Employees in security awareness training in computer room

Traditional Security Awareness Training Needs an Upgrade

Security Awareness Training (SAT) has been widely adopted by businesses across the globe as a way of combating the onslaught of phishing attempts carried out every day. As human workers are often considered the weakest link within a company, it’s important for firms to provide employees with the knowledge around these threats so that they’re fully equipped to spot a suspicious email when it enters their inbox. Adoption of SAT has been ramping up as the volume of phishing attempts gets more intense; in the past year, 83 percent of businesses experienced at least one phishing attack.

However, the traditional form of SAT rarely achieves what it’s set out to do. Instead, valuable time is taken out of employees’ days to complete training that positions them as the problem, thereby reinforcing a negative stigma and undermining the entire process. It’s time for businesses to explore other options that make workers feel like they are part of the solution.

The limitations of SAT

SAT is often deployed to meet business objectives and align with compliance mandates and regulations. This means that the training held may not actually address the specific security problems that the business is currently facing. Training should not just be a simple box-ticking exercise, it needs to be uniquely designed for each individual business and their needs.

Additionally, training is still often deployed on an ad-hoc basis, which defeats the purpose of the exercise. SAT needs to ingrained in the company’s structure, in a way that is not disruptive to everyday workings. The cybersecurity landscape changes daily, and training programs need to keep up with the constant developments. This includes building it into an employee’s routine from the onboarding process onwards. But as we’ve established, phishing attacks are still succeeding, so the current form of SAT is not working.

Being the solution, not the problem

On a very basic level, training should make individuals feel like they are contributing to the overarching solution, they should not be made to feel like they are the problem that needs fixing. The problem, as we all know, is that phishing emails are still getting through to mailboxes despite existing measures. This is what organizations should emphasize. If companies position employees as the issue, then not only will the training fail to be effective, but they could also risk disrupting employee productivity. Artificial tests and training exercises will ultimately trigger a buildup of stress and pressure, leaving workers distracted and only focused on impressing their employers – not on improving security.

Rather than becoming empowered, employees will be left anxious and fearful of judgement from their employer should they perform badly. It’s true that immediately after training, workers are more likely to report more suspicious emails, but the number will quickly begin to shrink. The longer the gaps are between sessions, the more time there is for individuals to forget. Additionally, by way of impressing their boss and demonstrating their dedication to the training, employees are more likely to flag any email they deem to be suspicious, resulting in a lot of false positives that must be analyzed by IT or security operations. Having to go through and check each query takes IT and security teams away from their other duties, affecting their overall productivity.

Combining crowdsourcing and email security

Businesses should look to combine training with email security solutions that use a crowdsourced approach. This method is far more effective as it harnesses the collective intelligence from every individual in the company and applies it to the wider security strategy. Employees can complete a security scan on their inbox at the push of a button. By giving individuals the power to actively contribute to the business’ security, employers are not only empowering their workers, but also strengthening their security stance. The data collected from inbox scans is applied to the rest of the company and used for automatic remediation of threats. Unlike artificial tests, a crowdsourced approach is applied in real time and is an ongoing process that doesn’t take time out of an employee’s busy schedule. Further, with employees able to carry out their own checks on emails, it will help reduce the number of false positives sent through to the security teams and free them up to focus on larger issues and strategic initiatives.

Traditional #security awareness training rarely achieves it's goals. Employees' valuable time is taken to complete training that positions them as the problem, thereby reinforcing a negative stigma and undermining the entire process. #respectdataClick to Tweet

Employee training is undeniably important for the overall security of an organization, but only when applied correctly. Ad-hoc, artificial exercises achieve nothing apart from ongoing anxiety and short-term fixes. Any knowledge gained during training is quickly forgotten and employees remain apprehensive about when they will next be tested. Applying a crowdsourced approach which facilitates a collaborative framework will prove far more effective in the long run. Phishing attacks will keep on coming, so businesses need to deploy SAT that feeds into the wider security strategy and makes each individual feel like they are contributing to the overall solution.


Chief Strategy Officer & EVP Advanced Solutions at Cyren