Security Awareness Training (SAT) is finally having its day. Here’s why.


Cybersecurity awareness is on the rise as more organizations adopt security awareness training programs. Why the hype? In several recent reports, we break down our findings around why SAT is on the rise—and why companies need it now more than ever.

Employees are discovering cyberattacks the hard way

A recent study by Fortra’s Terranova Security, conducted in collaboration with Ipsos, measured employees’ knowledge of cyber security best practices and their interest in learning more.

Overall, respondents reported a high level of knowledge about cyber risks. Unfortunately, much of this knowledge was hard-won. Per the results, 76% of employees in the US, France, the UK, Canada, and Australia reported personally being targeted by a cyberattack or knowing someone who had been. Among US respondents who had been targeted, 61% reported that the attack succeeded.

These high numbers indicate that the threat is real and can no longer be ignored. When asked to rate the level of cybersecurity knowledge within their companies, 34% said it was ‘average to good’. Slightly fewer (30%) rated their own personal knowledge as high, and only 20% said the same of their colleagues. Fewer than one in ten would rate overall cybersecurity awareness as ‘excellent.’

“These results emphasize the importance of up-to-date educational training that raises awareness about security,” said Theo Zafirakos, CISO at Terranova Security, in the report. “The survey results show that, although most people are aware of cyber threats and their prevalence across all regions and business sectors, we can assume that the overall level of knowledge is below average.”

But studies show they’d rather learn the easy way

If employees are slow on the security draw, it must be because they lack interest, right? Wrong. The same study, From Data Protection to Cyber Culture, showed that more than three-quarters (79%) are interested in security awareness training, even if their company does not offer it.

When asked how they’d like to learn, survey respondents answered:

  • Phishing simulations (37%)
  • Online courses (37%)
  • Game-based formats (32%)
  • Instructor-led lessons (over 30%)

That’s an incredible amount of motivation among employees for something that, in some cases, does not seem to be much of a priority to employers. At the same time, roughly one in four respondents did not believe security awareness training was necessary at all, with the US (27%), Canada (27%), and Australia (29%) topping that list.

The good news is that the vast majority of respondents do see a value in security awareness training and are taking the steps to prove it.

Here’s what happens when we put employees to the test

Those steps start with baselining, and that’s exactly what happens when a security awareness program gets underway.

Last year’s Gone Phishing Tournament, which drew participation from over 1.2 million users across different organizations, highlighted the critical need for a culture of cyber awareness. The tournament showed that employees’ gaps in cybersecurity best practices leave organizations exposed to phishing and related threats.

The results were concerning. In an organization of 10,000 employees, 700 would have clicked on a malicious link, and 308 would have gone on to compromise sensitive information. Nearly half (47%) of those who clicked a phishing link took the extra step of filling out the form on the landing page and giving up credentials. Only companies with fewer than 500 employees saw a click-to-form-completion ratio under 30%.
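The figures above are the two baseline metrics a phishing simulation produces: the click rate (share of targeted users who followed the link) and the click-to-form-completion ratio (share of clickers who then submitted credentials). The script below is an added example, not code from the article or from Terranova Security’s platform, showing how to compute those metrics correctly from a campaign’s event log. The event names (`sent`, `click`, `submit`, `report`) and the sample log are constructed assumptions; real platforms export different column names. It handles two things a naive event count gets wrong: a user who clicks twice is counted once, and a form submission is counted as a click even when the click beacon was blocked by a proxy or mail client.

```python
"""Baseline metrics from a phishing-simulation event log (constructed sample)."""
from collections import defaultdict

# Constructed sample: one (user, event) row per tracked event.
# 20 users were sent the lure; u01 and u02 clicked twice; u07 submitted the
# form but has no click event (beacon blocked); u10..u13 reported the email.
SAMPLE_EVENTS = [(f"u{i:02d}", "sent") for i in range(1, 21)] + [
    ("u01", "click"), ("u01", "click"), ("u01", "submit"),
    ("u02", "click"), ("u02", "click"),
    ("u03", "click"), ("u03", "submit"),
    ("u04", "click"), ("u05", "click"), ("u06", "click"),
    ("u07", "submit"),
    ("u10", "report"), ("u11", "report"), ("u12", "report"), ("u13", "report"),
]


def events_per_user(events):
    """Collapse the event stream to the set of event types seen per user."""
    per_user = defaultdict(set)
    for user, event in events:
        per_user[user].add(event)
    return per_user


def naive_click_rate(events):
    """Click events divided by emails sent: over-counts repeat clickers and
    misses users whose click beacon never fired. Shown for contrast only."""
    sent = sum(1 for _, e in events if e == "sent")
    clicks = sum(1 for _, e in events if e == "click")
    return clicks / sent


def baseline(events):
    """Per-user rates: each targeted user counts at most once per outcome."""
    per_user = events_per_user(events)
    targeted = {u for u, evs in per_user.items() if "sent" in evs}
    # A submitted form implies the link was followed, even without a click event.
    clicked = {u for u in targeted if per_user[u] & {"click", "submit"}}
    submitted = {u for u in targeted if "submit" in per_user[u]}
    reported = {u for u in targeted if "report" in per_user[u]}
    n = len(targeted)
    return {
        "targeted": n,
        "clicked": len(clicked),
        "submitted": len(submitted),
        "reported": len(reported),
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        # The article's click-to-form-completion ratio.
        "click_to_submit": len(submitted) / len(clicked) if clicked else 0.0,
        "report_rate": len(reported) / n,
    }


def project(metrics, headcount):
    """Scale the measured per-user rates to an organisation of `headcount`,
    the way the article frames results for a 10,000-employee company."""
    return {
        "expected_clicks": round(metrics["click_rate"] * headcount),
        "expected_submissions": round(metrics["submit_rate"] * headcount),
    }


if __name__ == "__main__":
    m = baseline(SAMPLE_EVENTS)
    print(f"naive click rate: {naive_click_rate(SAMPLE_EVENTS):.2f}")
    for key, value in m.items():
        print(f"{key:>16}: {value:.2f}" if isinstance(value, float) else f"{key:>16}: {value}")
    print(project(m, 10_000))
```

On the constructed log the naive count reports a 40% click rate while the per-user baseline gives 35%, with 3 of 7 clickers submitting credentials. Tracking the report rate alongside clicks matters for the “culture” goal the article describes: a campaign where reports rise while clicks fall is the signal a program is working.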

These statistics are far too high for comfort and should be a wake-up call to any CISO.


The time for Security Awareness Training is now

In large part, results like the ones above (and worse) have been a clarion call to organizations of all sizes to invest in awareness training.

The share of Not-for-Profit (NPO) organizations with no security awareness program fell by nearly half since our previous report, from 60% in 2021 to 33% in 2022. Companies in the Energy, Healthcare, Finance, and public sectors were the most likely to have a dedicated program combining educational resources with phishing simulations, an advantageous combination. Sectors running both awareness training and phishing simulations continue to post the lowest click rates in the Gone Phishing Tournament year after year. Encouragingly, over half (59%) of Ipsos survey respondents felt responsible in some way for protecting their company in their day-to-day work.

Seeing the need for a company-wide cybersecurity awareness training program is the first step. Building it out is the second—and whom you choose matters.

Terranova Security: Award-winning security awareness training

Terranova Security has worked to provide best-in-class cybersecurity awareness training for over 20 years, and we know a thing or two. We find that traditional eLearning content formats alone are insufficient to keep employees abreast of the latest cyber threats: Creativity and a culture of continuous reinforcement are required to reach users across multiple digital generations.

To that end, we combine real-world phishing simulations with our security awareness training options to provide industry-leading programs that not only educate but engage. We’ve been recognized as the IT Educational Vendor of the Year, and our training solution ranked No. 1 in the industry for customer satisfaction.

As cyber threats continue to diversify, employees feel the need to know more, and companies need to be prepared to provide it. By partnering with Terranova Security, stakeholders get long-lasting support from industry experts as they build out a culture of security awareness.


About the Author:

Theo Zafirakos is an experienced CISO, trusted cyber security advisor, and expert in security awareness strategy, governance, privacy, and more.

He works with security leaders worldwide to help identify, evaluate, and manage security awareness strategies that align with their organizational objectives. He’s also responsible for internal cyber security policies and awareness initiatives at Terranova Security.

Theo leads the Professional Services team in the implementation and execution of personalized security awareness training campaigns. He also helps organizations assess their security awareness training program’s success with actionable metrics that facilitate long-term optimization and growth.

Before joining Terranova Security, Theo spent 20 years at Canadian National Railway (CN), a leading North American transportation and logistics company. In his role as CISO, he was responsible for the information security and governance strategy.

Theo regularly speaks about security awareness and phishing simulation training at in-person and virtual industry events. He lives in Montreal, QC, and enjoys traveling, cooking, board games, and spending time with his family.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
