Why Cybersecurity Awareness Programs Fall Short?

By Shlomi Gian, CEO at CybeReady

Phishing is still the most commonly used attack on organizations IDG’s 2018 US State of Cybercrime.  As of 2019, there is no proven solution to stop malicious emails from bypassing enterprise email gateway and more importantly there is no awareness program that prevents a busy professional from clicking on these malicious emails.

As an important member of your company’s security team, you and your management understand the importance of an effective employee awareness program and invest the appropriate budget and resources. Unfortunately, you probably don’t feel completely comfortable with the results – the existing training efforts are not ‘moving the needle’ and you’re aware that other companies who have followed the same approach failed to mitigate phishing attacks, which resulted in severe damage to the organization.

Why do most cybersecurity awareness programs fall short and is there any way to solve this?

1. Training experts are hard to find – The typical IT professional who is technical-oriented did not sign up for a training role and has not been “qualified to train” – a practice that entails (a) creation of engaging content, (b) monitoring individual student progress and analyzing his/her progress over time and (c) delivering personal training opportunities at a frequency that would yield continuous improvement for each one of the students year round.

The unfortunate reality is that the majority cybersecurity awareness programs end up being managed by a junior IT professional – most likely the latest to join the IT team – that does not like the job. We often hear program managers saying, “I hate phishing,” which is logical since they are not set for success.

2. No access to playbook – Most of the cybersecurity awareness program managers do not have access to a proven playbook and best practices that they can follow so they end up guessing and experimenting. Instead of helping them make decisions existing solutions overwhelm them with a long feature list they have no time, desire or expertise to try and use. A few of the challenges they are facing include:
   1. Defining groups to test – Is the engineering department, finance team or German office homogenous groups to test? Should all the employees in these groups get identical training?
   2. Selecting the difficulty of what attacks to use – this is a super sensitive topic that could make the program manager look bad. Selecting an easy simulation would result in a low click rate and as such no one will learn anything. Selecting a difficult simulation could be unfair to a certain group of employees and upset the managing executive.
   3. Setting training frequency – Should training be done monthly, quarterly or annually? Should high-risk employees be trained more frequently? If so, how can this be accomplished?
   4. Determining how to handle high-risk groups (new employees, serial clickers, etc.) that have a tremendous impact on the program results and with the lack of guidance fail to change
3. Not relying on data – An effective training program must take into consideration employee characteristics as well as their individual, ever-changing performance towards phishing While existing solutions have a long list of features and reporting capabilities, they completely ignore this the fact that humans are not alike, and we all have a different way of learning. This is probably the most critical issue that companies fail to address and the one that contributes the most to the poor outcome of the increasing number of successful phishing attacks.

A successful awareness program must be designed around the fact that each employee is unique and should be trained accordingly. Data such as role, department and native language should be factored in, but most importantly the performance of past simulations should be analyzed and determine the level of training difficult as well as the frequency of training he should be receiving. Sounds complex? Well, once the company has more than a dozen employees, it gets complicated and the only way to do it well is using data-driven solutions.

Disclaimer: The writer is the CEO of CybeReady who developed an Autonomous Training Platform. CybeReady was developed by a couple of frustrated cybersecurity trainers that after developing a proven training methodology while serving in the National Israeli Security Agency (NISA) realized that executing it properly requires a never-ending data analysis and teaching efforts that can only be performed using machine learning technologies.

About the Author

Shlomi Gian, CEO, CybeReady: Shlomi Gian has more than 20 years’ experience in the technology industry, bringing a unique, powerful blend of product and business leadership expertise to CybeReady. As CEO, Shlomi is responsible for ramping up the company’s presence in the U.S and guiding overall growth for CybeReady worldwide. Over the past two decades, he has built disruptive technologies, surged enterprise sales, developed high-value strategic partnerships and lead companies through major acquisitions. Shlomi served at the helm of numerous companies in the U.S. and abroad, including Cotendo, Akamai and PacketZoom – which was acquired by Roblox in 2018. He holds a B.S. degree in Computer Science from Tel Aviv Academic College and an MBA degree from the University of San Francisco. You can learn more about CybeReady at https://cybeready.com/.