When it comes to Security Awareness and training beyond the phish, we still have a long way to go.
James McQuiggan, Product & Solution Security Officer of Siemens Gamesa, is very adept at doing a level set. And that's exactly how he kicked off the SecureWorld web conference "End-User Cybersecurity Behaviors: The Importance of Training Beyond the Phish," which remains available on demand.
He kicked things off with a quick look at attack vectors your employees, and ultimately you, are up against.
This set the stage for results from Wombat's 2018 “Beyond the Phish” report with Wombat Security Vice President Amy Baker.
She cited research that phishing and pretexting represent 98% of all incidents and 93% of breaches featuring social engineering. “End user behaviors make these data points true. When technical safeguards fail, your users become the last line.”
Latest research: consequences and strategies
And with that in mind, she says their research shows these types of consequences when your users fail:
And she says research shows you can best combat this with a continuous training methodology to build knowledge over time.
Do you notice how there is much more on the flow above than simply simulated phishing emails? That's because bad actors change strategies, new threats emerge and the landscape is shifting. This makes it crucial to both educate and test your employees.
Can branding help your Security Awareness program?
Victoria Thomas has led security awareness efforts for several global companies during the last decade. She led part of the web conference to explain the value of branding your security awareness program like any other product. “You want employees to be paying attention to cybersecurity information you are sharing within the organization. Because they are much more likely to recall the brand they easily recognize.”
She says it will also help create brand advocates and loyalists.
Also part of the on demand web conference is Mitch Parker, Executive Director, Information Security and Compliance at Indiana University Health. He discusses how to implement effective Information Security training in the context of business, beyond “just” phishing.
“We have other key areas we must secure, a security program cannot rest on its laurels. We have to make our training more effective and adaptive.”
He then discussed how a continuous multi-step plan can look and how to measure it, to protect your end users and ultimately, your network.
You can watch the Beyond the Phish web conference on demand and earn CPE credits in the process, plus access Wombat's new 2018 "Beyond the Phish" report, by registering here.