Security Awareness Trainings - DIY or automate?
According to Verizon's Data Breach Investigations Report for 2022, the human element continues to drive breaches: 82% of breaches involved the use of stolen credentials or phishing, or in some cases employee misuse or human error.
Social engineering techniques such as phishing are the most cost-effective way for attackers to penetrate organizations' networks and applications, so it is no wonder phishing attacks are at record highs.
On the other hand, technology such as e-mail filtering is not perfect, and we all know it will fail sometimes, especially given the rate at which attackers innovate and find new ways to trick employees.
As people continue to play a very large role in incidents and breaches alike, it's surprising that Security Awareness Training (SAT) initiatives are still an afterthought in most IT departments. Why is that so?
The traditional way of running SAT initiatives is to deliver trainings manually in a do-it-yourself (DIY) fashion, that is, to deliver and record training sessions over video conferencing tools or in person. However, as attack patterns and new phishing techniques appear, many organizations find that trainings need to be constantly updated and refreshed to reflect them. Yet burdening employees with long or repeated training sessions is simply not an option.
Furthermore, as new employees join the company, it is critical that these new arrivals receive proper training.
And so, to have at least some impact, running such trainings soon becomes a very time-intensive and costly effort for both the trainers and the trainees. Not many organizations will find the resources (including time) to run the trainings continuously. The outcome: SAT is either abandoned or altogether ineffective.
This perhaps explains why most IT departments prefer technology solutions over trainings, in the hope that e-mail filtering and other security tooling will do the job.
In fact, SAT can also be a technology solution: it can be supported by SAT software integrated into the daily employee routine. Solutions from vendors such as Proofpoint offer various functionality that automates training delivery and ultimately improves employees' capacity to withstand social engineering attacks. For example:
Deliver pre-produced training sessions in various languages through a UI that tracks user attendance, with built-in reporting.
Provide training in short, regular intervals: security teams have limited time to train users, and they also compete with people’s tasks and shortened attention spans. Delivering bite-sized training that users can take in regular intervals not only makes it easier for users to fit into their daily lives, but also reinforces concepts so people don’t forget what they’ve learned over time.
Deliver phishing "simulations" to employees and track click and interaction rates, while also using the opportunity to reinforce positive behavior through teachable moments.
Provide clear reporting and metrics: to ensure that your security awareness program is successful, security teams must take a baseline regularly to verify that users are changing their behavior and are indeed acting as a strong line of defense.
Make it easy for users to report malicious or suspicious messages from existing applications such as Outlook.
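As an added example, not code from the original post or from any vendor's product, the Python script below computes the kind of campaign metrics the last three points call for from a constructed set of phishing-simulation events: unique click and report rates per campaign, how many users reported the lure before clicking it, the change against a baseline campaign, and users who clicked in more than one campaign (candidates for targeted follow-up training). The event format, the campaign names and the user names are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events for two simulated phishing campaigns (not real data).
# One tuple per user action: (campaign, user, action, minutes after delivery).
# Actions: sent, clicked, submitted (credentials entered on the landing page),
# reported (user pressed the report-message button in the mail client).
EVENTS = [
    ("2023-Q1", "alice", "sent", 0),
    ("2023-Q1", "alice", "clicked", 12),
    ("2023-Q1", "alice", "submitted", 13),
    ("2023-Q1", "bob", "sent", 0),
    ("2023-Q1", "bob", "reported", 5),
    ("2023-Q1", "carol", "sent", 0),
    ("2023-Q1", "carol", "clicked", 30),
    ("2023-Q1", "carol", "reported", 31),   # reported, but only after clicking
    ("2023-Q1", "dave", "sent", 0),
    ("2023-Q1", "erin", "sent", 0),
    ("2023-Q1", "erin", "clicked", 45),
    ("2023-Q1", "erin", "clicked", 46),     # second click: still one clicking user
    ("2023-Q2", "alice", "sent", 0),
    ("2023-Q2", "alice", "clicked", 8),
    ("2023-Q2", "bob", "sent", 0),
    ("2023-Q2", "bob", "reported", 3),
    ("2023-Q2", "carol", "sent", 0),
    ("2023-Q2", "carol", "reported", 10),
    ("2023-Q2", "dave", "sent", 0),
    ("2023-Q2", "dave", "reported", 60),
    ("2023-Q2", "erin", "sent", 0),
]


@dataclass
class CampaignStats:
    recipients: int = 0
    clicked: int = 0                # unique users who clicked at least once
    submitted: int = 0              # unique users who entered credentials
    reported: int = 0               # unique users who reported the message
    reported_before_click: int = 0  # reported without having clicked first

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients if self.recipients else 0.0


def _per_user(events):
    """Collapse raw events into one record per (campaign, user), keeping first click/report times."""
    users = defaultdict(lambda: {"sent": False, "click": None, "report": None, "submitted": False})
    for campaign, user, action, minute in events:
        rec = users[(campaign, user)]
        if action == "sent":
            rec["sent"] = True
        elif action == "clicked":
            rec["click"] = minute if rec["click"] is None else min(rec["click"], minute)
        elif action == "reported":
            rec["report"] = minute if rec["report"] is None else min(rec["report"], minute)
        elif action == "submitted":
            rec["submitted"] = True
    return users


def campaign_stats(events):
    """Return {campaign: CampaignStats}, counting each user at most once per metric."""
    stats = defaultdict(CampaignStats)
    for (campaign, _user), rec in _per_user(events).items():
        if not rec["sent"]:
            continue  # ignore actions from users who were never in the campaign
        s = stats[campaign]
        s.recipients += 1
        if rec["click"] is not None:
            s.clicked += 1
        if rec["submitted"]:
            s.submitted += 1
        if rec["report"] is not None:
            s.reported += 1
            if rec["click"] is None or rec["report"] < rec["click"]:
                s.reported_before_click += 1
    return dict(stats)


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns: candidates for targeted follow-up training."""
    hits = defaultdict(set)
    for (campaign, user), rec in _per_user(events).items():
        if rec["sent"] and rec["click"] is not None:
            hits[user].add(campaign)
    return sorted(u for u, c in hits.items() if len(c) >= min_campaigns)


def trend(stats, baseline, current):
    """Change in click and report rate from the baseline campaign to the current one (fractions, rounded)."""
    b, c = stats[baseline], stats[current]
    return {
        "click_rate_delta": round(c.click_rate - b.click_rate, 3),
        "report_rate_delta": round(c.report_rate - b.report_rate, 3),
    }


if __name__ == "__main__":
    stats = campaign_stats(EVENTS)
    for name, s in sorted(stats.items()):
        print(f"{name}: click rate {s.click_rate:.0%}, report rate {s.report_rate:.0%}, "
              f"reported before clicking {s.reported_before_click}, credentials submitted {s.submitted}")
    print("trend vs. baseline:", trend(stats, "2023-Q1", "2023-Q2"))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Two design choices matter for the numbers to mean anything: every metric counts unique users rather than raw events (otherwise one curious user who clicks twice inflates the click rate), and a report only counts as the desired behavior when it happened before the user clicked, which is the teachable moment the simulation is meant to create. The trend is reported as a change in rate against a baseline campaign, which is the comparison the "regular baseline" point above asks for.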