We’ve written a lot this past year on employee security awareness training, including how to measure its ROI, how it must work in tandem with machine learning technology to be effective and, most importantly, why it should be recognized as only one component of the very complex email security puzzle.
Such arguments aside, many organizations - from small businesses to global enterprises - continue to invest heavily in security awareness training, hoping to transform employees into a primary defense against email phishing and other cyberattacks. But such an endeavor is proving costly. A recent report commissioned by Bromium found that large enterprises spend $290,033 per year on phishing awareness training. While the ROI of a quarter-million-dollar spend on security awareness training is debatable, it is a relatively small amount considering that a single successful phishing attack costs an organization approximately $1.6 million to remediate, according to Cloudmark.
However, the once-overwhelming consensus that security training and awareness programs are invaluable is increasingly up for debate. According to a recent article in The Wall Street Journal, security training and awareness often falls short of its intended purpose because “security training is a big turnoff for employees.” The article goes on to say:
“Most of the time, all it (security awareness training) does is try to instill fear of clicking on suspicious links or using weak passwords. But research shows that approach doesn’t work. Even with security awareness training, employees are still prone to making simple security mistakes that leave a company vulnerable to damaging hacks.”
Unfortunately, many security awareness training companies ignore such employee sentiment, continuing to mislead organizations as a means to generate business and differentiate their products and services in what has become an oversaturated market. So, what’s the truth about security awareness training programs? Here’s what security awareness training companies don’t want you to know.
Lie #1: Employees must participate in numerous hours of security awareness training for it to be effective
The Facts: While many reporters and analysts explore how to create security awareness training programs that employees “won’t hate,” nobody argues for allocating more time than absolutely necessary. That’s because training adults on cybersecurity is a lot like training children in math or science - more time spent does not always equate to better results. Not to mention that millennials, now the largest generation in the workforce, are widely reported to have a shorter attention span than a goldfish.
So, what does work best? Experiential learning, using gamified quizzes and interactive sessions in which attacks are simulated, has been shown to provide the mental stimulation required to hold the attention of every generation. These simulations can often be conducted in 5 minutes or less (“nugget” training sessions), giving employees an engaging and memorable experience that reflects what they are most likely to encounter in their own inbox. If the simulations are executed correctly, employees can learn what they most need to know in very little time.
Furthermore, according to proprietary data that IRONSCALES has collected over the last three years, only 10 percent of employees who fail phishing tests actually complete their training when it is first presented to them. Although most companies don’t have the time, resources or will to continuously nag people to finish their training, click rates among such “undisciplined” employees still drop by up to 95 percent.
How? Just knowing that more phishing tests are imminent prompts employees to heighten their awareness and be more cautious. In one experiment we conducted, simply presenting employees who fell for a phishing test with an immediate one-page notice was enough to decrease the click rate in 80 percent of future cases. This is a stark contrast to the amount of training time security awareness training companies argue is needed.
Lie #2: The more content employees consume, the faster their behavior will change
The Facts: Security awareness training companies would like their prospects to believe that the more content employees consume, the more quickly they will change their behavior and thus reduce the risk of human error. This notion is why so many companies now emphasize the volume of their content libraries.
But changing behavior is one of the most difficult human undertakings. In fact, renowned psychologists estimate that forming a new habit takes the average person anywhere from 66 days to almost 300 days. Imagine the backlash to mandating 66 or more days of cybersecurity training. Given the attention-span deficit referred to earlier, it is probably not even possible.
Instead of forcing employees to consume a plethora of content, organizations should stay focused on communicating their main security messages and repeating those messages throughout the year. How do we know this approach works? Earlier this year, we chronicled remediated attacks for one year across companies with 5,000 mailboxes each. In Q1 and Q2, the number of reported attacks increased modestly.
But as employees continued to experience more simulations, and as automated incident response technology and intelligence sharing were introduced, the number of reported attacks skyrocketed in Q3 and Q4. That increase in reported attacks had little to nothing to do with the volume of training content.
Lie #3: Hundreds of training modules are essential to a cyber-aware workforce
The Facts: There is a not-so-subtle competition among security awareness training companies to see which can most inflate the number and importance of its training modules.
This is especially true for companies with little intellectual property of their own, whose existence depends on organizations believing that it is of the utmost importance to have hundreds of training modules at their disposal. The truth is that while some modules may help maintain industry or government compliance mandates, they do very little, if anything, to prepare employees to identify and act on cyberattacks. Instead, the oversaturation of modules frequently confuses and frustrates employees, who view them as unimportant and even a waste of time. Organizations serious about reducing risk must tune out the background noise of security awareness training companies pushing their own agenda, and instead prioritize employee feedback and experiential learning techniques in order to train a truly cyber-aware workforce.
Security awareness and training companies want you to believe that their products and services will make many of your cybersecurity problems go away. But as evidenced by the continued escalation of successful attacks, that message is simply not true. What is true is that security awareness and training is just one small piece of a complex cybersecurity puzzle, regardless of the hours, content and modules a vendor tries to sell you on. Now you know.