While IT security is an essential part of a security plan, one of the most vulnerable areas in any organization isn't technical - it's the employees, also known as HumanOS. Many cybercriminals are focused on attacking individuals through malware, phishing, and other scams, putting employees on the front line in the fight against cyber threats.
Let’s start with a definition
Gartner defines security awareness with the following definition:
“The term security awareness is commonly used to refer to a broad range of education, communication, and behavior management activities and learning outcomes.
These outcomes include:
- Complying with regulations that mandate security training;
- Establishing clear behavioral guidelines to support disciplinary processes, which are typically described in acceptable-use and/or security policies;
- Improving employee knowledge of security and risk topics;
- Motivating desired security behaviors in the appropriate context.
In the end, security is everyone’s responsibility. All it takes is one convincing – yet fraudulent – email or phone call to trick an untrained, security unaware employee into opening the door to cyber criminals.
Why is security awareness so key?
Security awareness programs educate employees on security best practices; they change employee behavior to make it safer; they create a safety-conscious culture; and they reduce the number of human-caused security incidents. So your employees take the security of your business to heart.
Phishing threats are literally everywhere. And if your employees can't identify them, your data is at risk. In this context, planning a phishing simulation helps to identify how well employees are able to detect the latest threats on their own.
Because many organizations do not provide adequate cybersecurity awareness training, research shows that over 25% of North American workers fall victim to phishing emails.
What is a phishing simulation? And how does it work?
Simply put, a phishing simulation is a test where you send an email to a group of users to trick them into clicking on a fake link or attachment. If an employee clicks on the link, attachment, or enters their data into a form on a fake website, they are considered at risk since they could have infected your network had the attack been real.
That's why when you decide to run a phishing simulation, target a group of users and only notify a handful of people (not part of the group being assessed) within your organization.
Your first test should be used to benchmark your users' cybersecurity awareness against other organizations. Most organizations that run phishing simulations get the following results:
- Between 20 and 30% of users click on the links
- Between 10 and 20% of users open attachments
- Less than 5% of users share their information in forms
Conclusion
Awareness of cybersecurity within your company is therefore an essential tool in order to transform your employees from weak links into real adversaries against cyberattacks. In addition to awareness and training, it is important to test your employees through infiltration simulations attempts also known as phishing simulations.
If you have the mission to train your employees in cybersecurity, Present can assist you. We partner with Terranova Security, a Gartner magic quadrant leader, to offer a high-quality customisable training program. Contact one of our cybersecurity experts to learn more!