Did you know that security awareness training (SAT) and simulated phishing campaigns can significantly reduce cybersecurity risk? The evidence shows that social engineering, which often involves email, text messages, the web, and phone calls, is the root cause of the majority of cyberattacks. Don’t take our word for it – we have the data and government recommendations to back up our claims. Let’s explore this topic in more detail and see how SAT and simulated phishing can make a difference in your organization’s cybersecurity posture.

Cybersecurity companies tell us that Phishing represents the largest successful attack vector, by far.

• Barracuda Networks reported that spear phishing accounted for 66% of all successful compromises.
• Seventy-nine percent of all successful credential thefts came through phishing.
• Avast recently stated that 90% of all cyberattacks involve social engineering.

Reports may differ over the exact percentage, but they all agree that social engineering is the number one threat. So it’s important to pursue an aggressive cybersecurity strategy to protect your network. This includes security policies, technical defense solutions and user organization. Failure to create a layered security strategy increases the likelihood that your organization will become one of the statistics cited above.

Security Training is Essential to Avoid Cyber Attacks

While spam filtering is an effective security strategy, it’s not perfect. The complex system of rules, beyesian analysis and cloud-based monitoring knock out a lot of the junk. Even AI is starting to make it’s way into network security solutions. But as threats are constantly evolving and spear-phishing can bypass “enforcement at scale” strategies, organizations need to embrace Security Awareness Training programs.

It is important to note that social engineering is the number one threat only after it has already gotten past every existing policy and technical defense. Some estimates state that as many as one in every seven malicious emails make it past content filters.

Until the–unlikely–event where we get proven technical defenses that work to prevent all social engineering, we will need continuous education to help users to spot and report social engineering attacks. Note this U.S. Government FedRAMP recommendation: “Users are the last line of defense and should be tested.”

The numbers tell the story

KnowBe4 analyzed over 10 years of records from over 60,000 customer organizations worldwide, comprising 32,604,108 separate individual users, who took a total of 493,871,295 Phishing Security Tests (PSTs) and participated in awareness training at least once a year. They claim it is the largest analysis, in terms of both customers and test numbers, of any study of this kind. They found these 5 main points:

1. Groups that did frequent PSTs performed better in detecting simulated phishing campaigns than groups that did not.
2. The more frequently that groups did PSTs, the better the users performed on simulated phishing tests. The more PSTs, the better.
3. Groups that did weekly PSTs were 2.74 times more effective in reducing risk than groups that only did less than quarterly PSTs.
4. The longer a group trained, the better they did on simulated phishing tests.
5. Groups that did both training and simulated phishing tests did the best.

2024 Phishing by Industry Benchmarking Report

We continue to see the proven success of security awareness training and simulated phishing in 2024. KnowBe4’s most recent Phishing by Industry Benchmarking Study, involving over 54.1M simulated phishing tests, 55,700 separate organizations, with over 11.9M users revealed the following three key facts:

1. Around a third of users (34.3%) are susceptible to simulated phishing tests when first joining KnowBe4’s platform.
2. Ninety (90) days later, the “Phish-prone Percentage ^TM” is down to 18.9%.
3. A year later or more, the Phish-prone Percentage is down to 4.6%.

Creating Your Security Awareness Training Policy

Conducting cybersecurity training only once a year to fulfill compliance requirements is ineffective. We suggest a longer training session when new employees join the company (approximately 15-30 minutes) and a similar session annually thereafter. Additionally, SAT training should be conducted at least monthly, but with shorter durations (three to five minutes). Simulated phishing campaigns should be conducted at least once a month. Employees who fail a simulated phishing test should receive additional training.

Note: A recent The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Advisory recommends “continuous training”.

Get Help Creating a Security Awareness Training Program

Inacom provides KnowBe4 as our Security Awareness Training provider of choice. KnowBe4 has long been acknowledged as the industry leader in this space. Their system can be configured to simulate attacks over time and personalize training for individuals that need extra help indentifying phishing attacks. And their reporting systems provide a baseline assessment of the organization’s security performance, as well as proof of improvement. With many organizations seeking insurance coverage for cyber-related threats, we’ve found this program to provide underwriters with the confidence to issue favorable ratings for our clients.

For more information on deploying KnowBe4 within your organization and a free trial, give us a call at 410.543.8200 today.