Companies today are hugely reliant on information systems. Since those systems are the target of a growing number of attacks, companies face a major challenge in reducing the risks to these indispensable assets. Security incidents carry significant risk: they can, for example, disrupt normal business operations or involve the theft of personal data, which in turn can lead to severe regulatory sanctions. Cyber attacks also have a considerable financial impact. According to estimates by Bitkom e.V., financial losses caused by cybercrime in Germany in 2019 ran to EUR 102.9 billion, and Bitkom noted that cybercrime has been steadily worsening in recent years. Moreover, any such figures are likely to be substantial underestimates, since many companies never learn that they have been the victim of an attack or, fearing negative publicity, make deliberate efforts to keep attacks out of the public eye.
As a result, companies invest significant sums in technologies to protect their information systems and data. Yet technical controls, however necessary, should never be the only means of protection. As technical barriers such as firewalls grow ever stricter and it becomes more expensive to penetrate a system by technical means, attackers are changing tack and targeting a vulnerability that is far easier to reach: employees. Human beings have long been regarded as the weakest link in the security chain, and a large share of successful attacks can be traced back to human error. Many IT managers share this view. In a global management survey (EY Global Information Security Survey 2018-2019), 34% of companies named careless and uninformed employees as the biggest threat to the company's information security (IS).
Consequently, companies invest a great deal to prevent their employees from serving as an open door for cyber criminals. Security guidelines are designed to give every employee a clear, personal role in thwarting attacks. But employees do not always stick to guidelines. Security awareness is one of the supporting factors that increases the likelihood of guideline-compliant behavior. Security awareness, or more specifically information security awareness, covers two key aspects: what employees know about information security, and how well they understand it, including the relevant guidelines and policies.
We differentiate between three levels of security awareness:
1. The first level is perception. Security awareness begins with the ability of employees to recognize an event that is relevant to information security as a potential risk to themselves or to the business.
2. The second level is understanding. This means the ability of employees to comprehend the mechanisms behind potential attacks and cases of fraud.
3. The third level is a forward-looking perspective. Comprehensive security awareness means being personally aware that anyone, including oneself, can be affected by an incident, and knowing what countermeasures can be taken.
Unsurprisingly, companies most often attempt to raise employees' security awareness through training, and many have recognized greater security awareness as a top priority. Building an organization with a high level of security awareness requires appropriate security awareness training combined with phishing simulations, since 15% of all security incidents can be traced back to phishing emails (Verizon 2020 Data Breach Investigations Report). The market for web-based security awareness training is vast, and offerings vary widely. A few predefined criteria can help you make the right choice.
Our market study examined a range of offerings (e.g., from KnowBe4, SoSafe, lawpilots, and many more) and compared them against a comprehensive set of evaluation criteria. To make the comparison as fair as possible, we produced a detailed requirements catalog comprising 44 factors. We assessed the degree to which each factor was fulfilled, first with the providers and then with users. Our research produced three noteworthy insights:
1. Offerings for basic information security training are essentially identical. All providers cover topics such as data protection and current attack methods in IT security in detail, and in a way that inexperienced users can understand.
2. Approaches to the topic of phishing, however, differ greatly. Some providers address the issue only in theoretical training sessions; at the other end of the spectrum are providers that run simulated spear-phishing attacks tailored to every single employee. In between are all kinds of intermediate levels: automated phishing messages generated using open source intelligence (information gathered from freely available public sources), or emails crafted individually for the company as a whole.
3. There are also major differences in price. Companies with large numbers of training participants can find a decent basic solution for less than EUR 10 per person per year. That is not the case for smaller companies, for whom per-user costs are much higher, or for any business that wants manually crafted phishing emails for each employee.
More details are available in our comprehensive market studies. Talk to us today!
At CyberCompare, we regularly offer our customers independent recommendations for suitable providers of security awareness training. Ours is a 6-step approach based on past experience:
Alongside boosting awareness, it is often worthwhile reinforcing other aspects of IT security. CyberCompare helps prioritize these with its cybersecurity diagnosis, based on which we identify your most urgent needs and derive recommended actions.
Email us directly or give us a call (+49 711 811-91494) and we will be happy to provide additional information about our diagnostic process, tailored to your individual requirements. Alternatively, use our online diagnostic tool to test your cyber risk profile.