A New Breed of Cyber Security Awareness Solutions

Why is cyber security awareness important? What role can it play in helping the people within your organisation improve their behaviours online and reduce cyber security risks? Read on to find out more.

Cyber security continues to evolve at pace and many solutions are being developed which protect IT estates and simultaneously limit the risk of human error. Despite this, and the increased use of AI and machine learning, the likelihood of mitigating 100% of the threat posed by us humans seems unlikely. Sadly, data still shows that employees remain the weakest link in a business’ security armour. Luckily security awareness training is also evolving and improving at great speed, making it easier for businesses to develop robust security cultures and employees to practise developing security behaviours in safe environments.

What used to be purely theory based is now often a dynamic, multi-faceted set of solutions aimed at educating, applying and measuring employee security awareness to help build a true security culture. New solutions on the market build awareness, simulate phishing attacks, pinpoint weak areas, links or times and days when a mistake is most likely to happen then measure the positive impact of interventions and adapt to make sure that weak areas are identified, targeted and monitored.

Here are some of the positive outcomes you can expect from deploying security awareness training solutions.

• Mixing theory, practical applications, tests and micro-reminders provides several different learning opportunities and styles to match the diverse way different people learn and retain information. It takes the stress away from employees by noting where they need help and then creating the required, automated interventions.
• Employees can be confident that they can apply their learnings or understand that they will be given extra support in areas where they need it rather than the traditional approach of promoting fear around making mistakes. Far better to realise that the training they have received hasn’t quite resonated based on a simulated phishing attack than a real one. By experiencing simulated attacks, employees get to experience how an event feels when they aren’t expecting it and are busy with their day job.
• Businesses can understand the times, days or departments most likely to be negatively impacted by a bad actor. You may anticipate busy times are the riskiest but perhaps the days following a highly productive period could be cause for most concern as employees finally relax (perhaps a little too much). Make no mistake that hackers will continually be trying different approaches to understand when businesses are most vulnerable.
• Dynamic and easy-to-consume dashboards and reports can be used to create business cases to promote security solutions to senior budget holders who may wish to see proof that threats actually exist.
• Improve security behaviours because employees understand that attacks will be simulated and their responses measured, leading to a continued awareness of the threats rather than increased awareness around once-yearly training which then peters out over the following months. This builds a security culture which is ingrained in everyday operations.
• Providing actionable data and insight means that threats can be mitigated with automated settings such as employee reminders on, for example, certain days, times or during specific operations or tasks. These automated settings can also be deployed following employee behaviours that the solution has noted are linked to threat risk.
• Security teams can be confident that employees (even those working from home) are being informed, supported, and nudged to be wary of threats so that they can focus on other areas of cyber security

At Wanstor, we’ve found huge success with behaviour change and an improved attitude towards security since we implemented security awareness training for our own team.

Here are some successes over the year 2023:

• 30% of the team have improved their passphrases as a direct result of recommendations from the training
• Only 8% of the team opened or engaged with messages sent as part of the simulated phishing campaign, which is 10% less than the industry average of 18%
• Less than 1% submitted any sensitive information to the simulated phishing campaign