The SANS Institute security center issued its annual security awareness report, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents’ security awareness programs and their effectiveness in reducing human risk.
“This year’s report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it,” the cybersecurity training and education organization said.
“These larger teams are more effective at working with the security team to identify, track, and prioritize their top human risks, and at engaging, motivating, and training their workforce to manage those risks.”
The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behavior change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behavior change — the highest such response for any maturity level — the number represented a 10% decrease from the previous year’s report.
The report also noted that while many companies pour money into expensive IT security products, spending on training and drilling employees to recognize and report scams might be the better investment.
“People have become the primary attack vector for cyber attackers around the world, so humans rather than technology now represent the greatest risk to organizations,” the SANS Institute said. “Security awareness programs, and the professionals who manage them, are key to managing that human risk.”
The study found that of the top threats companies face, two of the top three rely on social engineering tactics. Phishing attacks topped the list, with business email compromise (BEC) attacks coming in second and ransomware filling out the top three.
Ransomware can be delivered without any human interaction, for example by automated exploitation of unpatched software, whereas phishing and BEC depend on a con artist persuading an employee to hand over credentials, account details or bank routing numbers. Even so, the report noted that the vast majority of ransomware attacks begin with a phishing email or with weak passwords, so the human element is central there as well.
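The point that BEC relies on deceiving a person rather than on a software flaw has a practical consequence for defenders: an attacker who registers a look-alike domain and sets up SPF, DKIM and DMARC for it sends mail that passes every authentication check, so the only remaining tells are semantic ones. The following is an added example, not code from the SANS report, that scores a message for those tells: an executive's display name on a foreign address, a sender domain that is a homoglyph or edit-distance neighbor of the organisation's, a Reply-To that diverts replies, and payment or urgency language in the body. The executive list, the organisation domain `example.com`, and both sample messages are constructed for illustration.

```python
"""Heuristic BEC indicator check for inbound mail (added example, not from
the SANS report). Organisation domain, executive list and the two sample
messages below are all constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed display name -> real mailbox
PAYMENT_TERMS = ("wire", "routing number", "account number", "urgent", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains flags a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Fold common digit-for-letter homoglyphs so 'examp1e.com' reads as 'example.com'."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    return domain.lower().translate(table)


def bec_indicators(raw: str) -> list[str]:
    """Return the human-readable BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    indicators = []

    # 1. Display name matches a known executive but the mailbox does not.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        indicators.append(f"display-name impersonation of {name} from {addr}")

    # 2. Sender domain is close to, but not, the organisation's own domain.
    if domain and domain != ORG_DOMAIN:
        if normalise_domain(domain) == ORG_DOMAIN or edit_distance(domain, ORG_DOMAIN) <= 2:
            indicators.append(f"look-alike sender domain {domain}")

    # 3. Reply-To silently routes the conversation to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append(f"reply-to mismatch {reply_to}")

    # 4. Body asks for a payment change or banking details, typically with urgency.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if len(hits) >= 2:
        indicators.append("payment/urgency language: " + ", ".join(hits))
    return indicators


# Constructed sample messages: one BEC-style lure, one legitimate note.
LURE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: ap@example.com
Subject: Urgent wire

Please process this invoice today by wire; I will send the routing number shortly.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Lunch

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("legit", LEGIT)):
        print(label, bec_indicators(sample))
```

The lure trips all four heuristics while the legitimate message trips none, which is the shape of signal an awareness program can turn into a user-facing banner or a report-phish button prompt. None of these checks is proof of fraud on its own; the edit-distance test in particular needs a higher threshold or an allow-list for short domains, and the final decision to hold a payment still belongs to a trained person following an out-of-band verification procedure.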
This is why SANS said companies need to invest more in training employees to spot attacks and stop them before a network breach takes place. To do so, SANS said, companies need to rethink how they approach security training and make clear to both end users and executives what they are being trained on and why it matters.
“Far too often, security awareness is perceived as a compliance effort, or security awareness professionals are perceived to be in an ‘entertainment’ business that focuses on getting employees excited about cybersecurity but has little perceived business benefit to the organization,” the report said. “To effectively engage leadership, focus on and use terms that resonate with them and demonstrate support for their strategic priorities.”
Part of the problem, SANS said, lies with a lack of engagement from IT. The report suggests that investing time in measuring and reporting the program's impact could help executives and IT decision-makers understand the importance of training and employee vigilance.
“Dedicate two to four hours a month to collecting metrics about the impact and value of your awareness program and communicating it to leadership,” said SANS. “This information can include informal metrics, established key performance indicators, or even success stories.”