
Latest Research Confirms the Ineffectiveness of Security Awareness Training

Brad Slavin General Manager
Updated June 18, 2025

Quick Answer

Security awareness training plateaus at around 98% effectiveness after a year of continuous program delivery, and running 11+ courses over 4-6 months cuts phishing click-through by about 65%. In an organization with thousands of employees, even 2% click-through means dozens of malicious clicks per week, any one of which can compromise the network. Research also shows 1 in 4 workers know security guidelines but ignore them. Training is worth doing, but it cannot be the only defense. The reliable layer is real-time link-click protection that re-scans every URL on click against reputation databases, so a click on a malicious link is still blocked when training fails. Cloud-based phishing protection costs pennies per user per month and deploys in about 10 minutes.


Security awareness training companies love to point out how important employee training is in keeping organizations safe from ransomware and malware. And to be sure, training employees to spot phishing emails is better than not doing it. But the ubiquity of security awareness training advertising has led to two large problems.

First, some organizations can get the impression that security awareness training for their employees is a sufficient first line of defense against malicious emails. And on the limited budget most companies have, they may opt for awareness training over more effective (and cost-effective) forms of defense. The second problem with awareness training is that it’s just not good enough.

In most cases, when you reduce the risk of some adverse event by 65%, or 75%, or 98%, that’s a pretty good investment. But with a phishing attack, where a single wrong click can bring down an entire organization with thousands of employees, 98% effectiveness means there are potentially dozens of clicks on malicious links per week. The problem isn’t that the awareness training isn’t any good, it’s that human beings are, well, human.

Phishing Problem

This week, “Running 11 or more training courses over 4-6 months reduces phishing click-through by 65%.” Put another way, if you conduct a training class every other week for half a year, one in three employees will still click on malicious links. From a company defense standpoint, that’s not much better than no training at all.

Perhaps all that’s needed is MORE training. Not really. As previously detailed in the article The Misguided Solution to the Phishing Problem, “after one year of continuous employee training, the best possible result is 98% effectiveness. And that’s when employees care about security. What we also know from research is that ‘1 in 4 workers are aware of security guidelines – but ignore them.’”

Employee awareness training suffers from diminishing returns. All the training in the world won’t get to 100% effective. And unfortunately, when it comes to cyber defense, anything less leaves you really vulnerable.


What’s the answer? You should still do employee training, BUT use it to augment the much more effective cloud-based phishing protection software like that available from DuoCircle.

Phishing Protection from DuoCircle comes with real-time link-click protection. So, when those trained employees fail to recognize a phishing email and click on a malicious link, you’re still protected no matter when they click on it.

Is Phishing Protection cost-effective? How about pennies per employee per month? You’d have a hard time finding employee training that inexpensive.

It’s time to embrace the truth about awareness training. It’s good to have, but if you have to choose between training employees or protected employees, the answer is obvious: DuoCircle.com.

Brad Slavin
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
