Originally published on the Mimecast Blog, August 15, 2018, by Bob Adams, Product Marketing Manager – Security

Your organization has been – and will be – attacked. The sophistication of these attacks has changed over time and will continue to evolve. Many organizations have increased their focus on prevention, but where should one start?

As security professionals, we want to prevent cyberattacks, but how do we avoid security fatigue? Attackers are, and always will be, more advanced than our users. Beyond prevention, we need detection and response, but is that enough? And when does it become too much?

It’s vital to implement not just security controls, but the right procedures to ensure you are effectively leveraging your users as part of your security posture, without desensitizing them to those processes.

Users need cyber awareness training, and it cannot be an annual, quarterly, or even monthly event; it needs to be a continuous activity.

However, it’s a fine line between training and checking a box. In fact, according to new Mimecast global research conducted by Vanson Bourne:

  • 11% of organizations continuously train employees on how to spot cyberattacks.
  • 24% admit to training only monthly.
  • 52% perform training only quarterly or once a year.
  • 90% of global organizations have seen the volume of phishing attacks increase or stay the same over the past 12 months.

In addition to prevention, it has become crucial for organizations to perform regular, effective training for their entire user base. Executives, finance staff, and others who handle sensitive data are obvious targets, but every user now shares the responsibility to be vigilant against the latest threats. So, how do you do it? How do you protect yourself and your organization?

Taking the Right Approach to Cyber Awareness Training

An organization may implement a control like two-factor authentication, yet some deployments create an almost Pavlovian response: sign into an application, the phone dings, tap to approve. Sign into another application, rinse and repeat. A user conditioned to approve every prompt will also approve one they did not initiate.

Creating reflexive habits weakens your security. Instead, leverage effective methods of cyber awareness training: send phishing emails to test your users and track the results, but make them convincing and engaging. Testing your users with simplistic or overly obvious phishing test emails will not be effective, nor will forcing them to watch or attend hours-long training.

The most effective way to train your users without damaging your security posture is to get the formula right. You can start with these three tips:

  1. Don’t bore your users with training that is either too difficult or overly obvious; find an appropriate middle ground that challenges them.
  2. Track your users’ results on both real phishing emails and training simulations, and act on those results.
  3. Be original.

Recently, a director of IT explained that they had been using security awareness training software for over a year and that it had reduced their user failure rate by over 30%. However, a user who had never fallen for one of the phishing simulations was the first in the organization to fall for a real phishing attack.

The results you achieve are only as effective as the cybersecurity tools being leveraged.

Learn more in Mimecast’s State of Security 2018 Report or contact Chi Corporation for more information.