TL;DR: Aumint.io, my startup, offers hope. The results of a recurring cyber training program show that practical training reduces human cyber risk and improves behaviours.
2024 Q1 – Landscape / Macro Trend
Employee behaviour matters.
Having employees with strong cybersecurity skills can make a significant difference in protecting an organization’s digital assets and sensitive information.
Black hat GenAI-powered tools have made social engineering attacks and ransomware services more sophisticated and cheaper. The result is a rise in social engineering attacks: not just phishing emails but also BEC attacks, ransomware, and credential harvesters.
What are we talking about? (Short Intro)
The most significant cybersecurity threat to companies is the neglect of human factors.
Social engineers use their knowledge of human behaviour to manipulate people into falling for social engineering scams (not just phishing), resulting in billions of dollars lost (or profit for them) annually.
How accurately and quickly do employees report threats?
Ensuring your organization’s safety depends on how efficiently and precisely employees report potential threats. It is crucial to address this concern to prevent any possible risks that can harm your business.
You can allocate resources effectively by understanding where your human risks lie.
If we want to improve people’s cyber behaviours, it’s essential to measure them. The best outcome of a social engineering simulation is a threat report, which lightens the threats and speeds up SOC response. Threat reporting is the most effective behaviour to monitor. Monitoring and improving cyber behaviours can create a safer digital environment.
People report real threats in the same way that they do in training. Aumint uses AI to classify reported real threats in real time. Users receive immediate feedback and rewards through gamification when they report suspicious activity, reinforcing the desired behaviour.
Security Training Performance by Country
Based on behavioural cybersecurity statistics reports, Europe has an average failure rate of 3.15% in cyber attacks, while North America has an average failure rate of 3.74%.
However, these numbers may not accurately represent the actual situation because the research studies on which the statistics are based are primarily focused on social engineering attacks in the English language. The failure rates may be much higher in countries where local languages are spoken, sometimes even double.
Security Training Performance by Industry
Although intensive training and regulations can yield results, more is needed.
The failure rate of financial services is as low as 2.95%, while governmental institutions are failing at a rate of 4.56%, and pharmaceuticals follow closely at 4.46%.
As we all know, hackers tend to target the easy targets first.
QR Code Attacks
In the last year, the number of attacks through QR codes has more than doubled. While many people know the dangers of clicking on suspicious links or files, only a few know that QR codes can also be used to deliver malware or steal login credentials. Surprisingly, 5.5% of employees have fallen for this type of attack by scanning a QR code. Attackers have found QR phishing attractive as it can bypass email filters more effectively than malicious links. However, this trend is changing as email gateways improve at detecting and preventing malicious QR codes.
Resilience
Security awareness computer-based training services provide a stable set of core capabilities. However, despite those services, risky employee behaviour continues to persist.
Aumint is developing capabilities that apply behavioural science principles, data analytics, and automation to address this challenge.
These capabilities help cybersecurity leaders to reduce risk through measurable culture change.
Aumint’s award-winning innovative solutions are being built with a focus on employee behaviour management to reduce risk. These security behaviour and culture programs (SBCP) are based on behavioural science principles and utilize data analytics and automation to achieve measurable culture change and reduce risk exposure.
Conclusion
Despite the typically grim statistics and trends surrounding the threat landscape and human cyber risk, we bring good news.
Participation in a gamified, adaptive learning model-based training program reduces risk and improves cyber skills for employees in any industry, background, or location.
It cannot be overstated how important it is to reveal dwell time and threat detection in training and connect them to the real-world context.
A threat report reduces risk more than any other action. The faster it is submitted and responded to, the less damage the social engineering attack will cause.
According to the 2023 IBM/Ponemon Cost of a Data Breach study, there is a difference of over one million dollars between breaches identified and contained before 200 days of initiation and those contained after. The study also found that poorly trained employees were the most significant cost amplifiers, while well-trained employees were the most significant cost-mitigating factors. Speed and skill in cybersecurity behaviour can save companies millions.
By understanding our people, we can better protect ourselves from malicious actors.