Security Training

KnowBe4 Survey: 64% of Corporate Users Say Security Awareness Training Stops Hacks

A new security survey finds that two-thirds of corporate users (64%) assert that proactive Security Awareness Training helps their businesses identify and thwart hacks immediately upon deployment. And an 86% majority of corporations say Security Awareness Training (SAT) decreased overall security risks and educated employees about the ever-present danger posed by cyber security scams.

Those are the findings of the KnowBe4 “2018 Security Awareness Training Deployment and Trends Survey.” This annual, independent Web-based survey polled 1,100 organizations worldwide during August and September 2018. The independent study conducted by KnowBe4, a Tampa, Florida-based maker of security training and phishing tools, queried corporations on the leading security threats and challenges facing their firms as cyber security attacks increase and intensify.

ITIC partnered with KnowBe4 on this study, which also polled businesses on the initiatives they’re taking to more proactively combat the growing, diversified and targeted cyber threats. The survey found that 88% of respondents currently deploy SAT tools. The businesses report that the training plays a pivotal role in identifying and thwarting attacks, minimizing risk and positively changing the employee culture.

Among the other top survey findings:

  • Social Engineering was the top cause of attacks, cited by 77% of respondents, followed by Malware (44%), User Error (27%), a combination of the above (19%) and Password attacks (17%). (See Exhibit 1.)
  • Some 84% of respondents said their businesses could quantify the decrease in successful Social Engineering attacks (e.g. Phishing scams, malware, Zero Day, etc.) after deploying SAT to their end users, following just a few simulated exercises. This is based on 700 anecdotal responses obtained from the Essay comments and first-person interviews.
  • On average, respondents reported that Social Engineering cyber hacks like Phishing scams and Malware declined significantly, from a success rate of 40% to 50% down to zero to five percent, after firms participated in several KnowBe4 SAT sessions.
  • Almost three-quarters (71%) of survey participants indicate their businesses proactively conduct simulated Phishing attacks on a monthly, quarterly or weekly basis.
  • An overwhelming 96% of respondents affirmed that deploying SAT changed their firm’s computer security culture for the better, making everyone from C-level executives to knowledge workers more cognizant of cyber threats.

Introduction

In the 21st century Digital Age corporations can no longer practice security with 20/20 hindsight.

Complacency and ignorance regarding the security of the corporation’s data assets will almost certainly lead to disaster. Not a day goes by without a major new cyber hack reported.

Threats are everywhere. And no organization is immune.

Hackers are sophisticated, bold and home in on specific targets. The hacks themselves are more prolific, pervasive and pernicious.

The current computing landscape includes virtualization, private, public and hybrid cloud computing, Machine Learning and the Internet of Things (IoT). These technologies are designed to facilitate faster, more efficient communication and better economies of scale by interconnecting machines, devices, applications and people.

The downside: increasing inter-connectivity among devices, applications and people produces a “target-rich environment.” Simply put, there are many more vulnerabilities and potential entry points into the corporate network. IT and security administrators have many more things to manage and they can’t possibly have eyes on everything. Oftentimes, the company’s end users pose the biggest security threat by unknowingly clicking on bad links. But even so-called “trusted” sources such as supposedly secure third-party service providers, business partners or even internal company executives can unwittingly be the weak links that enable surreptitious entry into corporate networks.

The ubiquitous nature and myriad types of threats further heighten security risks and significantly raise the danger that every organization, irrespective of size or vertical market, will be a target. The accelerated pace of new cyber security heists via Social Engineering (e.g. Phishing scams, malware, Password attacks, Zero Day, etc.) makes the IT Security administrator’s job extremely daunting.

Fortunately, there is help in the form of Security Awareness Training, which immediately assists organizations in educating employees from the C-suite to the mail room and in transforming the corporate culture from one that is lax to one that is alert and vigilant.

Data & Analysis

Computer and network security has all too often been practiced with 20/20 hindsight. That is, organizations have been lax in implementing and enforcing strong Computer Security Policies.

The KnowBe4 2018 Security Awareness Training Deployment and Trends Survey results indicate a majority of companies recognize the increasing danger posed by myriad pervasive and pernicious cyber threats. Businesses are also acutely aware that Security and IT managers and administrators cannot possibly have “eyes on everything,” as the size, scope and complexity of their respective infrastructures increase along with the number of interconnected people, devices, applications and systems. Hence, companies are now proactively assuming responsibility for safeguarding their data.

SAT is a cost-effective and expeditious mechanism for heightening user awareness, from the C-Suite to the average worker, of the multiple security threats facing organizations.

Among the other survey highlights:

  • Among businesses victimized by Social Engineering, some 70% of respondents cited Email as the root cause. This is mainly due to end users clicking without thinking and falling prey to a wide range of scams such as Phishing, malware and Zero Day hacks. Another 15% of respondents said they were “Unsure,” which is extremely concerning.
  • An 88% majority of respondents currently employ Security Awareness Training Programs and six percent plan to install one within six months.
  • An 86% majority of firms with Security Awareness Training Programs conduct simulated Phishing attacks, and the same percentage (86%) randomize their simulated Phishing attacks.
  • Some 71% of respondents that deploy KnowBe4’s Security Awareness Training said their firms had not been hacked in the last 12 months, vs. 29% that said their companies were successfully penetrated (even if only for a short while before the intrusion was detected and removed).
  • Survey respondents apply Security Awareness Training programs in a comprehensive manner to ensure the best possible outcomes. Asked to “select all” the mechanisms they use in their SAT programs: 74% said they use Email; 71% employ videos; 43% of businesses said they use Human Trainers; 36% send out Newsletters; and 27% engage in seminars/Webinars with third parties.

Overall, the results of the Web-based survey, coupled with over two dozen first-person interviews conducted by KnowBe4 and ITIC, found that Security Awareness Training yields positive outcomes and delivers near-immediate Return on Investment (ROI). Approximately two-thirds of the respondents indicated that the training helped their companies to identify and thwart security hacks within the last six months. The participants said security awareness training helped to alert their firms to a potential vulnerability and allowed them to block the threat. It also enabled security and IT administrators and users to recognize rogue code and quickly remove it before it could cause damage. Another 20% of those polled claimed their firms had not experienced any hacks in the last six months.

All in all, in this day and age of heightened security and cyber threats, organizations are well advised to proactively safeguard themselves by implementing Security Awareness Training for their administrators and end users to defend their data assets. For more information, go to: www.knowbe4.com.


Rise in Security Threats Increases Risk, Pressures on IT and Business

An overwhelming 80% of companies say that “end user carelessness” constitutes the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks.

Additionally, 65% of businesses do not calculate the cost or business impact of security-related downtime, and over 30% of firms are unable to detect or defend against a security breach in a timely manner when one does occur.

Those are among the top findings of the ITIC/KnowBe4 “2013 – 2014 Security Deployment Trends Survey.” The joint independent Web-based survey polled 500 organizations during October/November 2013 on the leading security threats and challenges facing their firms and their top priorities over the next 12 to 18 months. In order to maintain objectivity, ITIC and KnowBe4 accepted no vendor sponsorship, and none of the respondents received any remuneration for participating.

The data indicates that IT departments are hard pressed to stay abreast of myriad security issues, which represent just one portion of their overall job responsibilities. Some 44% of survey respondents said their IT departments and security professionals spend less than 20% of their time on daily operational security. Another 32% said they devote 20% to 40% of their time to security. Only 20% of participants dedicate a significant portion of their daily and weekly administrative activities to securing their systems and networks. …


Does Infrastructure Really Matter When it Comes to IT Security?

Yes, infrastructure absolutely does matter and has a profound and immediate impact on enterprise security.

Server hardware (and the server operating systems and applications that run on it) forms the bedrock upon which the performance, reliability and functionality of the entire infrastructure rests. Just as you wouldn’t want to build a house on quicksand, you don’t want your infrastructure to be shaky or suspect: it will undermine security and network operations, negatively impact revenue, raise the risk of litigation and potentially cause your firm to lose business.

And that’s just the tip of the iceberg. These days, many if not most corporate enterprises have extranets to facilitate commerce and communications among their customers, business partners and suppliers. Any weak link in infrastructure security has the potential to become a gaping hole, allowing a security breach to extend beyond the confines of the corporate network and extranet. Security breaches can infect and invade other networks with astounding rapidity.

Increasingly, aging and inadequate infrastructure adversely impacts enterprise security. …
