It should not be a surprise, but 95 percent of breaches come through phishing attacks. Nothing more than a simple lure email lands in one of your users inboxes, they click it, and everything unravels from there.
Fortunately, regardless of organizational size, security awareness training is one of the most vital defense mechanisms against these attacks. However, not all programs are created equal, and the training approach and the frequency on an annual basis has a drastic impact on organizational security and related levels of risk.
To get a better understanding of how security awareness training impacts the amount and effectiveness of users reporting suspicious emails we spoke to our Vice President, Stacy Shelly, and Security Training Manager, Dane Boyd.
Learning From Reported Emails
Many programs and phishing simulations are nothing more than a library of potential scenarios; however, potential and reality are not the same thing. As your users report emails, you are also gaining real-world examples of the phishing attacks either broadly going after your organization or even highly targeted spear phishing campaigns. In turn, you can use these real-world attacks as simulated phish to test your users. If they fail? Adjust your security awareness training program and push the failed users through a point-of-failure series.
Increased Volume of Reported Emails
As users progress through security awareness training programs they are more likely to interact with and report more attacks. For most programs, they typically only have one or two touch points throughout the year, which means there will initially be an increase in reports during these times, and quickly peter as they begin to forget their training. This is one particular reason standard training programs are ineffective and inefficient, because after only a single day they will have forgotten 60 percent of the new material. With microlearnings and more touch points, users will retain in the information and be better at detecting or thwarting organizational attacks.
Short, Focused, and Frequent
How many training programs have you gone through that consist of long, boring, drawn-out videos or modules that contain numerous key points that you are supposed to use until a year later when you do it all over again? Probably the majority of them. Now think back on how much of that information you really retain and if you’d still get a perfect score on the follow up skills test. That perfect score will certainly be down, and that is because traditional training programs are not designed for adults, nor are they designed for you to actually retain information. With a short, focused, and frequent training program users will both retain the information and increase the number of reported suspicious emails they receive.