How Effective Are These Tools?
When we surveyed infosec professionals for our State of the Phish Report, we also asked them, “Have you been able to quantify a reduction in phishing susceptibility based on these activities?” Our survey shows a significant difference between US and UK organizations, with 61% of US organizations answering “yes,” compared to only 28% for the UK.
As mentioned earlier, UK organizations tend to favor more passive approaches to keeping employees informed about cybersecurity. Given that, it’s not surprising that they are less likely to see quantifiable results from their efforts. By their nature, some security awareness and training tools produce key metrics while others do not. Simulated phishing attacks, for example, give you visibility into end-user susceptibility to specific types of phishing emails (credential-harvesting lures, fake invoices, and so on), as well as the ability to evaluate progress over time by repeating campaigns against the same population. The same cannot be said of posters hung in the breakroom.
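As an added illustration of what "quantifying a reduction in susceptibility" looks like in practice (this is example code written for this page, not tooling from the report or from any simulation platform), the script below takes one record per simulated email, computes the click rate per campaign and per lure type, and compares the earliest and latest campaign. The campaign data is constructed inline; the campaign names, lure types and the `make_campaign` helper are assumptions for the example. It also applies a Wilson score interval to each campaign's click rate, because with a small population a drop from 50% to 20% can easily be noise, and a practitioner reporting "quantified reduction" should know whether the two measurements are actually distinguishable.

```python
"""Quantify a reduction in phishing susceptibility from simulated-phishing data.

Added example, not part of the State of the Phish report. Input records are
constructed below; a real export from a simulation platform would be
reshaped into the same (campaign, lure_type, clicked) form.
"""
from collections import defaultdict
from math import sqrt


def make_campaign(campaign, lure_counts):
    """Build one-row-per-email records for a campaign (hypothetical helper).

    lure_counts maps lure type -> (emails sent, emails clicked).
    Each record is (campaign, lure_type, clicked).
    """
    rows = []
    for lure, (sent, clicked) in lure_counts.items():
        rows.extend((campaign, lure, i < clicked) for i in range(sent))
    return rows


# Constructed sample data (not real survey results): three quarterly
# simulations against the same 10 users, two lure types each.
RESULTS = (
    make_campaign("2018-Q1", {"credential": (5, 3), "invoice": (5, 2)})
    + make_campaign("2018-Q2", {"credential": (5, 2), "invoice": (5, 1)})
    + make_campaign("2018-Q3", {"credential": (5, 1), "invoice": (5, 1)})
)


def click_counts(results, by_lure=False):
    """Return {campaign or (campaign, lure): (clicked, sent)}."""
    counts = defaultdict(lambda: [0, 0])
    for campaign, lure, clicked in results:
        key = (campaign, lure) if by_lure else campaign
        counts[key][0] += int(clicked)
        counts[key][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def click_rate(clicked, sent):
    """Fraction of recipients who clicked; 0.0 for an empty campaign."""
    return clicked / sent if sent else 0.0


def wilson_interval(clicked, sent, z=1.96):
    """95% Wilson score interval for a click rate; behaves sensibly at small n."""
    if sent == 0:
        return (0.0, 0.0)
    p = clicked / sent
    denom = 1 + z * z / sent
    centre = p + z * z / (2 * sent)
    margin = z * sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent))
    return ((centre - margin) / denom, (centre + margin) / denom)


def susceptibility_trend(results):
    """Compare the earliest and latest campaign (campaign names sort by date).

    Returns (first_rate, last_rate, relative_reduction, distinguishable).
    distinguishable is False when the two Wilson intervals overlap, i.e. the
    population is too small to claim the measured reduction is real.
    """
    counts = click_counts(results)
    first, last = min(counts), max(counts)
    r0, r1 = click_rate(*counts[first]), click_rate(*counts[last])
    reduction = (r0 - r1) / r0 if r0 else 0.0
    lo0, hi0 = wilson_interval(*counts[first])
    lo1, hi1 = wilson_interval(*counts[last])
    distinguishable = hi1 < lo0 or hi0 < lo1
    return r0, r1, reduction, distinguishable


if __name__ == "__main__":
    for key, (clicked, sent) in sorted(click_counts(RESULTS, by_lure=True).items()):
        print(key, f"{click_rate(clicked, sent):.0%}")
    r0, r1, red, sig = susceptibility_trend(RESULTS)
    print(f"overall: {r0:.0%} -> {r1:.0%}, {red:.0%} relative reduction, "
          f"{'distinguishable' if sig else 'not distinguishable at this sample size'}")
```

On the constructed data the overall click rate falls from 50% to 20%, a 60% relative reduction, yet the two Wilson intervals overlap, so with only ten recipients per campaign the improvement cannot be separated from chance. That is the check worth running before reporting a "quantified" reduction: the per-lure breakdown tells you which message types still land, and the interval tells you whether the trend is real or an artifact of a small population.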
In the end, US and UK organizations have much to learn from one another. US organizations should consider greater use of security awareness materials in the workplace to raise visibility and reinforce key messages. UK organizations would do well to adopt the computer-based security awareness training and simulated phishing attacks used more widely by their US counterparts, both to drive lasting behavior change and knowledge retention and to produce the metrics needed to show whether those efforts are working.