In the UK and the rest of the European Union, looming regulations have made data privacy and protections front-page news. But has this heightened consciousness translated into a greater focus on cybersecurity education? And how effective are the resultant security awareness efforts?
As part of our 2018 State of the Phish™ Report, we analyzed more than 10,000 quarterly survey responses from infosec professionals around the globe, who shared their insights and experiences related to anti-phishing training. Comparing responses from individuals at US and UK organizations reveals significant differences in their approaches to end-user risk management — differences that have a profound impact on employees’ phishing susceptibility.
What Tools Are Being Used?
On the most basic level, our data shows that UK organizations generally opt for more passive training methods, while US organizations favor hands-on practice for their users. We asked infosec professionals to indicate their use of five different tools: in-person security awareness training, computer-based online training, simulated phishing attacks, awareness campaigns, and monthly notifications and/or newsletters.
Source: Quarterly surveys of infosec professionals for the 2018 State of the Phish Report
In-Person Security Awareness Training
As you can see from the chart above, UK organizations are far more likely than their US counterparts to rely on classroom-style training to keep employees informed about cybersecurity. While in-person training can be useful, organizations should avoid long, infrequent sessions, as these are not ideal for knowledge acquisition and retention.
Computer-Based Online Security Awareness Training
Far more US organizations report using computer-based training. This training approach offers a number of advantages, such as allowing end users to complete training at their own pace and at their convenience, with minimal disruption to the workday.
Allowing users to progress at the best speed for them has been shown to produce better results than one-size-fits-all training. This is just one of the research-based Learning Science Principles that underlie the effectiveness of Wombat’s security awareness training.
Simulated Phishing Attacks
Another stark difference in how US and UK organizations approach end-user risk is the use of simulated phishing attacks. Seventy-nine percent of US respondents report using phishing tests, compared to only 45% for the UK. While not all organizations are open to using phishing simulations, this approach is highly effective in identifying and mitigating risk. It allows organizations to conduct baseline assessments of their susceptibility to phishing attacks, and to measure the effectiveness of their phishing training efforts over time.
Awareness Campaigns: Videos and Posters
Materials such as videos and posters can help create a culture of security awareness within your organization. Posters, images, and articles can be distributed throughout the workplace, and videos can be used to introduce end users to the importance of cybersecurity best practices. This approach is more popular in the UK (60%) than in the US (44%). Using security awareness materials encourages end users to think and talk about cybersecurity and reinforces best practices learned in more comprehensive training. Raising and maintaining awareness in this way helps to reduce your vulnerability to attack.
Monthly Notifications and Newsletters
Similar to awareness materials, sending out monthly notifications and newsletters can provide occasional reinforcement of cybersecurity best practices and alert end users to known threats. This tactic is a more passive approach, however, and isn't a substitute for hands-on learning. As you'll note from the chart, these tools are more popular with UK organizations than those in the US.
How Effective Are These Tools?
When we surveyed infosec professionals for our State of the Phish Report, we also asked them, “Have you been able to quantify a reduction in phishing susceptibility based on these activities?” Our survey shows a significant difference between US and UK organizations, with 61% of US organizations answering “yes,” compared to only 28% for the UK.
As mentioned earlier, UK organizations tend to favor more passive approaches to keeping employees informed about cybersecurity. Given that, it’s not surprising that they are less likely to see quantifiable results from their efforts. By their nature, some security awareness and training tools produce key metrics while others do not. Using simulated phishing attacks, for example, allows you visibility into end-user susceptibility to specific types of phishing emails, as well as the ability to evaluate progress over time. The same cannot be said of posters hung in the breakroom.
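The metrics described above can be computed directly from simulation results. The following is an added example, not code from the report or from Wombat's platform: it takes a constructed set of per-user outcomes from two quarterly phishing tests (the quarters, template names, user names and outcomes are all hypothetical) and computes click rate and report rate per lure template, the overall click rate per quarter, and the relative reduction in susceptibility between a baseline quarter and a later one, which is exactly the "quantified reduction" the survey question asks about.

```python
"""Quantify phishing susceptibility from simulated-phishing campaign results.

Added example (not from the State of the Phish report). All data below is
constructed for illustration and is not survey data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    quarter: str    # reporting period the simulation ran in, e.g. "Q1"
    template: str   # lure category, e.g. "invoice" or "password-reset"
    user: str
    clicked: bool   # user followed the lure link (or submitted credentials)
    reported: bool  # user flagged the message via the report-phish button


# Hypothetical results for four users across two quarterly simulations.
RESULTS = [
    # Q1 (baseline): invoice lure lands well, password-reset lure less so
    Result("Q1", "invoice", "alice", True, False),
    Result("Q1", "invoice", "bob", True, False),
    Result("Q1", "invoice", "carol", False, True),
    Result("Q1", "invoice", "dave", True, False),
    Result("Q1", "password-reset", "alice", False, True),
    Result("Q1", "password-reset", "bob", True, False),
    Result("Q1", "password-reset", "carol", False, False),
    Result("Q1", "password-reset", "dave", False, False),
    # Q2 (after training): fewer clicks, more reports
    Result("Q2", "invoice", "alice", False, True),
    Result("Q2", "invoice", "bob", True, False),
    Result("Q2", "invoice", "carol", False, True),
    Result("Q2", "invoice", "dave", False, False),
    Result("Q2", "password-reset", "alice", False, True),
    Result("Q2", "password-reset", "bob", False, False),
    Result("Q2", "password-reset", "carol", False, True),
    Result("Q2", "password-reset", "dave", False, False),
]


def susceptibility(results):
    """Per (quarter, template): messages sent, click rate and report rate.

    Report rate is tracked alongside click rate because a falling click rate
    with a flat report rate usually means users learned to ignore the test,
    not to recognise and escalate a phish.
    """
    agg = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        a = agg[(r.quarter, r.template)]
        a["sent"] += 1
        a["clicked"] += int(r.clicked)
        a["reported"] += int(r.reported)
    return {
        key: {
            "sent": a["sent"],
            "click_rate": a["clicked"] / a["sent"],
            "report_rate": a["reported"] / a["sent"],
        }
        for key, a in agg.items()
    }


def click_rate_by_quarter(results):
    """Overall click rate per quarter (all templates pooled), quarters sorted."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in results:
        sent[r.quarter] += 1
        clicked[r.quarter] += int(r.clicked)
    return {q: clicked[q] / sent[q] for q in sorted(sent)}


def relative_reduction(results, baseline, latest):
    """Fraction by which the click rate fell from `baseline` to `latest`.

    Returns 0.0 when the baseline click rate is already zero, since there is
    nothing to reduce and the ratio would be undefined.
    """
    rates = click_rate_by_quarter(results)
    if rates[baseline] == 0:
        return 0.0
    return (rates[baseline] - rates[latest]) / rates[baseline]


if __name__ == "__main__":
    for key, m in sorted(susceptibility(RESULTS).items()):
        print(f"{key[0]} {key[1]:<15} sent={m['sent']} "
              f"click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    print("click rate by quarter:", click_rate_by_quarter(RESULTS))
    print(f"reduction Q1->Q2: {relative_reduction(RESULTS, 'Q1', 'Q2'):.0%}")
```

Two caveats a practitioner would apply before quoting such a number: cohorts this small are noisy, so compare like-for-like templates across quarters rather than one pooled figure, and keep report rate next to click rate, since a program that only drives clicks down without driving reports up has taught avoidance rather than the behavior you actually want.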
In the end, US and UK organizations have much to learn from one another. US organizations should consider greater use of security awareness materials in the workplace to raise visibility and reinforce key messages. UK organizations would do well to adopt the computer-based online security awareness training and simulated phishing attacks used more widely by their US counterparts, which enable lasting behavior change and knowledge retention and, unlike passive materials, produce metrics that show whether the program is working.