{"id":9189,"date":"2024-03-01T08:57:21","date_gmt":"2024-03-01T13:57:21","guid":{"rendered":"https:\/\/joindeleteme.com\/?p=9189"},"modified":"2024-09-30T10:03:26","modified_gmt":"2024-09-30T14:03:26","slug":"why-security-awareness-training-fails","status":"publish","type":"b2b-post","link":"https:\/\/joindeleteme.com\/business\/blog\/why-security-awareness-training-fails\/","title":{"rendered":"Why Security Awareness Training Fails"},"content":{"rendered":"\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#what-is-security-awareness-training\">What Is Security Awareness Training?\u00a0<\/a><\/li><li><a href=\"#why-security-awareness-training-fails\">Why Security Awareness Training Fails\u00a0<\/a><\/li><li><a href=\"#how-to-combat-personal-information-based-attacks\">How to Combat Personal Information-Based Attacks\u00a0<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<p>Among the many reasons why <a href=\"https:\/\/joindeleteme.com\/business\/blog\/security-awareness-training-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">security awareness training<\/a> fails, two in particular stand out to us:\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>There\u2019s no link between security awareness training and behavioral change.<\/li>\n\n\n\n<li>Personalized attacks are hard to spot and stop, even when individuals are trained to avoid phishing attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In this guide, we\u2019ll explain what security awareness training is and why it doesn\u2019t always work as companies expect it to. 
We\u2019ll also share some tips on how to minimize the risk of data breaches that exploit the human element.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-security-awareness-training\">What Is Security Awareness Training?&nbsp;<\/h2>\n\n\n\n<p>Security awareness training refers to information security programs within organizations that are designed to teach employees and other relevant stakeholders how to recognize cyber threats.&nbsp;<\/p>\n\n\n\n<p>Training can consist of any number of modules, with common topics including email security (which may involve phishing simulations and malware-focused training), terminal security (including locking desktops that aren\u2019t in use), and password strengthening.&nbsp;<\/p>\n\n\n\n<p>The purpose of security awareness training programs is to prevent cyber attacks (social engineering, ransomware, etc.) from succeeding.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-security-awareness-training-fails\">Why Security Awareness Training Fails&nbsp;<\/h2>\n\n\n\n<p>Teaching employees how to recognize phishing techniques and create strong passwords (among other things) should (theoretically) make the organizations they work for safer.<\/p>\n\n\n\n<p>However, the reality is that most employees aren\u2019t security experts, even trained ones.&nbsp;<\/p>\n\n\n\n<p>Training scenarios take place in safe and controlled environments, and employees are generally passive participants. 
Meanwhile, actual cyber attacks are active and dynamic.&nbsp;<\/p>\n\n\n\n<p>According to researchers, even after robust security training:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/securitybrief.co.nz\/story\/despite-cybersecurity-training-85-of-employees-still-reuse-passwords-report\" target=\"_blank\" rel=\"noreferrer noopener\">85% of employees<\/a> continue to reuse passwords across business applications.&nbsp;<\/li>\n\n\n\n<li>1 in 5 employees still <a href=\"https:\/\/atlasvpn.com\/blog\/1-in-5-employees-fall-for-phishing-emails-even-after-a-security-training\" target=\"_blank\" rel=\"noreferrer noopener\">fall for phishing scams<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/in\/rebeccamckeowncpsychol\/\" target=\"_blank\" rel=\"noreferrer noopener\">Bec McKeown<\/a>, founder and principal psychologist at Mind Science, <a href=\"https:\/\/www.securityweek.com\/security-awareness-training-isnt-working-how-can-we-improve-it\/\" target=\"_blank\" rel=\"noreferrer noopener\">says<\/a>:&nbsp;<\/p>\n\n\n\n<p><em>\u201cWhat people don\u2019t realize is that psychologically <\/em><strong><em>there is no direct link between awareness and behavior change. <\/em><\/strong><em>Most people believe that if you make people aware, they will do something about it. 
That is not true.\u201d<\/em><\/p>\n\n\n\n<p>Part of the problem is that employees typically only receive cybersecurity training once or twice a year, meaning that security isn\u2019t at the forefront of their minds at any given moment.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.knowbe4.com\/press\/lack-of-regular-cybersecurity-awareness-training-puts-organisations-at-risk\" target=\"_blank\" rel=\"noreferrer noopener\">Many employees<\/a> also say the security awareness training they receive is outdated, too general, and too slow\/not issued in real-time.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-45-1024x586.png\" alt=\"Reddit post about bad security awareness training \" class=\"wp-image-9190\" style=\"width:578px;height:auto\" srcset=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-45-1024x586.png 1024w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-45-300x172.png 300w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-45-768x440.png 768w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-45.png 1523w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>On the other hand, cybercriminals are constantly working to develop new techniques.&nbsp;<\/p>\n\n\n\n<p>Besides utilizing new technical approaches, cybercriminals invest a significant amount of time working on ways to get employees to give them access to the company network.&nbsp;<\/p>\n\n\n\n<p>This means cybercriminals are spending more time in the reconnaissance stage, researching employees through sources like <a href=\"https:\/\/joindeleteme.com\/blog\/what-are-data-brokers\/\" target=\"_blank\" rel=\"noreferrer noopener\">data brokers<\/a>. 
As a result, attacks are more likely to slip through email filters and employees\u2019 own filters for what is expected to be a phishing attack.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"personal-information-attacks-require-more-than-security-awareness-training\">Personal Information Attacks Require More Than Security Awareness Training&nbsp;<\/h3>\n\n\n\n<p>Let\u2019s take a look at how cybercriminals use personal information in spear phishing and account takeover attacks.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"spear-phishing\">Spear phishing&nbsp;<\/h3>\n\n\n\n<p>Most phishing attempts are relatively easy to spot due to unusual senders\u2019 addresses or generic lures. These emails are sent out in the millions and have low chances of success.&nbsp;<\/p>\n\n\n\n<p>That\u2019s not the case for personalized phishing emails engineered to fool a particular employee or group of employees. In these cases, cybercriminals dive deep into their targets, acquiring <a href=\"https:\/\/joindeleteme.com\/blog\/what-is-personally-identifiable-information\/\" target=\"_blank\" rel=\"noreferrer noopener\">personally identifiable information (PII)<\/a> from anywhere they can find it. Emails of this nature can address employees by their first name and even reference superiors in the organization to build credibility.&nbsp;<\/p>\n\n\n\n<p>One of the top sources for PII is <a href=\"https:\/\/joindeleteme.com\/blog\/what-are-data-brokers\/\" target=\"_blank\" rel=\"noreferrer noopener\">data brokers<\/a>. 
Data brokers collect publicly available information about individuals and then sell this information as comprehensive profiles to anyone willing to pay a small fee.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1021\" height=\"1024\" src=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-46-1021x1024.png\" alt=\"B2B data broker profile \" class=\"wp-image-9191\" style=\"width:500px;height:auto\" srcset=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-46-1021x1024.png 1021w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-46-300x300.png 300w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-46-150x150.png 150w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-46-768x770.png 768w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-46.png 1412w\" sizes=\"(max-width: 1021px) 100vw, 1021px\" \/><\/figure>\n\n\n\n<p>One particularly notorious group of cybercriminals, Conti, is known for <a href=\"https:\/\/www.varonis.com\/blog\/contileaks\" target=\"_blank\" rel=\"noreferrer noopener\">using data brokers<\/a> to identify their spear phishing targets and determine whose name they should drop in the email to make it more convincing.<\/p>\n\n\n\n<p>Some cybercriminals are also using data brokers to <a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/08\/phishers-breach-twilio-and-target-cloudflare-using-workers-home-numbers\/\" target=\"_blank\" rel=\"noreferrer noopener\">identify targets\u2019 family members<\/a> and use them as a way into corporate networks.&nbsp;<\/p>\n\n\n\n<p>Personalized attacks can be very convincing, even to those who have received significant amounts of training &#8211; just ask <a href=\"https:\/\/www.bbc.com\/news\/world-us-canada-40788080\" target=\"_blank\" rel=\"noreferrer noopener\">senior White House cybersecurity advisors<\/a>.&nbsp;<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"account-takeover\">Account takeover&nbsp;<\/h3>\n\n\n\n<p>Once someone knows an employee&#8217;s background, it\u2019s easy for them to start guessing passwords.&nbsp;<\/p>\n\n\n\n<p>Most passwords are absurdly easy to guess, anyway. As <a href=\"https:\/\/nordpass.com\/most-common-passwords-list\/\" target=\"_blank\" rel=\"noreferrer noopener\">NordPass\u2019s annual password survey<\/a> shows, the vast majority of people (including <a href=\"https:\/\/nordpass.com\/business-executive-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">high-ranking executives<\/a>) continue to use weak passwords like \u201c123456,\u201d \u201cadmin,\u201d and \u201cpassword.\u201d<\/p>\n\n\n\n<p>However, even when people try to create more complex login credentials, many end up <a href=\"https:\/\/www.welivesecurity.com\/2021\/04\/15\/one-six-people-use-pets-name-as-password\/\" target=\"_blank\" rel=\"noreferrer noopener\">leaning on their personally identifiable information (PII<\/a>), whether it\u2019s a birth date or a spouse\u2019s name. 
But this kind of information is easy to find on a data broker profile.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-47.png\" alt=\"Data broker profile vs password survey \" class=\"wp-image-9192\" style=\"width:555px;height:auto\" srcset=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-47.png 1024w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-47-300x225.png 300w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/03\/media-47-768x576.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>All a cybercriminal has to do is acquire PII about an employee, load it into a password-cracking program, and then allow the program to try to guess their password over and over again until it gets it right.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-combat-personal-information-based-attacks\">How to Combat Personal Information-Based Attacks&nbsp;<\/h2>\n\n\n\n<p>Although security awareness training is important, organizations can\u2019t rely on it alone to reduce their human attack surface, especially when it comes to personalized attacks against employees.&nbsp;<\/p>\n\n\n\n<p>Besides fostering a security culture, organizations should also take steps to reduce their employees\u2019 digital footprints. Potential measures include educating employees about the risks of over-sharing online and enrolling at-risk stakeholders in <a href=\"https:\/\/joindeleteme.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">data broker removal services such as DeleteMe<\/a>.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Find out why security awareness training fails (and what to do about it). 
<\/p>\n","protected":false},"author":14,"featured_media":9193,"menu_order":0,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"b2b-category":[45],"class_list":["post-9189","b2b-post","type-b2b-post","status-publish","format-standard","has-post-thumbnail","hentry","b2b-category-resources"],"acf":[],"_links":{"self":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/9189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post"}],"about":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/types\/b2b-post"}],"author":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/users\/14"}],"version-history":[{"count":0,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/9189\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media\/9193"}],"wp:attachment":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media?parent=9189"}],"wp:term":[{"taxonomy":"b2b-category","embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-category?post=9189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}