A recent whitepaper from Osterman Research found that three quarters of IT decision-makers cite phishing as the greatest security threat to their organisation.
The study, entitled “The ROI of Security Awareness Training”, surveyed 230 companies, ranging from small businesses (50-999 employees) to large organisations (1000+ employees). It found that small and large organisations had roughly the same percentage citing phishing as the top threat (74% and 75% respectively).
A shift towards focusing on Security Awareness Training (SAT) has begun.
- Budget growth for SAT between 2018 and 2019 outpaced growth of the overall security budget by almost 2% (13.8% vs 12%).
- Employees now spend 5 extra minutes per month on SAT, an increase of 27.8% over 2018.
- Since 2018, security decision-makers have come to rate SAT as more effective than advanced security hardware at reducing an organisation’s risk from phishing attacks.
All of this is very positive; however, organisations are still spending their hard-earned budgets somewhat inefficiently.
54% of employees still receive SAT only between one and three times per year. This is a far cry from Phishing Tackle’s recommendation of one to two times per month for simulated phishing and SAT. In a previous article, we reported that of the employees receiving only the bare minimum of security training, only around 22% remember any of it.
Perhaps most concerning was that when employees were asked for their opinion of SAT, 23% expressed enthusiastic support, while 24% expressed indifference.
This highlights the need for a culture shift towards a security-first mindset, not just with more SAT, but with more explanation as to why the training is crucial to the employee’s cyber-security. The skills learned in effective SAT are filtered down into the personal lives of employees and passed onto family members and friends.
One very positive finding within the study was that the chance of a successful malware/ransomware attack was reduced by 90% with regular SAT.
The overall message is very clear: Security Awareness Training remains one of, if not the, most cost-effective ways to reduce an organisation’s risk from phishing and other email-borne attacks.
At Phishing Tackle we strive to be the world’s most cost-effective solution for reducing cyber risk, and we encourage all readers to see just how affordable we are.