1,200 US Workers Just Proved Cyber Training Alone Won’t Prevent Your Next Breach
A new survey of 1,200 US workers lays bare the hard fact that cyber training alone will not provide the protection your enterprise needs to prevent the next breach.
If this notion worries you (and if you want to learn what you can do to fix it), I suggest you read on.
Amid the pandemic, a surge in cyber training
As cyberattacks spiked during the COVID-19 pandemic, businesses stepped up efforts to train both remote and in-office workers to spot phishing attempts and other potential threats. You’d think employees, once armed with skills to detect and help deflect attacks, would form a kind of virtual Maginot Line against bad actors.
But according to the results of a survey recently published by TalentLMS, a training solutions provider, that’s wishful thinking.
TalentLMS queried 1,200 employees about their cyber hygiene habits and familiarity with cybersecurity best practices. They also put respondents through a seven-question test to see how accurately they spotted potential fraudulent emails, dangerous documents, compromised drives, and more.
The results are sobering. Six out of 10 respondents failed the test, even though 69% of them recently had received cyber training from their employers.
What is telling, and frankly worrying, is that 74% of respondents who answered all seven test questions incorrectly also said they feel safe from cyberthreats. And 60% of all who failed the test (those who could not get four or more questions right) said they feel safe. Bad habits are partially to blame. For instance, 33% of surveyed employees store their passwords in their browsers, which any security professional knows is an unnecessary risk.
TalentLMS mounted this research not as an indictment of cyber training; on the contrary, the company’s goal is to reveal the shortcomings of ineffective training and to emphasize that more effective training isn’t difficult to access and implement.
1,200 reasons to do more
Assuming this survey sample of 1,200 is generally representative of remote and on-site workers everywhere, then even trained, confident employees pose a significant risk to infrastructures. As we noted in a previous blog, people are fallible, even when you do your best to make them infallible, which makes increasingly sophisticated social engineering attacks much harder to defend against.
Assuming we accept that you can never achieve a state of employee hygiene that could be considered failsafe (though it’s worth fortifying your critical forward line as much as you can), the next question is: what else can you strengthen sufficiently to reduce your risk of a costly breach?
We’d start with your vulnerability management strategy. An effective modern vulnerability management strategy reduces your attack surface by patching the vulnerabilities that pose the highest risk to your unique environment. And when you fix the vulnerabilities that matter most, you’ll provide an important stopgap against that leaky employee perimeter.
But don’t think just any vulnerability management solution will be good enough to stop an exploit before it can do damage. Our research has found that organizations that rely on CVSS scores or scanner fix lists spend 80% of their time patching low-risk vulnerabilities. This leaves organizations squandering IT and AppDev resources on vulnerabilities that earn headlines but don’t warrant your time and energy, simply because they pose no real risk to your environment.
Fortunately, better and more effective approaches are available today. They use state-of-the-art capabilities like threat data analysis and data science techniques like machine learning and predictive algorithms. The best of them can predict the weaponization of new vulnerabilities with 94% accuracy. So much for wasting eight out of every 10 hours fixing vulns that don’t need fixing.
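To make the contrast between CVSS-only and risk-based prioritization concrete, here is an added example that is not part of the original post and is not the scoring model of any vendor. It ranks a constructed set of findings two ways: by raw CVSS score, and by a simple risk score that weights CVSS by whether exploitation has been observed, whether the asset is internet-facing, and how critical the asset is. The weights, the finding identifiers (V-1 through V-6, not real CVEs), and the "patch budget" of three fixes are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample data)."""
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_observed: bool  # exploitation seen in the wild (assumed threat feed)
    internet_facing: bool   # reachable from the public internet
    asset_criticality: int  # 1 = low, 2 = medium, 3 = high business impact


# Constructed findings: the highest CVSS scores sit on low-value, internal assets
# with no known exploitation, while lower-scored bugs are actively exploited
# on exposed, critical assets.
SAMPLE_FINDINGS = [
    Finding("V-1", 9.8, exploit_observed=False, internet_facing=False, asset_criticality=1),
    Finding("V-2", 7.5, exploit_observed=True, internet_facing=True, asset_criticality=3),
    Finding("V-3", 9.1, exploit_observed=False, internet_facing=True, asset_criticality=2),
    Finding("V-4", 6.5, exploit_observed=True, internet_facing=False, asset_criticality=3),
    Finding("V-5", 10.0, exploit_observed=False, internet_facing=False, asset_criticality=2),
    Finding("V-6", 8.8, exploit_observed=True, internet_facing=True, asset_criticality=2),
]


def risk_score(f: Finding) -> float:
    """Illustrative risk score in [0, 100]: severity x likelihood x exposure x impact.

    The multipliers are assumptions, not a published model: observed exploitation
    dominates (unexploited bugs keep only 15% of their weight), internal assets
    halve the score, and asset criticality scales it linearly.
    """
    severity = f.cvss / 10.0
    likelihood = 1.0 if f.exploit_observed else 0.15
    exposure = 1.0 if f.internet_facing else 0.5
    impact = f.asset_criticality / 3.0
    return severity * likelihood * exposure * impact * 100.0


def prioritize_by_cvss(findings):
    """Order finding ids by CVSS alone, highest first (the scanner fix-list view)."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize_by_risk(findings):
    """Order finding ids by the risk score, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def low_risk_effort_share(order, findings, budget, threshold=20.0):
    """Fraction of the first `budget` fixes in `order` spent on low-risk findings.

    A finding counts as low-risk when its risk score is below `threshold`.
    This is the "time spent patching things that don't matter" metric.
    """
    by_id = {f.vuln_id: f for f in findings}
    chosen = order[:budget]
    low = sum(1 for vid in chosen if risk_score(by_id[vid]) < threshold)
    return low / len(chosen)


def exploited_coverage(order, findings, budget):
    """Fraction of exploit-observed findings fixed within the first `budget` fixes."""
    exploited = {f.vuln_id for f in findings if f.exploit_observed}
    fixed = set(order[:budget]) & exploited
    return len(fixed) / len(exploited)


if __name__ == "__main__":
    budget = 3
    for name, order in (("CVSS-only", prioritize_by_cvss(SAMPLE_FINDINGS)),
                        ("risk-based", prioritize_by_risk(SAMPLE_FINDINGS))):
        print(f"{name:11s} order: {order}")
        print(f"  effort on low-risk items: {low_risk_effort_share(order, SAMPLE_FINDINGS, budget):.0%}")
        print(f"  exploited bugs covered:   {exploited_coverage(order, SAMPLE_FINDINGS, budget):.0%}")
```

With a budget of three fixes, the CVSS-only order spends all of its effort on findings that score below the low-risk threshold and fixes none of the actively exploited ones; the risk-based order does the reverse. Whatever weights an organization actually uses, the useful check is the same: measure what share of your patch queue would be consumed by findings with no exploitation evidence on low-exposure assets before committing the team's time to it.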
I can think of 1,200 reasons to make your vulnerability management strategy as effective and time-efficient as you can. Still wondering if you need to take action? Ask your colleagues in IT and AppDev how they’d rather be spending their time.