The Frightening Math of Security Awareness Training
Quick Answer
Security awareness training has a ceiling. KnowBe4 data shows continuous training across an entire year drops the phish-prone rate to about 2 percent at best. The average employee receives roughly five phishing emails per week, so a 10-person team with that 2 percent click rate gets roughly one successful phish per week. One successful phish is all it takes to deliver malware or steal credentials. Other research shows 1 in 4 employees know the security guidelines but ignore them, which makes the real ceiling higher than 2 percent in most environments. Training is worth running as the first line of defense, but cannot be the last. The last line is technology that catches the email before the user has a chance to click: anti-phishing email security with link rewriting and real-time scan-on-click.
It’s everywhere you turn. Advertisements for security awareness training. The last line of defense. The human firewall.
There’s nothing wrong with training your employees to recognize security exploits. We recommend it. But it should be one part of a holistic defense-in-depth approach to security. Why is that? Because the math of having employee awareness training be your only line of defense is frightening. How frightening?
Let’s assume your employees receive the best possible awareness training. Not only that, but they receive the training continuously for an entire year. Under these ideal conditions, the phish-prone percentage will get as low as 2%. That means links in 2% of the malicious emails will still get clicked by your super-aware employees. Furthermore, recent research indicates that the average employee receives almost five phishing emails per week. Ready for some math?
With thoroughly trained employees receiving an average number of phishing emails, a company with just 10 employees will have its network successfully penetrated once per week. Just for reference, how many network penetrations does it take to deliver malware and compromise an entire organization? One!
The numbers are actually worse than that. Other research has shown that “1 in 4 Workers Are Aware Of Security Guidelines – but Ignore Them.” That means to get phished once per week you only really need about eight highly trained employees.
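The arithmetic above, as an added worked model rather than anything from DuoCircle: it reproduces the 10-employee, one-per-week figure from the 2% phish-prone rate and five emails per week, and goes one step further to show the probability that at least one link gets clicked in a given week or month (an expected value of one per week does not mean exactly one every week). The share of staff who ignore guidelines is taken from the post; the click rate for that group is an assumed parameter, since the post does not quote one.

```python
"""Expected-value model behind the '10 employees, one successful phish a week' claim.

Constructed example. Inputs quoted in the post: 2% phish-prone rate, about five
phishing emails per employee per week, 1 in 4 staff ignoring guidelines. The
click rate for staff who ignore guidelines is NOT in the post; the caller
supplies it as an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    employees: int
    emails_per_employee_week: float  # phishing emails reaching each inbox per week
    click_rate: float                # fraction of malicious links that get clicked

    def attempts_per_week(self) -> float:
        return self.employees * self.emails_per_employee_week

    def expected_successful_phish_per_week(self) -> float:
        # Linearity of expectation: each email succeeds with probability click_rate.
        return self.attempts_per_week() * self.click_rate

    def prob_at_least_one_per_week(self) -> float:
        # Each email treated as an independent trial: P(no click at all) = (1-p)^n.
        n = round(self.attempts_per_week())
        return 1.0 - (1.0 - self.click_rate) ** n

    def prob_at_least_one_within(self, weeks: int) -> float:
        # Chance the defender sees at least one successful phish over several weeks.
        return 1.0 - (1.0 - self.prob_at_least_one_per_week()) ** weeks


def headcount_for_one_success_per_week(emails_per_employee_week: float, click_rate: float) -> float:
    """Headcount at which the expected number of successful phishes reaches one per week."""
    return 1.0 / (emails_per_employee_week * click_rate)


def blended_click_rate(trained_rate: float, ignore_fraction: float, ignore_rate: float) -> float:
    """Population click rate when a share of staff ignore the guidelines.

    ignore_rate is an assumption chosen by the caller, not a figure from the post.
    """
    return (1.0 - ignore_fraction) * trained_rate + ignore_fraction * ignore_rate


if __name__ == "__main__":
    best_case = Scenario(employees=10, emails_per_employee_week=5, click_rate=0.02)
    print(f"expected successful phish/week: {best_case.expected_successful_phish_per_week():.2f}")
    print(f"P(at least one this week):      {best_case.prob_at_least_one_per_week():.3f}")
    print(f"P(at least one in 4 weeks):     {best_case.prob_at_least_one_within(4):.3f}")
    print(f"headcount for one/week at 2%:   {headcount_for_one_success_per_week(5, 0.02):.0f}")
```

With the post's figures the weekly expectation is exactly 1.0, but the chance of at least one click in any single week is about 64%, and about 98% over four weeks, which is the number a defender should plan around.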
You want to train your employees? Go ahead. But make it the first line of defense, not the last. For the last line of defense, get something that protects your company from the 2% of links that get clicked. Get Phishing Protection from DuoCircle.
Phishing Protection from DuoCircle is a cloud-based email security solution with real-time link click protection. DuoCircle doesn’t prevent human error; it protects your company when it inevitably happens.
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
