Despite Training, Users Struggle to Identify Malicious Traffic
The last five years have seen a big increase in the amount of security training offered to employees, but is it enough?
Is Security Training Enough?
The last five years have seen a big increase in the amount of security training offered to employees. They are schooled heavily on how to recognize phishing emails and how to spot dubious links or attachments.
This training has certainly helped, and its use should be encouraged in organizations. But it is far from infallible.
Even the best security awareness training vendors admit that their methods only minimize the chances of phishing emails penetrating organizational defenses. They cannot eliminate the fact that a small number of users will continue to be gullible, inattentive, or tricked by a new angle on phishing.
As well as having lowered the chances of unfortunate clicks by users, such training has raised the profile of phishing to the point where many more users now report it. The number of emails from users to IT about potentially malicious traffic has escalated over the past year.
The Numbers Behind Security Awareness
That’s the good news. The bad news is that they get it wrong two thirds of the time, according to an in-depth analysis. The study delved into 200,000 emails reported by employees from organizations across the globe during the first half of 2021. It found that:
- On average, active users submitted 2.14 emails each during the period. That shows training has raised their level of vigilance.
- However, 67% of emails employees report as phishing are neither malicious nor highly suspect.
- 59% of users sent their alerts concerning suspicious links.
- 54% reported an email because of an incorrect or unexpected sender.
- 37% reported an email because of suspected spam.
- 34% suspected the use of social engineering in an email.
- Only 7% reported an email due to suspicions about attachments.
This last bullet point bears discussion. It appears that users are now accustomed to watching for strange links, suspicious emails, or email addresses that seem fake. That’s a big step forward. However, too few seem to be on the alert for suspicious attachments, yet that avenue of attack is very much on the rise.
It is quite common these days for phishing emails to pose as a PO, RFP, or other business document and ask the user to open the attachment to advance some business objective. This ploy is quite successful. Similarly, shipment updates, government forms, and other documents are frequently sent as a way to lure users into an unfortunate click. It is troubling that so few users seem tuned in to spotting them.
User reporting of suspicious traffic should always be encouraged. It may help IT to catch a new malware infection before it can do much damage. User failures to spot malicious emails and attachments, though, should not lead to broad chastisement of the user base. Rather, they should be used as part of the next round of security awareness training.
But user awareness is only one line of defense. It is a vital way to prevent the human element from becoming the weakest link, but it is impossible to shore up the enterprise effectively only by teaching security to employees.
How Syxsense Can Help
Such vital training campaigns must be supported by automated security that picks up attacks, warns users about them, and eliminates the manual drudgery from the world of IT.
Syxsense automates the process of implementing patches and scanning for vulnerabilities. With these two areas taken care of, the enterprise is made far more secure.