1. It can significantly lower your risk of a cyber-attack
Phishing emails are still the primary cause of cyber-attacks with over 90% of breaches starting with an email. The bad guys are relentless and can send malicious emails to thousands of businesses very quickly. These opportunistic attacks are the biggest risks to small businesses and the bad guys are always coming up with new ways to get your staff to click links, download malware or share sensitive information.
By training your staff on phishing and other threats, you significantly reduce the chances of them ‘opening the door’ to potential attackers. Training that uses real-world examples and outcomes sticks with your staff long after the video has ended. It’s not just phishing either: training on the entire threat landscape equips them with the knowledge they need for mobile devices, remote working, removable media, physical security and much, much more.
Security awareness training is proven to reduce your risk of a successful phishing attack by up to 40% – Let that sink in.
2. Change the security culture in your business
Cyber security is not just an IT problem, and your staff are the first line of defence in preventing cyber-attacks. Security awareness training is proven to be the catalyst for changing the way staff think about cyber security and for driving improvements across the business. A workforce that’s educated in the threats can identify weaknesses in the business that nobody else can, and such staff are far more likely to detect suspicious events earlier and prevent incidents before they occur.
I’ve seen it time and time again: given the right resources, staff have been the driving force for improving security. Armed with training on best practices, it will be your staff who start suggesting or enacting new organisational policies, encrypting sensitive emails and removable media, etc. It all starts with security awareness training.
You’ll often find good staff will WANT cyber security training – and it helps them in their personal lives too.
3. Understand your risk and cyber security maturity level
If I sent a simulated phishing email to all your staff, how many of them would click the link and compromise the business?
If you listen to industry statistics, the answer is around 40% – that’s a lot of compromise!
Whatever your answer, it’s the same number if a hacker were to send a real phishing email, and anything above 0% is bad for business.
Security awareness training and a phishing simulation service will give you a clear picture of your risk level, show you who presents the biggest risk and let you see the risk reduction over time.
4. Lower your cyber insurance premiums
If you have cyber insurance or professional indemnity insurance, your insurer will be asking about the cyber security training you’re providing to your staff. They ask because they understand that phishing and staff are the most likely cause of a breach. When training is in place it is likely to reduce your insurance premiums and could mean that the training pays for itself!
As years go by and phishing gets increasingly sophisticated, you may find that some insurance providers won’t cover you at all without security awareness training – this is certainly a shift that we are beginning to see.
5. You may have to
Compliance requirements are getting more stringent by the year. We’ve already established that phishing is your biggest risk, and some insurance companies will not even insure you without awareness training.
You may find that your specific industry regulations also require you to provide awareness training, particularly for professional services such as accountants and solicitors that hold very sensitive data.
6. Prepare for new and emerging threats
Cyber security is a constant game of cat and mouse, and attackers are always thinking of new methods to trick your users. Regular, ongoing awareness training ensures that staff keep up to date with the latest threats and techniques. Phishing simulation also uses the latest techniques based on real-world attacks; it’s much better if your staff click one of our simulated attacks rather than the real thing.
Nobody likes failing a phishing test, but staff who do will remember it for a long time, and that memory helps keep the bad guys out.
Security Team Top Tips:
- Accompany your awareness training with a company ‘cyber security training policy’ – this should state why you are doing it, why your staff should take it seriously, what to expect, reasonable timeframes to complete training, and consequences for non-completion or repeated phishing failures.
- Reward staff who take it seriously, perform well, and report phishing emails – this could be a quick pat on the back or form part of an employee’s annual appraisal.
- Multi-Factor Authentication is not a silver bullet: it does HELP keep the bad guys out, but over 20% of the phishing attacks we see CAN bypass MFA, and MFA does not protect you against other threats such as malware.
Our approach…
We make cyber awareness training as simple as possible for your staff.
All staff receive phishing training first (because it’s the biggest threat).
Staff will receive an email asking them a few questions to test their cyber security knowledge. Training is sent in priority order based on their own weaknesses.
We send one SHORT module every 3 weeks. Each module takes around 5-10 minutes to complete.
We send one simulated phishing email to each person every 2 weeks. Each person receives a different email at a different time.
Staff also have a ‘Phish Report’ button in Outlook, OWA and on mobile. When they report emails that were part of a simulated attack, they get congratulated and their risk score is lowered. Emails that were not a test are forwarded to Impact and Microsoft to spot trends and help block them in future.
Managers receive a weekly summary email showing outstanding training, phishing clicks and other information. More reports are available on request.