June 24, 2022

Cybersecurity Awareness Training Results In Greater Employee Engagement

Tuesday, 26 October 2021 / Published in Blog, Mimecast


Organizations That Prioritize Cybersecurity Awareness Training See High Rates Of Employee-Reported Emails, Decreasing The Likelihood Of Email Threats Entering The Organization And Simultaneously Creating A Burden On IT Security Staff.

Key Points:

  • Employee reports of suspicious emails can be a distraction to IT and security staff, while infrequent cyber awareness training causes low employee reporting engagement.
  • Yet, there are few trained dedicated email analysts, and few organizations analyze all reported emails.
  • Automated analysis and triage of suspicious emails greatly reduces IT and security staff workload while providing a more timely and effective response to email phishing and other cyberattacks.

An Osterman Research paper, Assessing Organizational Readiness to Deal with Increased Employee Cyber Awareness, examines the effectiveness of cybersecurity awareness training and how email is evaluated as potentially suspicious, both by employees and IT security staff. Three hundred cybersecurity professionals in the United States and the United Kingdom at organizations with at least 1500 employees were surveyed.

The central finding of the research: email security is more essential than ever, given email’s long-standing position as the dominant threat vector. Yet few organizations have high confidence in both the available tools and employees’ awareness and ability to effectively assess and report malicious email messages. Organizations that combine an automated email incident response system with employee cybersecurity awareness training have proven better at identifying and preventing malicious email attacks, with the added benefit of reducing the administrative burden on IT and security staff.

Let’s take a look at some of the key findings:

  1. Email remains the dominant threat vector.

In Mimecast’s State of Email Security 2021, 58 percent of surveyed companies saw an increase in phishing attacks. And 60 percent were hit by an attack spread from an infected employee to other employees. In addition, according to the FBI, business email compromise attacks have decreased in volume, but have become more expensive with higher overall costs.

  2. Employee Engagement — When It’s Not a Good Thing

Increasing employee cyber awareness to report suspicious email is an important first layer of protection against email threats. However, the downside is that more than half of IT and security staff surveyed in the Osterman white paper felt employee reports of suspect emails are more a diversion than a help. That’s because it takes time for human analysts to sort through employee-reported emails, 90 percent of which typically prove benign.

Indeed, among those who characterized employee reports of suspicious emails as a diversion, the vast majority (87%) relied on human analysts or human intervention to investigate these reports, as opposed to automation tools to analyze, triage, and prioritize potential threats. Only 1% of respondents who outsourced the review of employee-reported emails felt this task was a burden or a diversion from key responsibilities.

  3. Employee Engagement — When It’s a Good Thing

Most security organizations seek to increase user awareness of malicious emails in two ways:

  • Warning banners on unsolicited emails from outside the organization and on other potentially suspicious content.
  • Regular cybersecurity awareness training: more than half of surveyed organizations (56%) provide it monthly. The remainder do so quarterly or less often, while only 15 percent train once a year or less.

Particularly noteworthy are the 16 percent of respondents who undergo daily training. This can be anything from an email on some aspect of cybersecurity, to a warning poster in an elevator, to a pull-up display reminding employees not to leave USB sticks unattended on their desks.

The cybersecurity awareness training has proven effective: eighty percent of respondents reported a direct correlation between training and an increase in user-reported emails. For organizations offering cybersecurity awareness training on a daily, weekly, or monthly basis, the rate of increase was greatest, with three-quarters (74%) reporting an increase of between three and ten times or more.

  4. Making Reporting Easy for Employees

Most organizations make it easy for employees to report messages, either with a button to click in the email client (34%) or a link to click in the email message itself (23%). The latter is considered preferable to forwarding a message to an abuse mailbox, which requires at least the extra step of locating and entering or selecting an email address. In addition, forwarding a message to an abuse mailbox usually requires a human analyst to review and remediate the suspicious message. Again, however, reliance on human analysts to evaluate reports of possibly malicious emails is a burden on IT security staff.

  5. Suspicious Email Reporting Accuracy Varies

At most organizations, almost half of employee-reported suspected email messages prove benign, which reinforces the problem of overtaxing IT security staff in determining email threats. What’s more, few organizations employ dedicated email analysts with sufficient professional training and tooling in threat identification and mitigation for email-borne threats, making it all the more difficult to adequately identify potentially malicious attacks.

Only 11 percent of surveyed organizations use software to automatically triage email messages reported as suspicious and remove these messages from mailboxes. Almost one-third of organizations rely completely on human analysts; in the wake of well-documented cybersecurity skills shortages, their time is almost certainly better spent elsewhere.

Three-fifths of organizations use some combination of automation plus human review. Without human intervention to make a definitive decision, remediating a suspicious email can result in false positives. Few security teams can afford to waste time on a mounting number of false positives, and even with technology solutions to address the problem of persistent false positives, it takes time to roll these out and maintain accuracy.

For benign email messages, 70 percent of organizations are able to analyze each email and close the incident in less than 10 minutes. For malicious email messages, it takes longer, up to 60 minutes per message.

  6. Most Organizations Do Not Analyze All Reported Email

Only about a quarter of surveyed organizations analyze all emails reported as suspicious. Nor did it seem to make a difference whether the organization relied primarily on human analysts or on some degree of automation. However, organizations relying solely on human analysis may be more prone to letting malicious email slip through; automation is better able to use similarity analysis to rule out variations of a known message.

Particularly interesting is that organizations that reviewed all reported emails received almost three times as many reports. Again, this increases IT and security staff workloads. At the same time, reviewing every report has real value: if employees don’t receive feedback on all their reports and consequently feel their actions are ignored or underutilized, reporting levels tend to drop, which creates a greater likelihood of malicious emails entering IT environments.

The Bottom Line

Effective cybersecurity awareness employee training helps defend against malicious emails; however, too much reliance on employee reporting and human analysis strains resource time and attention. Automated email analysis lowers dwell time and reduces the burden on IT and security staff, accelerating incident response and improving overall email security.
