If you find yourself asking “How does my organization evaluate the benefits of security awareness vs. anti-phishing training?” we’re here to help.
Start by understanding that cyberattacks are ubiquitous. The average probability of an organization experiencing a data breach has risen to 27.7 percent, according to the 2020 Cost of a Data Breach Report by the IBM/Ponemon Institute. That means there’s greater than a 1 in 4 chance an organization will experience an attack. And breaches are costly. The average global cost of resolving a data breach is USD 3.86 million. In the United States, that figure escalates to USD 8.64 million. Data shows that the best way to avoid these costs is by preventing the attacks in the first place.
To reduce the risk of a cyberattack, organizations must first confront the fact that employee error is the most common cause of data breaches. As humans, we make mistakes, our memories are limited, and we are susceptible to emotional pressure. Therefore, the best way to safeguard your organization against cyberattacks is to train your employees regularly, so they remember what to do if confronted with a potential attack. Armed with relevant skills and knowledge, you can change your employees from being your most significant point of vulnerability to acting as your best line of defense – your company’s “human firewall.”
Security Awareness Training (SAT) is essential for any company with employees and a connected digital environment or online presence. SAT programs help create a security-minded culture by teaching all aspects of regulatory compliance and cybersecurity procedures that are crucial to protecting organizational systems and data, computers and other devices, as well as employees’ personal devices and data. Leading courses use engaging and memorable methods to present best practices, so learners understand the issues and are motivated to carry them out daily. A comprehensive security awareness training program should cover the following topics, explaining both why each matters and how to put it into practice:
- Basic security hygiene
- Organizational IT policies
- Securing remote and home offices
- Protecting mobile devices
- Security while in public
- Data privacy, classification, handling and protection
- Spotting and thwarting malware
- Strong passwords
- Social engineering scams
- Online security
In many industries, laws and regulations require security awareness training to ensure that employees follow basic security practices to protect organizational data. HIPAA, PCI DSS, ISO/IEC 27002 and the Gramm-Leach-Bliley Act (GLBA), for example, all have SAT requirements. In addition, most federal and state government employees are required to take annual security awareness training.
Anti-Phishing Training (APT) is another crucial cybersecurity topic for employees. As phishing attacks have increased exponentially over the last decade, they have become quite sophisticated and difficult to detect. Targeted messages – known as spear phishing and business email compromise (BEC) – often come from legitimate business email accounts that have been hijacked and use deliberate tactics to evade anti-phishing software filters. Because there are so few indicators that the messages are illegitimate, phishing is commonly used by bad actors for information gathering and to gain access to confidential data and personal details.
When comparing security awareness vs. anti-phishing training, several key differences arise. Security awareness training may touch upon the risks of social engineering scams, but the bulk of learning material and practice opportunities in an SAT course will focus on protecting hardware, networks and data. In contrast, a robust anti-phishing training program will be laser-focused on explaining the many types of phishing messages, how to recognize them and the actions to take to fend off their tricks and scams. This targeted attention is critical considering that BEC scams caused the highest financial losses of all cyber scams tracked by the FBI’s Internet Crime Complaint Center in 2019 and prompted an FBI public service announcement in April 2020. Fortunately, research indicates that training employees to recognize and report phishing messages is an effective mitigation strategy, especially when repeated at six-month intervals.
Which training is better – SAT or APT?
Since security threats come in many forms, it’s best to utilize a combination of the two. Both types of courses are proven to change risky employee behaviors, actions and oversights that can compromise security. Security awareness training focuses on educating your staff about common dangers (e.g., password reuse, unsecured networks) while also demonstrating secure behaviors (e.g., multi-factor authentication, regular data backups, handling of sensitive data) – especially when working from a remote office. Anti-phishing training is essential for teaching users to spot the various types of phishing messages and understand their risks (e.g., malware, fraudulent links, credential harvesting), as well as providing real-life practice scenarios that enable employees to identify harmful messages among the volumes of email they filter daily.
There’s a reason that almost every list of cybersecurity best practices includes regular employee training – because it works! People without IT expertise often don’t recognize threats when they occur or understand the daily actions that leave a company open to an attack.
Furthermore, training administered once doesn’t stick. Our brains have a plasticity that allows us to learn by creating new neural pathways. As our brains age and become less plastic, adult learners need additional review to maintain new knowledge. Alternating security awareness vs. anti-phishing training courses so that employees receive training every few months is a practical way to address this fact of life while improving your company’s security posture and reinforcing its security culture.
For more information about the benefits of these training approaches, read more about GLS’s Security Awareness Training and Anti-Phishing Training. And check out our monthly specials to get your company started!