Two thirds of organizations in the UK do not provide their employees with regular security awareness training for email, according to new research from Tessian.
The security company surveyed 1,000 UK workers at organizations with 100 or more employees and found not only that email security training needs to be delivered more regularly, but also that it needs to be more effective if it is to resonate with employees.
More than a quarter of respondents said that they were given email security training when they first joined their organization, but have not received any since. Furthermore, 22% stated that they had never received email security training at their company at all.
Of the respondents that were given email security training, less than a quarter said they remember and act upon it.
Perhaps most interestingly, Tessian’s research found that employees in industries that do provide email security training were actually the most likely to click on phishing emails. An example cited by Tessian is the financial services industry: despite 45% of employees in that industry receiving regular training, one in three admitted to clicking on a phishing email at work. Again, this highlights that a lack of email security training is not the only issue; the training that is being given is also not effective enough.
Tim Sadler, CEO at Tessian, argued that there needs to be a shift in the way employees are trained about threats on email. “Tick-box training exercises are not enough to stop people falling for the types of advanced spear phishing attacks we see today,” he said. “To be most effective, training needs to be in-situ and provide context. It also needs to be supported by technology that can automatically detect suspicious emails and alert individuals of a potential threat. To solely rely on training means businesses are putting complete trust in their people to do the right thing 100% of the time, and this is an unrealistic ask.”
Dr Helen Jones, cyber psychologist at University of Central Lancashire, added: “We’ve seen, in our own research, that even when people are explicitly told to be wary of malicious email messages, they remain vulnerable to making risky cyber-decisions. The problem is that phishing attacks are constantly shifting. So while email security training may provide an immediate short-term improvement in people’s ability to spot a malicious email, individuals are less able to adapt this knowledge in line with ever-changing and developing threats.”