2022-02-28

Security awareness training (SAT) is at the top of many security companies' lists for hardening defenses. Human error is a leading cause of data breaches, so it makes sense to teach employees how to avoid key mistakes. Danny Bradbury reports

Training is important, but is it enough on its own? Experts suggest that SAT is only one component in a more rounded approach to security that includes technology solutions.

SAT programs often focus on phishing protection. This form of cybercrime continues to be one of the top vectors of compromise. It has been a leading attack technique for the last two years, according to Verizon's 2021 Data Breach Incident Report, but the pandemic sent it into overdrive. It was a factor in 25% of breaches during 2020, but grew to 36% last year, the report said.

Phishing emails don't just dupe unwitting users into giving up their credentials. They're also a common delivery mechanism for email-borne toxins. The DBIR listed several popular malware types that arrive via email. These include programs that communicate with a command and control server and remote access trojans that access webcams, microphones, and keyboards. In-memory malware and ransomware are also featured on the list.

SAT Isn't Enough

An effective training campaign is important for stopping email-borne attacks, but cybersecurity awareness is harder than it looks. Last year, a global phishing test found one in five people clicking on links in phishing emails. Seven in 10 of them followed up by downloading a malicious file from the phishing website they visited. In what was surely an attempt to underscore the problem, the test was held during Cybersecurity Awareness Month.

In 2022, with cyber-attacks commonplace, why isn't our security awareness better? Anyone can wag a finger at staff in an airless room, but effective, sustainable SAT is rarely easy. Companies are resource-constrained and dealing with a pandemic that has sent many employees to work at home. The SANS Institute's 2021 Security Awareness Report found that time and budget showed up as typical impediments. The finance department also opposed security awareness training initiatives more often than it supported them.

Even when done properly, training on its own isn't a realistic form of defense, warn experts. For one thing, it puts an unreasonable burden on employees.

"SAT requires staff to act as human 'security sensors,'" points out an HP white paper on the topic. "It puts a lot of pressure on people to accurately and reliably identify attacks, which is an unrealistic expectation."

A Multi-Layered Approach

Instead, experts call for multiple layers of defense that complement SAT, ensuring that it isn't the only thing standing in an attacker's way.

"Organizations cannot rely solely on strong education," says Benoit Heynderickx, principal analyst at the Information Security Forum. "They should use the concept of defense-in-depth, adding multiple controls to protect themselves from potential security breaches." That way, when an errant user does finally forget and click on a link in a phishing email, it stands less chance of creating havoc.