Security awareness with heart and mind - the ABC of security awareness

Phishing, phishing and more phishing: no security report or ransomware report is complete without a mention of the social engineering technique that is so popular with attackers. The target is always the human being. Many technical solutions, Zero Trust among them, therefore treat the human factor as the number one risk. However, as always, the truth is in the details. The real weak point is not the human factor, but the technology. Too many phishing e-mails still find their way into mailboxes, and too many anonymous calls and malicious links make it through the multi-layered security gateways. For this reason, measures should instead turn the tables and turn the supposed weak point into a company's greatest strength. The best and most sustainable way to do this is with security awareness training.


Human risk management

According to a study by ArmorBlox, 56 percent of targeted phishing attacks bypass conventional security filters. Secure email gateways and security tools are becoming increasingly ineffective due to generative AI. According to IDC, less than three percent of security spending is focused on the human element, even though over 68 percent of security breaches are human-related, according to the Verizon Data Breach Investigations Report 2024. The human element is therefore too often overlooked. Companies are tackling the threat landscape with the wrong approaches: instead of restricting people, they should empower them.

Awareness as the basis for secure behavior

Protection against phishing cannot and will not be achieved by technology alone. Employees must also be made aware of the dangers posed by social engineering. All departments, i.e. IT, HR, marketing, compliance and legal, must work together to achieve this. After all, the task at hand is to sustainably increase an organization's cyber security and resilience by empowering everyone involved. The aim is to convince the hearts and minds of employees of the necessity of the measures. How social engineering can be recognized and thwarted is then communicated through gamification approaches and information campaigns. In addition, companies offer their employees the opportunity to reinforce the behavior they have learned in regular phishing simulations. Cybersecurity should be established as an integral part of the corporate culture. At the end of the process, a security culture has been created.

Successful security awareness training covers the following six points:

  1. Content – The content differs both in the presentation and type of medium and in the topics. In addition, there are cultural differences in the transfer and acquisition of knowledge that need to be taken into account. However, the various contents should always be adapted to the different roles and functions within the company.
  2. Support and planning – Security awareness trainers need supporting materials to confirm the added value of a security awareness training (SAT) program to management and also to show auditors and regulators that it is targeting the right areas.
  3. Campaigns – A successful program should not be a one-off, but should be seen as a campaign. It must be designed for specific target groups and be relevant to the respective area of responsibility in order to generate commitment. The goal must be for employees to feel personally connected to the goals and the “why” of the program. The aim is to win the hearts and minds of employees for the common cause.
  4. Regular training – The success of all measures lies in the repetition and variety of the training content. What has been learned can then be deepened individually in follow-up sessions. Sustainable changes in behavior can only be achieved through the targeted development of skills. In order to break old habits, employees must first of all understand why a behavior is dangerous. They then develop a conscious competence that can later be developed into routine behavior.
  5. Metrics and reports – Security awareness trainers must be able to demonstrate the effectiveness of training. They can use reports to differentiate between successful and less successful measures.
  6. Surveys and evaluations – This feedback tool also works well to get another overview from the trainees of what can be improved in further content and activities.

Security culture must be lived and actively shaped

The values, norms and customs practiced by an organization are strong motivators for secure behavior. However, companies also cultivate a security culture without any specific training: practices in dealing with technology have developed over the years and become unwritten norms. If they are not actively shaped, those responsible for security have no overview of, and no control over, whether these behaviors are harmful or beneficial to cyber security. This can be changed with the right measures. A sustainable security culture is the best protection for companies.

Security awareness measures are measurable

According to the 2024 Phishing by Industry Benchmarking Report, a third of employees (34 percent) in the organizations surveyed are likely to click on a phishing email. 90 days after the initial measures have been implemented, this figure drops to 18.9 percent, and to 4.6 percent over the course of a year. This is measured using the Phish-Prone™ Percentage (PPP), which indicates the probability of a user clicking on a malicious link in a phishing email. The results for the DACH region show that 90 days after the implementation of monthly or more frequent security awareness training, the average PPP value fell to 20.3 percent. After twelve months of training and simulated phishing security tests, the average PPP value fell further to 5.5 percent. The added value of employee training can also be seen in the handling of ransomware: quick and appropriate responses can contain the effects and limit the financial damage.

Conclusion

Awareness, behavior and culture, i.e. security culture, are three terms that - when properly communicated and established - make the difference between a fatal click and an email that is correctly forwarded to the IT department. For an organization, this means nothing less than avoiding reputational damage, costs in the event of a security and data protection breach as well as stress and uncertainty for employees.

Many thanks to Dr. Martin J. Krämer, Security Awareness Advocate at KnowBe4, for this guest article in the Claranet blog.

Practical check and 1:1 advice

The rapid development of new technologies and the multitude of solution approaches do not always make it easy for decision-makers to find the right cyber security strategy and the best tools for their company. Are you interested in a free sparring session with our experts? Then use our contact form. We will be happy to advise you on general questions or the selection of suitable solutions. Would you like a little more? You can find an overview of Claranet's Managed Security Services here.