Security Awareness Training Doesn’t Work – Here’s How to Fix it.
If done efficiently, security awareness training helps fend off phishing attacks like a shield. Unfortunately, right now it focuses too much on awareness and too little on practice.
We’ve heard the warnings: “don’t use the same password for different services, don’t ignore software updates.” We know the cybersecurity dos and don’ts, yet we still fall victim to phishing attacks. Companies’ security awareness training is often half-hearted and inefficient – but it doesn’t have to be.
There are two main reasons why today’s security awareness training lacks efficiency. First, there aren’t enough practical exercises. The training often consists of voluntary e-learning materials, such as videos, PowerPoint presentations, and interactive exercises. We want to emphasize the importance of tailored simulations that mimic real phishing attacks as closely as possible. Usually, employees receive four simulated attacks per year, but HoxHunt takes a far more frequent approach.
We send up to 40 messages per user, and each attack is personalized based on information about their previous experiences and behavior.
Second, security awareness training currently focuses too much on increasing awareness. Awareness in itself isn’t enough: it has to lead to correct action. In the domain of social engineering many attacks reach their goals no matter how aware their targets are.
Hackers behind phishing attacks aim to tap into people’s emotions. If you generate enough fear or threat, a person will easily do something irrational, like open a shady attachment, even though they know perfectly well they shouldn’t.
Tailored Simulations Help Tackle Real Threats
Once a hacker has gained access to, for example, someone’s inbox, it usually takes approximately 140 days until anyone notices. HoxHunt aims to decrease this number by empowering employees to react to hacking attempts.
In order to succeed at this, we concentrate on four main aspects of security awareness training: attention, emotions, participation, and repetition. How do you get people to actually pay attention to the learning materials? How do you engage people as effectively as possible with practical simulations?
Our training works because it actually simulates a real phishing attack. It generates a real feeling.
Traditionally, only 3-5% of people report real cyber attacks, and the rate of falling victim to an attack is as high as 40%. With continuous engagement we have raised the reporting rate to 60-75%, as employees are motivated to report real attacks, while bringing the failure rate down to a sustained 2%.
You can’t prevent phishing attacks. That’s a given. With good training, though, you can identify and report them to the proper authorities. In HoxHunt’s case, data from employees’ earlier reports of real phishing attempts is put to good use. If less savvy employees can’t identify an attack, phishing emails can be deleted from their inboxes, automatically or manually, based on earlier reports by others.
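The report-driven clean-up described above, in which a few employees’ reports are used to pull copies of the same phishing campaign out of everyone else’s inbox, can be sketched in a few dozen lines. The following is an added illustration written for this page, not HoxHunt’s own code: the campaign fingerprint (sender address plus the hostnames linked in the body), the report threshold of two distinct reporters, and all mailboxes, addresses and hostnames are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample data: every address and hostname below is a placeholder,
# not a real indicator of compromise.


@dataclass(frozen=True)
class Email:
    mailbox: str   # owner of the inbox this copy sits in
    sender: str
    subject: str
    body: str


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_hosts(body: str) -> frozenset:
    """Hostnames of all links in the body, lower-cased (a stable campaign trait)."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return frozenset(hosts)


def campaign_key(msg: Email) -> tuple:
    """Key that copies of one phishing campaign share across inboxes.

    Assumed fingerprint: sender address plus link hosts. The subject is left out
    on purpose, because campaigns often vary it per recipient.
    """
    return (msg.sender.lower(), link_hosts(msg.body))


class ReportDrivenQuarantine:
    """Crowd-sourced remediation: once `threshold` distinct users have reported
    copies of the same campaign, matching copies are pulled from every inbox.
    A threshold above one guards against a single mistaken report."""

    def __init__(self, threshold: int = 2):
        self.threshold = threshold
        self._reporters = {}  # campaign_key -> set of mailboxes that reported it

    def report(self, msg: Email) -> int:
        """Record a user report; returns how many distinct users have reported it."""
        reporters = self._reporters.setdefault(campaign_key(msg), set())
        reporters.add(msg.mailbox)
        return len(reporters)

    def is_known_campaign(self, msg: Email) -> bool:
        return len(self._reporters.get(campaign_key(msg), ())) >= self.threshold

    def sweep(self, mailboxes: dict) -> list:
        """Remove known-campaign copies from every inbox; returns the removed copies."""
        removed = []
        for owner, msgs in mailboxes.items():
            kept = []
            for m in msgs:
                (removed if self.is_known_campaign(m) else kept).append(m)
            mailboxes[owner] = kept
        return removed


def demo():
    """Four users receive the same lure with different subjects; two report it."""
    phish_body = ("Your password expires today. "
                  "Reset at http://portal.example-login.test/reset")

    def phish(owner, subject):
        return Email(owner, "IT-Helpdesk@example-login.test", subject, phish_body)

    legit = Email("carol", "hr@corp.example", "Benefits enrollment",
                  "See https://intranet.corp.example/benefits")
    mailboxes = {
        "alice": [phish("alice", "Action required")],
        "bob":   [phish("bob", "Password expiry")],
        "carol": [legit, phish("carol", "Urgent: account locked")],
        "dave":  [phish("dave", "Action required")],
    }
    q = ReportDrivenQuarantine(threshold=2)
    q.report(mailboxes["alice"][0])
    removed_after_one = q.sweep(mailboxes)   # one report is not enough
    q.report(mailboxes["bob"][0])
    removed_after_two = q.sweep(mailboxes)   # now every copy is removed
    return (len(removed_after_one), len(removed_after_two),
            [m.subject for m in mailboxes["carol"]])


if __name__ == "__main__":
    print(demo())  # (0, 4, ['Benefits enrollment'])
```

Carol never recognised the lure, yet her copy is removed once Alice and Bob have reported theirs, while her legitimate HR mail is untouched; the sender-plus-link-hosts key is what lets the match survive the per-recipient subject changes.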
Security awareness training shouldn’t be approached from the point of view of fear, threat or worst-case scenarios. Instead, employees should be encouraged to understand and discuss security issues in the context of their work.
Efficient training is an opportunity to build a sustainable culture of information security within a company.