The Importance of Security Awareness Training

By: Charles Brandt
October 22, 2024

Let’s face it: human beings aren’t naturally very good at adopting secure habits. Roughly 34% of home break-ins involve an unlocked front door.

A stolen laptop and flatscreen TV don’t come anywhere close to the average cost of a data breach in the US, which now stands at $9.36 million. You’d think businesses would do more to prevent one, and they can: a whopping 82% of data breaches have been linked to human-related security weaknesses. Yet almost 40% of survey respondents said their employers weren’t providing effective, up-to-date security awareness training, and 26% of organizations provide no security training at all.

In this post, we’ll look at the common threats that training can blunt and at how to put an effective program in place without much effort.

What Top Vulnerabilities Can Be Minimized With Employee Training? 


Data breaches aren’t the only concern. Looking at cyberattacks in general, an even larger share, around 90%, has been traced back to some form of human error or behavior.

Phishing Attacks

Without effective training, 61% of Americans are highly susceptible to phishing. Everyone has a careless moment now and then, but one big reason the number is so high is that most of us assume we’re too smart to fall for a scam.

Social Engineering

Phishing and other scams no longer reliably carry the tell-tale signs that once made them easy to spot, such as obvious spelling and grammar mistakes or amateurish graphics. Scammers have also gotten better at social engineering: creating urgency, invoking authority, and pressuring employees to act quickly without thinking it through.

Sadly, it works far too often. Employees will wire funds to an unknown account or pay a fraudulent invoice simply because they believe their boss asked them to. Any request to move money or change payment details should be confirmed through a second channel, such as a phone call to a number you already have on file, never to a number supplied in the email itself.

Malware and Ransomware

Ransomware and other forms of malware often start with a simple phishing email, but not always. Unpatched security flaws in operating systems or applications can let an attacker in. Even a networked printer that is unpatched, or that still has its default admin password, can become a pivot point into the wider network.

Regular backups that attackers cannot tamper with (immutable or offline copies, verified by actually restoring from them) are a good first step toward business continuity should ransomware strike. But backups don’t stop extortion: threat actors increasingly steal data before encrypting it and threaten to publish it if you don’t pay. So even with good backups, securing the environment itself still matters.

Weak Passwords and Password Reuse

Two-thirds of Americans reuse passwords, and 13% use the same one for every online account. Combine that with the earlier figure, more than six out of ten employees vulnerable to phishing, and the consequence is clear: when someone hands one password to a scammer, the scammer now has access to every account that shares it.

To make matters worse, well over half of Americans still use passwords that are easy to guess.

Let’s put you to the test: Can you guess the most commonly used password? 

If you guessed 123456, you’re right! Other perennial favorites include qwerty, 111111, and password. It takes no cybercriminal mastermind to break these; automated tools try them first, along with trivial variants like Password1! or qwerty2024. They’re the equivalent of “hiding” your house key under the doormat. Without MFA, an account protected by a password like this is effectively unprotected. A password manager that generates a unique, random password for every account solves both the weak-password and the reuse problem at once.
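One concrete way to keep passwords like these out of your systems is to screen every new password against a blocklist of known-common passwords and their trivial variants, which is the check NIST SP 800-63B recommends in place of complexity rules. The example below is added here and is not code from the original post or from KnowBe4; the ten-entry COMMON_PASSWORDS set and the leetspeak map are constructed for illustration, and a real deployment would load a breach-derived list with millions of entries.

```python
"""Added example (not from the original post): reject a candidate password if it
is a commonly used password or a trivial dressed-up variant of one.
COMMON_PASSWORDS is a constructed ten-entry sample; load a real breach-derived
list in production."""
import re
import unicodedata

# Constructed sample of the most common leaked passwords (real lists run to millions).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111", "12345678",
    "abc123", "letmein", "welcome", "admin", "iloveyou",
}
# Substitutions people use to dress up a known-bad password ("P@ssw0rd").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12   # assumed policy minimum


def normalize(pw):
    """Collapse trivial variants so 'P@ssw0rd2024!!' becomes 'password'."""
    pw = unicodedata.normalize("NFKC", pw).lower()
    pw = re.sub(r"[^a-z0-9]+$", "", pw)   # drop trailing punctuation ("!!")
    pw = re.sub(r"\d{1,4}$", "", pw)      # drop a short trailing number such as a year
    return pw.translate(LEET_MAP)         # undo leetspeak substitutions


def check_password(pw, context_words=()):
    """Return the reasons a candidate password is rejected (empty list = accepted).
    context_words are the username, company name, etc. that must not appear."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    # Check both the raw password and its normalized form against the blocklist.
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password or a trivial variant of one")
    if len(set(pw)) < 4:
        reasons.append("uses too few distinct characters")
    for word in context_words:
        if word.lower() in norm or word.lower() in pw.lower():
            reasons.append(f"contains '{word}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2024!!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The normalization step is what separates this from a naive lookup: a user who turns "password" into "P@ssw0rd2024!!" satisfies every classic complexity rule, yet the stripped and de-leeted form still hits the blocklist, which is exactly the kind of variant attackers’ wordlists already contain.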

Credential Stuffing

Even if your employees never have a careless moment, the companies they hold accounts with sometimes are extraordinarily careless with their own security. Credential stuffing is an automated attack in which criminals take username and password pairs harvested from another organization’s data breach and replay them, at scale, against your login pages. It works only because people reuse passwords, and that is what distinguishes it from brute force: the attacker tries one already-known password per account across thousands of accounts, rather than thousands of passwords against a single account. MFA, rate limiting per source, and screening new passwords against known-breached lists all blunt it.
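Because stuffing spreads its attempts thinly across many accounts, a per-account lockout rule never fires. The detection below, added here as an example and not part of the original post, looks instead for one source address failing against many distinct usernames inside a short window, and reports any account that logged in successfully during that run as likely compromised. The log format, the thresholds, and the log lines themselves are constructed assumptions; adapt the parser to whatever your identity provider emits.

```python
"""Added example (not from the original post): flag credential-stuffing runs in
authentication logs. Brute force hammers one account with many passwords;
stuffing tries one leaked password per account across many accounts, so the
signal is one source hitting many distinct usernames with few tries each.
Log format, thresholds and sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a human typo (198.51.100.7), a brute-force run against
# one account (192.0.2.9), and a stuffing run (203.0.113.45) in which one
# reused password works.
SAMPLE_LOG = """\
2024-10-22T09:14:01Z ip=198.51.100.7 user=bob@example.com result=FAIL
2024-10-22T09:14:09Z ip=198.51.100.7 user=bob@example.com result=OK
2024-10-22T09:15:00Z ip=192.0.2.9 user=admin@example.com result=FAIL
2024-10-22T09:15:01Z ip=192.0.2.9 user=admin@example.com result=FAIL
2024-10-22T09:15:02Z ip=192.0.2.9 user=admin@example.com result=FAIL
2024-10-22T09:15:03Z ip=192.0.2.9 user=admin@example.com result=FAIL
2024-10-22T09:15:04Z ip=192.0.2.9 user=admin@example.com result=FAIL
2024-10-22T09:15:05Z ip=192.0.2.9 user=admin@example.com result=FAIL
2024-10-22T09:20:00Z ip=203.0.113.45 user=alice@example.com result=FAIL
2024-10-22T09:20:01Z ip=203.0.113.45 user=carol@example.com result=FAIL
2024-10-22T09:20:01Z ip=203.0.113.45 user=dave@example.com result=FAIL
2024-10-22T09:20:02Z ip=203.0.113.45 user=erin@example.com result=FAIL
2024-10-22T09:20:03Z ip=203.0.113.45 user=frank@example.com result=OK
2024-10-22T09:20:03Z ip=203.0.113.45 user=grace@example.com result=FAIL
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_DISTINCT_USERS = 5           # distinct usernames from one IP inside the window
MAX_ATTEMPTS_PER_USER = 2        # stuffing looks like one or two tries per account


def parse_line(line):
    """'<iso-ts> ip=.. user=.. result=..' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), **kv}


def detect_stuffing(log_text):
    """Return one finding per source IP whose activity matches the stuffing
    pattern: many distinct users, few attempts each, within WINDOW. Each
    finding lists the usernames probed and those that logged in OK (treat
    those accounts as compromised and reset them)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(events)):
            # slide 'start' forward until events[start:end+1] all fit in WINDOW
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            attempts = defaultdict(int)
            for ev in window:
                attempts[ev["user"]] += 1
            if (len(attempts) >= MIN_DISTINCT_USERS
                    and max(attempts.values()) <= MAX_ATTEMPTS_PER_USER):
                best = window   # keep the widest qualifying window for this IP
        if best:
            findings.append({
                "ip": ip,
                "users_probed": sorted({ev["user"] for ev in best}),
                "compromised": sorted({ev["user"] for ev in best if ev["result"] == "OK"}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(SAMPLE_LOG):
        print(finding)
```

Note that the brute-force source (six failures on one account) is deliberately not reported here; a lockout or per-account rate limit handles that case, and the two patterns warrant different responses. A stuffing finding should trigger a password reset and session revocation for every account in the compromised list, plus a block on the source.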

How To Protect Your Company From Cyber Attacks


Multi-factor authentication blocks the overwhelming majority of automated account-compromise attacks; the widely cited figure, which originates with Microsoft’s own telemetry, is 99.9%. Yet in 2024 only 45% of organizations are using it. Not all MFA is equal, either: codes sent by text message and push-notification approvals can be phished or worn down by repeated prompts, whereas phishing-resistant methods such as FIDO2 security keys and passkeys cannot be relayed through a fake login page. MFA isn’t the only cyber hygiene “basic” outlined by organizations like the Center for Internet Security (CIS); there’s quite a bit more that organizations of all sizes should be doing. But there’s a reason this measure shows up on cyber insurance and vendor due diligence questionnaires: if you’re not using MFA, you’re not secure, period.

Another big red flag to insurers and business partners is the lack of an effective security awareness training program.

Preventing Phishing and Other Attacks in the Workplace From Doing More Damage

Email security tools and firewalls are important, but they can only do so much. Scammers will keep sending malicious emails, and some will slip through and land in an end user’s inbox. One of the most important things employees should understand is that they have a role to play at exactly that point: a malicious link does nothing if no one clicks it, and a reported email lets your security team pull the same message from every other inbox before someone else does.
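The signs that survive a polished, typo-free lure live in the message headers and links rather than in the prose, and they are the same signs a good awareness program teaches people to look for: a sender domain that is one character off from yours, a Reply-To pointing somewhere else, link text that shows one site while the underlying address goes to another, and pressure language. The code below is an added example, not part of the original post or of any vendor product; ORG_DOMAIN, the URGENCY_WORDS list, and the two sample messages are assumptions constructed for illustration.

```python
"""Added example (not from the original post): a few header and link checks
that expose modern phishing even when spelling and graphics are flawless.
ORG_DOMAIN, URGENCY_WORDS and both sample messages are constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"   # assumed: the domain whose staff the attacker impersonates
URGENCY_WORDS = ("urgent", "immediately", "wire", "invoice", "gift card")

# Constructed sample: CEO-style wire request from a lookalike domain.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: accounts@mail-relay.invalid
To: bob@example.com
Subject: Urgent: wire transfer before noon
Content-Type: text/html

<p>Bob, I need you to wire the vendor payment immediately. Details here:
<a href="http://198.51.100.23/pay">https://portal.example.com/invoices</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Any preference for where we go?
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; catches lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if unparsable)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw):
    """Return the list of indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    _name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. Sender domain is a near-miss of our own domain.
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        found.append(f"sender domain {from_domain} looks like {ORG_DOMAIN}")
    # 2. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        found.append(f"Reply-To {reply} does not match sender domain")
    # 3. Link text shows one host while the href goes to another.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if "." in text and host_of(text) != host_of(href):
            found.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    # 4. Pressure language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if len(hits) >= 2:
        found.append("pressure language: " + ", ".join(hits))
    return found


if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_EMAIL):
        print("-", indicator)
```

None of these checks is conclusive on its own (a legitimate mailing-list message may set a different Reply-To, for instance), which is why a gateway scores them and why the training point for humans is the same: hover over the link, read the actual sender address, and verify any money request out of band.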

A robust security awareness program in 2024 should help your employees understand:  

  • Current cyber threats
  • Their role in protecting your systems and data 
  • Your cybersecurity policies and why it’s important to follow them
  • Common signs of modern phishing and social engineering attempts 
  • What you’d like them to do if they receive a suspicious email or have other security concerns 
  • Secure browsing habits 
  • Your physical workplace security policies and why it’s important to follow them
  • How they should classify and handle particularly sensitive data 
  • How to secure personal devices and other external devices (like USBs) used for work 
  • A high-level overview of your incident response plan 
  • Social media security awareness 
  • Role-specific training — especially for executive leadership and financial department employees
  • The importance of applying updates and patches promptly 
  • How to safely dispose of devices that may contain sensitive data

Just like any other training program, it has to be engaging to produce results. Handing out a pamphlet once a year isn’t enough. Here’s what an effective security awareness program looks like, from one of our strategic partners.

KnowBe4’s Security Awareness Solutions


You can’t measure results if you don’t know your starting point, which is why KnowBe4’s security awareness training program starts by assessing your employees’ susceptibility to phishing. It then provides a large library of security awareness resources, with phishing awareness training and simulated phishing tests tailored to each user’s current level of understanding. Over time, KnowBe4 continues to test your employees and reports on any remaining gaps in their security behavior.

Human beings will always have careless moments; it’s a fact of life. But KnowBe4 has shown that it can dramatically reduce your employees’ susceptibility to a wide variety of phishing scams.

Would Your Employees Pass the Test? 

If you’ve read this far, you probably already know the answer. KnowBe4 releases regular reports on how prone employees are to phishing, broken down by industry, business size, and location. There’s some good news: employees have actually gotten better.

Unfortunately, some industries keep taking the bait, and they’re not necessarily the ones you’d suspect. KnowBe4’s full 2023 Phishing by Industry Benchmarking Report is available for download, and we’ve also put together a summary for quick reading.

