75% of Executives Cite Phishing as Most Significant Security Threat to Businesses

Staff Report

Monday, September 30th, 2019

CybeReady, the only autonomous cybersecurity training platform for enterprises, released "The State of Security Awareness Training", a new white paper highlighting executive concerns with phishing, business email compromise (BEC) and the unsatisfactory results organizations are experiencing despite an increase in investment and effort. This paper is based on findings from the Osterman Research white paper, "The ROI of Security Awareness Training".

According to Osterman Research's recent study, which surveyed 230 respondents at organizations with a median of 1,006 employees from May-June 2019, phishing attacks topped the list of concerns for decision makers, with nearly 75 percent of executives citing phishing emails as the most significant threat. The same group of executives regards training as a better way to deal with this threat than technology alone. Despite this, approximately 60 percent of users receive training less than once a quarter, meaning employees aren't being adequately trained even with current solutions.

"Security awareness training should be a key element of any organization's security posture. However, there is currently a gap in the awareness training market which needs to be filled with more effective solutions," said Michael Osterman, founder of Osterman Research. "Just like the right technology, such as firewalls or endpoint detection and response solutions, can protect an organization's data and financial assets from theft or destruction, so can the right employee training. A good security awareness training program can provide a significant ROI and pay for itself in a relatively short time."

Key takeaways from the CybeReady paper include:

75% of security decision makers are highly concerned with phishing attacks

58% of decision makers view awareness training as superior to technology solutions when dealing with phishing

Awareness training budgets are increasing faster than security budgets

Employees receive additional training minutes, yet most awareness training programs fail to demonstrate change in employee behavior towards phishing attacks

A better awareness program should include continuous, data-driven training with adaptive and customized capabilities

A more effective training program does not mean more dollars or training time, but rather a training program that engages employees without taxing security teams

"After failing a phishing simulation, employees spend approximately 30 seconds to understand what they did wrong," said Shlomi Gian, CEO of CybeReady. "An effective training program should run continuously, be focused and memorable. The recently released Osterman Research report is another piece of evidence that existing programs do not address this need and enterprises keep spraying and praying."