Security awareness training (SAT) holds a crucial role in protecting businesses from modern threats. A well-designed SAT program not only educates employees but also helps foster a genuine security-conscious culture within the organization.
In this blog, we explore how organizations can level up their basic SAT initiatives and highlight the oversight of compliance-driven training in fostering a genuine security-conscious culture. Ultimately, it's crucial for organizations to pivot towards a tailored approach that not only engages employees but also tackles targeted and sophisticated threats.
Is basic SAT ticking the right boxes?
It’s no secret that SAT is important, which is why 100% of organizations carry out some form of security training. Not only can it educate employees, but ultimately training can reduce the likelihood of a security incident within an organization, minimizing the possibility of reputational, operational, and financial losses.
The desired result for training programs is undoubtedly a security–conscious culture, with employees who can identify sophisticated and targeted phishing attacks, as well as have a thorough understanding of compliance and data loss policies.
However, out–of–the–box training may not always achieve this result.
According to our latest Email Security Risk Report, 88% of Cybersecurity leaders agree that meeting compliance requirements is a primary driver for their SAT programs which begs the question – are programs effective if they are generic and involve a large degree of box ticking?
Almost all Cybersecurity leaders would answer in the negative, with 91% having doubts about the effectiveness of basic SAT programs, concerned that employees simply skip through training because it isn’t relevant to them and therefore don’t engage properly with the materials. But with every organization continuing to roll out some form of training, why are we seeing this shift in confidence?
3 reasons why generic and infrequent SAT isn’t hitting the spot
The consequences of training time gaps
Firstly, training isn't being carried out often enough. To keep information front of mind, it is best to ensure employees are training regularly. However, according to the Email Security Risk Report, only 23% of organizations carry out training weekly, while 36% do it monthly. A staggering 30% only train quarterly, 8% just twice a year, and 3% a mere once a year. If organizations carry out infrequent training, it's no wonder that employees are not retaining the critical knowledge needed to keep organizations secure. Consistency is key in reinforcing security best practices.
The power of personalized training
This year, CEOs have unsurprisingly been the most targeted job role, likely because they hold the most influence, authority, and information within an organization. Therefore, attackers will often spend more time crafting convincing and personalized attacks aimed at CEOs than they would to the masses. The reality of this is that a phishing attack targeting a CEO is likely going to look very different from an attack sent to anyone else in the organization – with much more dire consequences if successful.
This begs the question: will generic training help all employees of varying levels and responsibility recognize the actual attacks that target them?
The short answer is no. Currently, 28% of organizations continue to deliver out-of-the-box training, and 46% offer training that is tailored to the organization as a whole, broadly ensuring all employees will be familiar with the same set of attacks. However, for the best results, training must be tailored to the individual, based on real-life attacks that may land in their inbox. For example, CEOs should be regularly trained on whaling attacks, whereas a mid-level executive or managers should look to be experts on phishing emails that impersonate the C-suite.
Understanding the rise of multi-channel attacks
Email continues to be one of the largest risk factors for cyber activity within organizations, which is why most SAT programs focus heavily on educating employees about email-based attacks.
However, our latest Phishing Threat Trends Report has revealed that multi-channel attacks are on the rise with cybercriminals sending follow-up attacks from a separate channel to email. Currently, Microsoft Teams is the most popular second step, accounting for 30.8% of attacks, followed by Slack (19.2%), and SMS (18.6%).
Below is an example of a multi-channel attack that uses Microsoft Teams as the second step.
Example of a wire fraud phishing email with Egress Defend banners applied and a follow-up attack sent on Microsoft Teams.
In this wire fraud attack, the cybercriminal uses social engineering tactics in the initial email to pressure the target into quickly processing an ‘outstanding’ fraudulent invoice. The tight deadline for payment contained within the initial email, flagging the Microsoft Teams message ‘Urgent’, and language such as ‘ASAP’ are designed to increase this pressure. The delivery of the follow-up message over Teams may also decrease the recipient's suspicion that the request is malicious because it appears to come from a trusted communication platform, fostering a false sense of legitimacy.
Tailored SAT, even if focused purely on email communication, would help a recipient identify this email as suspicious. For example, training could help a member of a finance team to be especially wary of emails and messages that combine urgent language and signal a change in remittance details. If this is the case, the follow-up attack over Teams could ring further alarm bells for the recipient due to the fact the message is tagged as important and uses more pressing language.
The Egress approach and SAT integrations
SAT should be a non-negotiable for any organization, but unfortunately even those who implement regular training, tailored to the individual, and that incorporates the various risk channels, still face two unfortunate realities:
- Although training can be mandatory, employees can’t be forced to fully engage, especially if the training isn’t tailored to their role or department.
- The undeniable fact is many employees are often working on autopilot and may not be on constant alert for threats or unable to recall historic training, especially if an attack uses social engineering tactics designed to elicit a quick action or response.
Therefore, it becomes apparent that basic SAT initiatives can often fall short of the mark if they are too generic, prompting a pressing need for a more sophisticated approach—one that accommodates the intricacies of modern threats.
Egress Defend offers this type of approach, integrating with Microsoft 365 to provide AI-powered behavioral-based detection and real-time teachable moments that continually ‘nudge’ employees into good security behaviors to tangibly reduce risk and augment security awareness at the point of risk.
In addition, Egress' partnership with SAT providers like KnowBe4 enables a powerful, bi-directional solution that reduces human risk by automatically adjusting email policies and enrolling users in specific training based on their individual risk levels. This integration combines KnowBe4's Personal Risk Score with Egress' Human Risk Management, providing actionable intelligence to expedite threat investigations, gauge training effectiveness, and demonstrate ROI.
Discover more about Egress integrations and how they can enhance your organization's security posture.