According to nearly every study over the last decade, social engineering is involved in the majority of cyber-attacks, with the figures ranging from about 30% to 90% of all hacking and malware attacks depending on the study. No other root cause of compromise offers firms as much risk reduction for the effort spent mitigating it. No matter how good your policies and technical defences are, some amount of social engineering will get past them and reach your employees.
Employees must be taught how to recognise signs of social engineering, how to mitigate the attacks, and how to appropriately report so the threats can be better mitigated and tracked. Despite this, many organisations do not do any Security Awareness Training (SAT), and a large percentage of organisations that do SAT only hold one session a year, often solely to meet a compliance obligation. One training session a year is not enough.
How much training is recommended?
KnowBe4’s data shows that providing SAT only once a year has almost no impact on the chances of employees being socially engineered. There is no significant decrease in risk until training and simulated social engineering tests are done at least once a quarter, and risk drops further as training and simulated phishing tests are done at least once a month.
Organisations which achieve the best results when it comes to Security Awareness Training conduct training at least once a month and simulated phishing tests at least once a week.
In addition, KnowBe4 recommends that longer cybersecurity training (15 minutes to 60 minutes) be done when an employee is hired and at least annually thereafter. Then at least once a month, shorter training sessions (3 minutes to 5 minutes long) should be conducted along with simulated phishing tests to reinforce the lessons learned in training.
Employees who fail a simulated phishing test should be told immediately which social engineering indicators they should have recognised in that test and given additional training for each failure. An organisation that wants the best chance of broad success against social engineering needs to pursue its programme aggressively.
Security Awareness Training needs to be promoted by senior leadership to employees as something they care about along with a variety of other messages over varying channels.
What content works best?
SAT content should be delivered frequently and be varied, because different people learn in different ways. Content should be a combination of emails, branding, slogans, newsletters, videos, quizzes and games, and it should include serious content, humorous content and deliberately redundant content so the same lesson lands more than once.
A proper, aggressive SAT programme takes top-to-bottom commitment. It does not necessarily take more resources or money. Most of these recommendations can be delivered through automated campaigns using KnowBe4’s services with a minimum of ongoing human involvement: once kicked off, the self-driving campaign handles the scheduling of training and simulated phishing tests. The one thing KnowBe4 cannot provide is senior management ownership and interest.
Learn on the go
With the large majority of the world using smartphones, mobile training changes the way people learn. KnowBe4 has released the KnowBe4 Mobile Learner App, enabling employees to complete their security awareness and compliance training from their tablets or smartphones. This helps employees associate security with their personal devices, keeping it top of mind all the time rather than only when they are at work on their PCs.
All organisations, wherever they are, need not only to conduct cybersecurity training for their employees but to do it ‘little and often’, which is the approach that gets the best results. Anything less raises your cybersecurity risk. Many organisations that conducted SAT half-heartedly learned the hard way that infrequent, half-hearted training is not enough.
If social engineering is the biggest threat, and it is, should it not be treated as such? Make sure your firm takes SAT seriously and does the appropriate training to reduce risk.