Effective security awareness training

The emphasis here is should probably be on effective. That’s because, according to Arctic Wolf, 88% of companies worldwide already have some form of IT security training in place, and another 10% are in the process of introducing such a program within the next 12 months.

But not all security awareness training programs are equal. Moreover, end-users typically loathe the training regardless of whether you follow best practices.

Additionally interesting is the fact that only half of the 88% who have security awareness training in place decided to purchase and implement IT security training. The other 44% decided to develop their own security awareness program.

There is nothing wrong with a company taking this initiative, says Arctic Wolf — as long as it takes the time to develop a high-quality program that reinforces key security concepts at regular intervals. But according to the survey, of the companies with a security awareness program, only 42% use weekly topics and lessons, more than half have a monthly rhythm, and 7% require their employees to complete these lessons only once a year.

Furthermore, only 77% simulate phishing attacks. For the remaining 23%, the programs are based exclusively on lessons or explanations to explain possible phishing emails to their users. This is better than not educating users about how to identify phishing and report phishing attempts, comments training provider Arctic Wolf on the result, but not as effective as the practical approach with simulated phishing emails.

More transparency about security incidents

Another interesting result of the study: When it comes to security incidents, companies have become significantly more transparent. Last year, only 26% of those affected worldwide decided to disclose all or at least some of the information about their incident, but in the current study period two thirds (66%) made this information public. A third (30%) informed only the parties concerned.