These 7 Questions Proved Employee Cyber Training Isn’t Nearly Good Enough

May 19, 2021
Monica White
VP of Product Marketing

Share with Your Network

Here’s a hard truth about protecting your network, infrastructure and applications: most organizations are doing a poor job of training their employees to spot phishing attempts and other potential threats. And that leaves those organizations unnecessarily vulnerable.

Training solutions provider TalentLMS tested 1,200 employees to see how skilled they were at identifying potential risks as they arrive in their inboxes or pop up on the internet. The results are, frankly, a bit discouraging. 

A majority of the workers surveyed (59%) received cybertraining from their employers, largely due to the uptick in cyberattacks aimed at taking advantage of a new global remote workforce. Of those trained employees, 61% failed a basic seven-question test. If the test questions were real-world exploit attempts, those unwitting employees would have handed hackers the keys to the front doorand even held it open for them.

The 7 deadly questions: Take the test

To help put this into context, here are the seven test questions respondents answered. (Four or more wrong answers constituted a failing grade.) I’ve provided an answer key at the end of this blog so you can test yourself if you like. But don’t cheat! Cheating is cutting corners, and cutting corners is a terrible idea in Security. 

1. Which of the following passwords would outsmart a hacking attack?

  • @bgfjjjdb4M#67£ 
  • Grimefingerskydominoes
  • D00r83llabu12
  • *lugbttdb4m#29£

2. Which of the following file types have the potential to be harmful? (select all that apply)

  • .xls  
  • .exe  
  • .pdf  
  • .doc  
  • .jpg  

3. How does ransomware work?

  • It self-replicates and searches for unsecured systems
  • It steals sensitive information and relays it to external users
  • It denies access to your data unless a fee is paid  
  • It gives unauthorized access to a malicious user on your system

4. USB drives are harmless if you insert them to see the content, but not run anything. 

  • True 
  • False  

5. If your laptop is password protected then its files are safe, even if the device is stolen. 

  • True
  • False  

6. Which of the following actions should you take to keep an important document safe? (select all that apply)

  • Digitize the document and encrypt it on a protected computer  
  • Lock the document away in a safe
  • Destroy the print document in a shredder 
  • Upload it to the cloud

7. You receive a suspicious looking email from your CEO that contains a link. What would you do?

  • I would click on the link
  • I would check if the sender address matches the CEO’s, and if it does I would click on the link
  • I would send a message to the CEO through a different communication channel asking if they sent me an email with a link  
  • I would delete the email without clicking the link

(Again, you’ll find the answer key at the end of this blog.)

Security professionals might look at this test and dismiss it as laughably easy. But for employees whose jobs don’t involve securityand for whom following security protocols is an unwelcome if necessary burdenthese questions and situations represent a murky, uncertain world they know little about. That even goes for workers who have received training. In fact, of respondents who answered all seven questions incorrectly, 80% had received cybersecurity training. That’s the harsh reality when it comes to protecting your perimeter. It’s porousand to some extent unavoidably so.

The trouble with hygiene

Cyber hygiene is a mercurial thing, and mastering it requires diligence. (Like real-life human hygiene, it helps to tend to it every day.) You can insist employees strengthen their passwords, and chances are many probably should (the world’s most common password is “123456,” and it was exposed 23.6 million times in 2020). A stronger password is a good start. But other common tactics can lead to stolen credentials, which then could then allow bad actors to access parts of your infrastructure the hacked employee may not even know exists. 

So by all means, train your employees. But if you’re taking the time and effort to do so, rely on a training program whose effectiveness is proven—rather than just tips from some Googled listicle. Hacks are growing more sophisticated every day, which may actually make mediocre training an even bigger danger than no training at all. (Want proof? The TalentLMS survey found 74% of respondents who failed all seven test questions said they feel safe from cybersecurity threats!)

Take control over what’s within your control

It’s foolhardy to think your employees, even if meticulously trained, will prevent every breach. Because it’s one thing to mull over phishing scenarios when you’re being asked to mull over phishing scenarios. It’s another thing entirely to be a busy, distracted employee who receives an email from the CEO they’re working hard to impress and responds to it, unaware that they’re playing into the hands of hackers. 

So in addition to effective training, you’ll want the added insurance policy of a strong vulnerability management program. The thinking here is simple: If you can’t count 100% on workers to sniff out sophisticated exploit attempts, you’ll need backup. And since employees are hard to control entirely, it makes sense to focus on what’s already within your control: the network and infrastructure assets you’re responsible for.

A robust, modern vulnerability management program will provide that backup. Leveraging extensive threat data, vulnerability intel, data science, and predictive algorithms, the best vulnerability management solutions weigh the relative risk that every known vulnerability within your infrastructure poses to your business. The most advanced solutions will even predict the likelihood of a specific vulnerability being weaponized. That way, you can focus on and fix the vulnerabilities that matter most, and stop wasting time chasing vulnerabilities that aren’t a risk.

The truth is, training your employees to maintain better cyber hygiene is necessary, but it’s not nearly good enough. You simply can’t control what employees do and learn, not entirely at least. But you can control how effectively you manage the vulnerabilities that, in the end, those bad actors are really after. 

Do that, and you’ll be relying on a program that’s much better than good enough.

Learn how a modern vulnerability management strategy helps you fix what matters—and keeps you in control. 


Did you take the test? Here are the correct answers:

  1. Q1. @bgfjjjdb4M#67£ 
  2. Q2. All file types can be harmful
  3. Q3. It denies access to your data unless a fee is paid
  4. Q4. False
  5. Q5. False
  6. Q6. Digitize the document and encrypt it on a protected computer and Destroy the print document in a shredder 
  7. Q7. I would send a message to the CEO through a different communication channel asking if they sent me an email with a link

Read the Latest Content

Threat Intelligence

18+ Threat Intel Feeds Power Modern Vulnerability Management

You need lots of threat intelligence feeds to cover all of the threat and vulnerability data categories in the world. Learn about the threat intel feeds...
Data Science

Ask Us About Our Data Science

In vulnerability management, data deluge is a recurring problem. Learn what data science is and how it can help your company.
Risk-Based Vulnerability Management

What is Modern Vulnerability Management?

Modern vulnerability management is an orderly, systematic, and data-driven approach to enterprise vulnerability management.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.