6 Reasons Security Awareness Programs Go Wrong
While plenty of progress has been made on the training front, there's still some work ahead in getting the word out and doing so effectively.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc24176d452284d2f/64f0d56903fe3b04698b43ce/Slide1CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
Good news on the security awareness training front: Wombat Security reports that 95% of companies they surveyed now train end users on how to identify and avoid phishing attacks, up from 86% in 2014.
Even more good news: The training also has had an impact. Roughly 54% of security pros said they have been able to quantify reductions in phishing susceptibility based on training activities, according to Wombat's "2018 State of the Phish" report.
"There's been an increase in interest over the past year," says Gretel Egan, brand communications manager for Wombat Security, which is a division of Proofpoint. "A few years ago many scoffed at the idea of security awareness training, but now they realize that it can only benefit their company."
Yet there's still some work ahead in getting the word out and doing so effectively. That means understanding where companies go wrong with their security awareness training – and how to correct it.
Security pros often get too bogged down in the details of an ongoing program and don't focus on the big picture, says Wombat Security's Egan. For example, they will tell their CEOs that they still see 15% click rates on phishing lures. No matter how hard they try, they will never get that number to zero, and the bigger point is that the number means nothing to the chief execs anyway. It is better to tell them that by having a security awareness program, the company will save money on downtime and reduce security remediation costs. Those are bottom-line impacts that the top person will want to know about.
According to Tom Etheridge, vice president for services at CrowdStrike, companies tend to conduct security awareness training as a checklist item. But their top officials, from people on the executive board and in the C-suite to the financial team and the procurement department, require more specialized training on the cyberthreats facing their companies, he says. These people are high-value targets to cybercriminals because they all have fiduciary responsibilities, and many have access to privileged information on personal machines or company laptops. Security pros need to work with them so they can learn how to use tools such as two-factor authentication and encryption, as well as learn the proper steps they need to take to protect physical assets when they travel internationally.
Security pros typically focus on the specific person who approves their funding for an awareness program. As a result, they tend not to look across the company and speak to management peers, Wombat Security's Egan points out. By getting buy-in from the other managers, security pros can convince them to encourage their direct reports to attend the awareness training. For the rank-and-file, if their supervisors want them to participate, that's usually enough.
Wombat Security's Egan says a lot of companies will just send out some phishing tests and see what happens. But before conducting any tests, it's important that the security team is trained to think through the types of attacks that are important to monitor, how they want to group the users, and what they want to measure.
CrowdStrike's Etheridge says his teams work with companies to run tests, often attempting phishing during specific times to see how a client will perform. Broad-based phishing may work for compliance purposes or to evaluate general awareness of this tactic, he says, but it doesn't always test the true defenses of an organization. He recommends companies run more proactive red team/blue team tests that culminate with explaining to executives how they could respond more efficiently to a security issue.