More and more, CIOs and IT managers are starting to understand the importance of training employees in cyber-security. Most companies train their employees on how to act in case of a fire, and some industries even provide training on how to proceed in case of a robbery. So why do companies overlook the importance of training them on how to react to cyber-threats?

Complacency is dangerous! Hackers will try to breach your security to access your company’s sensitive data, and they will target the weakest point: your employees.

Cyber-criminals aim to get results. They used to cast wide nets across the whole Internet, hoping to catch a few careless users. Nowadays, phishing and spear-phishing emails are crafted to be effective against a chosen target, often a specific company or even a specific employee. Attackers know that without proper and regular training, employees will fall for these scams, not just once, but repeatedly.

Several factors lead your employees to open the gates to a security breach:

  • The majority of employees can't spot a phishing email
  • They will probably click on the fraudulent link it contains
  • They will almost certainly fail to report the incident, because they do not realise it happened
  • If you provide only a single session of cyber-security training, there is a good chance they will not remember what they learnt at the moment it matters most.

It's also important not to forget the basics:

  • When any of us sees a link, something compels us to click on it; it's how we have been conditioned to react to blue underlined text: click, click, click!
  • Busy days and a fast-paced work environment mean we don't look twice at our inboxes; we often click on links automatically, without blinking or thinking twice.

You may have a state-of-the-art security plan, but it will be severely crippled if it leaves out one of your most valuable assets: your employees. Correctly trained, they can become one of the most effective shields against the cyber-threats that target your business.

To illustrate the point, look at the recent US Postal Service exercise. To avoid a new major data breach like the one it experienced last year (which exposed personal information of more than 800,000 current and former employees), the agency phished its own employees in order to test their reaction to a new scam. The results speak for themselves.

Of the 3,125 postal employees tested:

  • 25% clicked on the simulated malicious link in the test phishing email
  • 93% did not report the suspicious email to the appropriate department, as their internal policy requires

Note: the reporting failure is largely explained by the fact that 96% of the tested postal employees had not completed the agency's annual information security training, and so were unlikely to know that the reporting policy existed.

The lack of training is clearly a key factor in the failure to recognise phishing emails and to act effectively against them.