Cyber Resilience Begins With Raising Security Awareness - Tecbound Technology

In chess, two rows of pieces are placed on either side of the board. Each side's front row consists of eight pawns, the first line of defense against the enemy. The pieces behind them can move about effectively, depending on how you direct them. But what if you can’t always dictate how your pieces move? What if the enemy could influence how your pawns behave? Sounds like an easy win for your opponent, right? That is what happens with email-based phishing and social engineering scams, such as business email compromise (BEC) attacks. There’s only one way to solve this problem: security awareness training.

  • Employees are ripe for exploitation by bad actors

In this current digital-first business landscape, the biggest threat to an organization comes from within. While malicious insiders are a real threat, unintentional actors — pawns or goofs — cause over 65% of reported insider incidents by interacting with a phishing message. This blog delves into the undeniable need for comprehensive security awareness training and its role in empowering a company’s management and employees to improve their resilience against today’s ever-evolving cyber threat landscape.

The top three phishing simulation emails that successfully drew clicks:

  1. Office 365: “Suspicious Login” with 10,879 clicks.
  2. FedEx: “Package Delivery” with 6,535 clicks.
  3. Google Docs: “Invitation to Edit” with 4,492 clicks.

Top three phishing simulation campaigns that captured credentials and data:

  1. FedEx: “Package Delivery” with 2,056 captures.
  2. Office 365: “Suspicious Login” with 1,736 captures.
  3. COVID-19: “SharePoint Webinar” with 1,440 captures.

  • Clueless employees create security incidents

Cybercriminals have become more adept at creating sophisticated, convincing emails and scams that can hardly be distinguished from authentic emails or SMS texts from a trusted source. Over the last five years, companies across the globe have lost over $43 billion due to BEC attacks.

If that statistic isn’t scary enough, Microsoft discovered that for every 1,000 mailboxes, bad actors averaged 104 BEC attacks weekly. That’s about 40 attacks every business day. These numbers are based on mid-market enterprises (MME) with over 1,500 employees. It’s safe to say that the larger the organization, the greater the number of attempted attacks.

That still isn’t the biggest problem, though. The main challenge to an organization’s IT security team revolves around employees not reporting security incidents—a growing trend. Employees aren’t equipped to handle such email-based cyber threats properly, which increases the chances of a data breach. Training fixes that problem.

  • Five Scary Employee Behavior Trends

Here are five employee behavioral trends currently rampant across all industries — particularly in the transportation, automotive, and healthcare sectors — that can lead to a cyberattack:

  1. Employees report about 2% of all known attacks to their security team.
  2. Employees often report graymail (not to be confused with spam) as phishing, wasting security professionals’ time.
  3. Employees assume that a peer may have reported suspicious emails as phishing instead of doing their part to minimize risk.
  4. Employees don’t realize they might be the only target of an attack and leave it to someone else to raise an alarm.
  5. Employees reuse passwords on corporate devices and networks as they would on personal devices that aren’t as thoroughly secured. This creates an entry vector for bad actors.

Most of these issues don’t require new security software implementation or a massive overhaul of corporate security policies. A simple but effective security awareness training program will educate employees on cybersecurity best practices and get them battle-ready to handle even the most innovative infiltration tactics a cybercriminal may utilize.

Security awareness training, while offering an incredible layer of protection against bad actors, comes with its challenges. Carrying out enterprise-wide training on cybersecurity — a facet of technology that evolves in the blink of an eye — places a lot of strain on the professionals tasked to do the job.

Keeping content current with the latest trends, motivating and engaging employees to complete the training, and improving knowledge retention are the biggest challenges companies face when implementing security awareness training.

Source: ID Agent
