Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Tim Sadler
Tim Sadler
Connect Directly
E-Mail vvv

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?

Consider four factors and behaviors that impact a particular employee's risk, and how security training should take them into account.

Companies are spending significant resources trying to reduce security risk among employees. And they spend billions each year on training, yet major data breaches continue to make headlines, and human error remains the leading cause of a breach. Where's the disconnect?

Related Content:

6 Free Cybersecurity Training and Awareness Courses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

One major problem is that companies haven't adapted their security training as quickly as cybercriminals have evolved their attack methods. Cybercriminals increasingly target specific employees based on real-time factors like tenure, department, and location to make their scams more believable. To safeguard against these threats, security training must be as tailored and sophisticated as attack methods. 

There are a number of factors and behaviors that affect a particular employee's risk. Here are four of them, and how security training should take them into account.

Department and Job Function
Cybercriminals craft convincing scams by tailoring them based on an employee's department and role. They comb platforms like LinkedIn and company websites to find these details.

Security training should be tailored by job function and provide employees with real-world examples of the scams most likely to target them. For example, the CFO and finance department might be targeted by more business email compromise attacks like wire transfer fraud, and they should be trained on them accordingly. 

Human error also differs by department. For example, sales teams often have access to large swaths of personal information. Train these teams on how to avoid data loss risks, like sending documents or attachments to their personal emails.

Individualized training allows companies to prioritize training for employees with access to sensitive data, such as customer Social Security numbers and financial information, and for the departments that are most often targeted. For this reason, information on employees' roles and access should be automatically updated.

Employee Tenure
New employees are often specifically targeted by hackers, and social media makes this easy. Tessian found that 93% of US respondents post about a new job on social media. 

Because new employees are less familiar with colleagues and company security protocols, they are often less able to identify abnormal requests. Cybercriminals know this and take advantage of it. For example, they'll pose as an IT team member or customer service rep asking for login credentials to set up software or account permissions. 

Security training and tactics should focus on where new employees' vulnerabilities lie so they know what to look for. A careful review of security guidelines and best practices should be integrated into the onboarding process early on. 

Remote or In-Office Work
Security was a major challenge for many companies during the transition to remote work. Now they will face new hurdles with a complex shift to hybrid work. It's highly likely that cybercriminals will continue to target remote employees and take advantage of any uncertainty caused by the hybrid workplace.

Distraction is an important risk factor here. Over half (57%) of employees say they feel more distracted when working from home, while 47% cited distraction as the top reason for falling for a phishing scam. People tend to make more mistakes, like clicking a link without verifying an email sender, during these situations. It's also more difficult to verify a legitimate request from a colleague when you're not in the same location.

Employees should be trained on the specific security risks unique to working from home, in an office, or in a hybrid environment. 

Risk of Human Error
Security training often focuses only on risks like phishing scams that aim to trick employees. But simple human mistakes also lead to data breaches — for example, when an employee sends sensitive information to the wrong email recipient. The most effective tools will flag this behavior in real time as an employee is about to make a poor decision. Humans learn best in context, so training is best delivered in-the-moment rather than in lengthy modules that happen once per quarter.

Training has an important opportunity to make employees aware not only of general security risks, but also improve their individual behaviors over time. Do they download large amounts of sensitive data when they only need to access a small portion? Do they have a history of falling for phishing scams? Security reminders should be tailored to past behavior and delivered consistently. 

This is not about shaming or punishing individual employees. The goal is to arm them with specific, relevant knowledge based on their own workplace habits. 

Better for Employees, Better for Organizations
Tailored training is a win-win for both organizations and their employees. Instead of sitting through long, boring training sessions that interrupt productivity, employees' time can be spent only on the most relevant information. Training becomes more engaging and more memorable. Meanwhile, organizations save resources by making training more effective and efficient. The ultimate goal is to create a wider security culture that leaves the organization better protected overall. 

Cybercriminals are consistently refining their techniques to trick employees, while workers are put in charge of more and more data as companies digitally transform. Security techniques should, similarly, continually incorporate new methods and technologies. By analyzing unique risk factors and making security training both individualized and automated, security leaders can protect employees without disrupting their work.

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-03
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting thi...
PUBLISHED: 2023-02-03
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of ...
PUBLISHED: 2023-02-03
An issue in NoMachine before v8.2.3 allows attackers to execute arbitrary commands via a crafted .nxs file.
PUBLISHED: 2023-02-03
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are...
PUBLISHED: 2023-02-03
All versions prior to Delta Electronic’s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.