In the modern cyber-threat landscape, security awareness is one of the most critical elements of an organization’s information security defenses. Research shows that the majority of successful cyber-attacks on businesses occur as a result of poor security behaviors rather than highly sophisticated or technical attack methods, chiefly involving employees falling victim to phishing emails or failing to practice secure password/device management.
This has resulted in a new focus on enterprise cybersecurity training, with organizations increasingly looking to use training to raise awareness of security threats among employees in the hope that it will lead to better and more secure actions within the workplace.
However, getting cybersecurity training right can be a challenge, and failure to implement effective training that resonates with staff can leave organizations vulnerable and out-of-pocket.
Shlomi Gian is CEO of CybeReady, provider of a training platform designed to use automation to change employee security behaviors for the better. Infosecurity Magazine spoke with Gian to find out more about CybeReady’s unique offering and to reflect on the wider cybersecurity training landscape.
Can you tell me about the CybeReady training platform?
CybeReady provides an autonomous security training platform that guarantees a change in employee behavior. Following four years of successful, self-funded operations in Europe, we entered the North American market back in June. Unlike competitive offerings which are manually operated and are hunch-based decisions, we use data science to create an autonomous, fully-managed personal training program for every employee. The platform deploys Just-in-Time (JIT) learning functionality that trains employees in their inbox on signals they failed to notice. Our human learning automation allows the entire workforce to train year-round, continuously advancing and adapting employees’ skills to match real-world phishing attacks.
Why do organizations need to provide employees with effective security awareness training?
Organizations worldwide are realizing the need to invest in employee training and deploy different security awareness training solutions with the hope of mitigating the risk of data breaches. The problem is that many organizations settle for dated phishing simulation solutions that train employees randomly and require manual effort to operate. The outcome is disappointing – employee behavior doesn’t change and information security teams remain powerless and frustrated in the face of successful phishing attacks.
Effective training should not become an IT and financial burden – it should be done autonomously, via data-science-driven methodology that offers each employee a customized, continuous training every single month and significantly changes employee behavior, hence mitigates organizational risk of cyber-attacks.
When budgeting for the security department, employee cost usually represents the lion's share, and as such, empowering the team to be more effective and efficient should be the top priority. One of the areas where IT teams end up spending time without great continued success is employee security awareness training. This never-ending task could be done better by sophisticated learning algorithms, and is one area that is certainly worth exploring by organizations of all sizes moving forward.
What are a few of the most common online scams that employees fall for?
The biggest threat to organizations comes from phishing emails, which studies show account for more than 90% of all data breaches. Therefore, employee security awareness training is definitely key to winning that battle. Unfortunately, companies are investing more than ever today in awareness training programs; however, with legacy solutions expecting the customer to manage the program, the results are mediocre and employee behavior towards phishing attacks doesn’t change.
When it comes to phishing emails, the most common attacks people fall for are often the simplest ones. A two-sentence email from a ‘credible source’ prompting an employee to update their password is typical.
How competitive is the security awareness training market?
Over the past three years, as a result of ever-increasing phishing attacks, demand for security awareness training has increased exponentially. Companies are buying more training material and employees are spending more time reading and watching videos. For example, based on a recent Osterman Research study, the 2019 dollar investment is up by 10-26% and the amount of time spent reading/watching is up by 25%. A majority of the companies who made such an investment cannot measure, and do not feel a real change in employee behavior, since there is a lot of operational and manual work involved in managing the program.
The common desire is for organizations of all sizes to have a solution that eliminates the manual labor and trains employees at a higher frequency and quality than they are able to accomplish today.
What do you feel is the most effective lesson taught in security awareness training?
Learning by doing is the most effective principle in adult learning. As adults, we change behavior when we make a mistake and that’s the best way to grab our attention. When done right, using short, memorable teaching sessions, results are guaranteed.