Roger Grimes
2024-12-23 17:13:00
blog.knowbe4.com
KnowBe4 is a big believer in focusing on decreasing human risk as the best way to decrease cybersecurity risk in most environments.
A big part of decreasing human risk is using effective security awareness training (SAT). You do not want to just focus on SAT, but SAT is a big part of decreasing human risk.
To be sure, your human risk management projects need to be broadly focused on more than SAT. We agree. That is why we discuss changing your culture and have products such as email security, Compliance Plus and 1:1 Security Coach.
At the same time, SAT is one of your best and biggest tools, especially until the 100% perfectly defending technical tools are here. Remember, social engineering is involved in 70% – 90% of all successful hacking attacks, and that is after the hackers made it past every technical tool that was in place.
We have seen people say that SAT does not work at all. That is not true; we have the data to support that it does indeed work. Organizations that do effective SAT create people who recognize and click less on phishing attempts, both on simulated phishing attempts and in preventing real-world breaches.
We have seen people say you only need to use SAT until we finally get the 100% effective technical security defenses we have been promised for decades. How good are technical defenses against social engineering today?
Seventy to ninety percent of all successful hacking involves social engineering that has gotten past all technical defenses. Even if one day someone figures out how to 100% protect email, which we are not even close to yet, we still have to protect the web, SMS, social media, and any other communication media channel. Today, email phishing is the biggest problem, but it is not the only problem.
There are lots of social engineering scam scenarios where there are no current existing other defenses besides SAT. Education is the primary way you help to mitigate the threat. They include:
In May 2023, Barracuda Networks reported successful compromises. That is huge for a single root cause!
Another good example of training being the primary defense is password reuse. Every computer security person knows that they should never share the same password across unrelated sites and services. It’s too risky. When passwords are shared, if the password gets compromised at one location, it can be more easily used to break into other sites using the same password.
It’s especially risky to a business for an employee to reuse their employee account password on their personal sites. An attacker could learn about someone’s password on, say, Facebook or a cat-lover’s website and then attempt to use it on the user’s corporate account.
Outside training, there is no way to prevent unauthorized password reuse (if your company uses passwords). There is no password tool that will scan your network, scan all your employees’ personal accounts, and look for matches. Breached-password screening, which checks a new or entered work password against publicly leaked lists, narrows the gap a little, but it only catches a reused password after the other site has already leaked and the dump has become public. So your only defense (besides implementing MFA at work) is educating employees not to reuse passwords between their work and personal accounts.
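As an added example, not code from the original post or from KnowBe4, here is a self-contained Python sketch of the reuse scenario just described. Every account, password, the "leaked" hobby-site dump, the stand-in breach corpus and the assumption that the corporate username is the local part of the e-mail address are constructed for illustration. The attacker's credential-stuffing pass succeeds only where a user reused the personal password and has no MFA; the defender's breached-password screening, modelled on a k-anonymity range lookup, flags a reused password only when it already appears in a known dump.

```python
"""Added example, not code from the original post: why a password reused
between a personal site and a corporate account matters, and what MFA and
breached-password screening do and do not catch.  Every account, password
and the 'leaked' dump below is constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


@dataclass
class CorpAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    mfa_enrolled: bool


def make_account(username: str, password: str, mfa: bool) -> CorpAccount:
    """The corporate directory stores only a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return CorpAccount(username, salt, pw_hash, mfa)


def verify(acct: CorpAccount, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.pw_hash)


# Constructed: a dump from a hobby site that stored passwords in plaintext.
LEAKED_PERSONAL_CREDS = {
    "alice@example.com": "Fluffy2019!",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "Tr0ub4dor&3",
}

# Constructed corporate directory (assumption: the corporate username is the
# local part of the e-mail address, which is exactly what the attacker guesses).
CORP_DIRECTORY = {
    "alice": make_account("alice", "Fluffy2019!", mfa=False),                   # reused, no MFA
    "bob": make_account("bob", "correct horse battery staple", mfa=True),       # reused, MFA on
    "carol": make_account("carol", "Unrelated-Work-Passphrase-99", mfa=False),  # unique password
}


def credential_stuffing(dump: dict, directory: dict) -> dict:
    """Attacker side: replay each leaked personal password against the
    matching corporate login and record the outcome per username."""
    outcomes = {}
    for email, leaked_pw in dump.items():
        acct = directory.get(email.split("@")[0])
        if acct is None:
            continue
        if not verify(acct, leaked_pw):
            outcomes[acct.username] = "no match"
        elif acct.mfa_enrolled:
            outcomes[acct.username] = "password matched, blocked by MFA"
        else:
            outcomes[acct.username] = "compromised"
    return outcomes


# Defender side: breached-password screening.  The directory cannot derive a
# SHA-1 from its salted PBKDF2 hashes, so the check must run while the
# plaintext is present, i.e. at password-set or login time.
def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for a public breach corpus (the hobby-site dump, now public).
BREACH_CORPUS = {sha1_hex(p) for p in LEAKED_PERSONAL_CREDS.values()}


def range_lookup(prefix5: str) -> set:
    """Stand-in for a k-anonymity 'range' service: given the first five hex
    characters of a SHA-1, return the suffixes of every breached hash with
    that prefix, so the full hash never leaves the client."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix5)}


def is_known_breached(password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def screen_login(directory: dict, username: str, password: str) -> str:
    """Login-time check: a correct password that appears in a known breach is
    refused and the user is forced to change it."""
    acct = directory.get(username)
    if acct is None or not verify(acct, password):
        return "login failed"
    if is_known_breached(password):
        return "password correct but found in a breach: force reset"
    return "login ok"


if __name__ == "__main__":
    print(credential_stuffing(LEAKED_PERSONAL_CREDS, CORP_DIRECTORY))
    print(screen_login(CORP_DIRECTORY, "alice", "Fluffy2019!"))
    # A password reused on a site that has not leaked yet still looks clean.
    print(is_known_breached("Unrelated-Work-Passphrase-99"))
```

The two halves make the post's point concrete: MFA turns Bob's reused password from a compromise into a blocked login, and screening catches Alice only because her hobby site has already been dumped; a reuse that nobody has leaked yet is invisible to both the directory and the screening service, which is the gap only the user's own habits can close.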
Technical defenses alone are going to have a very hard time stopping these types of attacks. Instead, you need to make people aware of these types of attacks, and educate them how to spot, mitigate and appropriately report them.
While training should not be the only thing you are doing, it is a crucial part of any human risk management defense. So, until that perfect technical defense comes around, do training, do lots of training.
Our current problem is not that we do too much training; it is that we do not do enough.