in different ways. Content should be a combination of emails, branding, slogans, newsletters, videos, quizzes and games. There should be serious content, humorous content and redundant content.
A proper, aggressive SAT program takes top-to-bottom commitment. It does not necessarily take more resources or money. Most of these recommendations can be pushed through automated campaigns using KnowBe4’s services with a minimum of ongoing human involvement. Once kicked off, the self-driving campaign will handle the rest. The only thing that is needed that KnowBe4 cannot provide is senior management ownership and interest.
All organizations need to not only conduct cybersecurity training for their employees, but conduct aggressive, frequent SAT. Anything less raises your cybersecurity risk. Many organizations that conducted SAT half-heartedly learned the hard way that infrequent, half-hearted training is not enough.
If social engineering is the biggest cybersecurity threat, and it is, should it not be treated and mitigated as such? Make sure your organization takes SAT seriously and does the appropriate training to significantly reduce risk.