A recent study by cybersecurity firm Tessian suggests two thirds of UK employees do not receive regular email security training in the workplace. Consequently, UK firms face a high risk of experiencing a costly phishing attack or malware/ransomware infection.
For the study, Tessian surveyed 1,000 UK workers at firms with more than 100 employees. Only a third of respondents said their employer provided regular security awareness training covering email security, even though email is the most common vector cybercriminals use to attack organizations.
Over a quarter of respondents said they were provided with some cybersecurity training, but only when they joined the company. 22% of respondents said they had never been provided with email security training at their place of work.
Bizarrely, the study appeared to suggest individuals who were provided with security awareness training were actually more likely to click links in phishing emails, even though their training should have made them more resilient to phishing attempts.
Even in industries where email security training is commonly provided, such as financial services, where 45% of respondents said they received regular email security training, 45% also said they had clicked on a phishing email at work. That strongly suggests little thought has been put into training programs and that they are often treated as a checkbox item for compliance: companies are not actually measuring whether their training reduces risk. It also shows that, while security awareness training is important, companies cannot rely on training alone to improve resilience to phishing attacks.
The problem with many training courses is that they are boring and are viewed as unimportant by employees. Not enough time is invested in making the courses enjoyable, engaging, and relevant to employees' day-to-day work. Less than a quarter of respondents said they had taken the training on board, remembered what they were told in their training sessions, and were acting on that advice at work. There are rarely follow-ups to check that the training has been understood and retained; phishing simulation exercises are one way to do that.
“Tick-box training exercises are not enough to stop people falling for the types of advanced spear phishing attacks we see today,” said Tim Sadler, CEO, Tessian. “To be most effective, training needs to be in-situ and provide context. It also needs to be supported by technology that can automatically detect suspicious emails and alert individuals of a potential threat