There is a clear link between security awareness training and resilience against cyber threats. A focus on the human element remains the most effective safeguard.
Strong organizational security cultures mitigate human risk, according to KnowBe4’s Phishing by Industry Benchmarking report, which analyzed more than 54 million simulated phishing tests from more than 11.9 million users in 55,675 organizations across 19 industries.
Organizations committing to regular security awareness training and testing saw their Phish-prone Percentage (PPP) drop from an initial 34% to 19% within 90 days and to just 5% after a year of continuous training and testing.
The survey also found that, in testing across all industries, without security awareness training more than a third (34%) of employees are likely to click on malicious links or comply with fraudulent requests, up more than one percent from last year’s survey.
Erich Kron, a security awareness advocate at KnowBe4, said he is always shocked by the fact that cybercrime continues to grow. In conversations with thousands of customers over the course of his career, most told him that not only did their PPP drop with education, but their incidents related to actual social engineering attempts also dropped significantly.
“People have great success by focusing on reporting phishing and using that information as threat intelligence,” Kron said. “Educated staff tend not to report spam emails but they do report the much more malicious and dangerous phishing attacks, making it far easier to find the real dangers without the noise.”
According to the report, the healthcare, pharmaceutical, and hospitality industries are particularly vulnerable to phishing attacks.
Kron noted these industries tend to work on strict timelines, increasing pressure on employees to work quickly. That can lead to careless mistakes as workers sift through their email without paying much attention to potential red flags.
“In these industries, it’s important to concentrate on teaching employees to quickly identify potential phishing attacks and to provide a mechanism to report to a team that can research the reported messages more thoroughly,” Kron said. This allows the employee to get back to work without having to stop and spend time thoroughly examining the email.
Kron noted that there are free tools that can be integrated into email clients or browsers to help with this plan. At the very least, organizations should have an easy-to-remember mailbox to which employees can quickly forward suspect emails.
According to the report, one of the key things needed for success with phishing training is a consistent and ongoing education and testing program. “You can’t educate employees once a year and expect to see improvements 12 months later,” Kron said.
Best practices include short, timely training monthly or at least once per quarter and monthly phishing simulation exercises. “This practice helps keep email security at the front of employees’ minds,” Kron said. “Most people would rather see a short 5-minute training once per month, as opposed to a 60-minute training once per year.”
With AI’s rapid adoption as an emerging threat vector, organizations should consider additional cybersecurity measures to mitigate risks associated with AI technologies.
Kron said employees must understand the principles of data privacy when it comes to using AI.
“Every time they upload a document or set of information to be examined by AI, they are potentially placing that information at risk,” Kron said, noting many employees don’t consider this before providing it. With scammers everywhere these days, the skill set learned applies equally to personal protection and to the organization.
Beyond traditional training programs, Kron said the key to developing effective ways to address and reduce human error in cybersecurity is ensuring that educational materials are relevant to users. Helping people understand how what they learn ties into their own protection keeps them attentive and motivates them to retain the information more than doing it simply to protect the company. “Often people don’t think about the fact that what they learn from the training designed to protect the organization also protects them in their personal lives,” Kron said.