SURVEY REPORT SPON. Security Awareness Training Effectiveness Report. Results of a Survey of KnowBe4 Customers and Non-Customers. Published July 2013


An Osterman Research Survey Report, sponsored by KnowBe4

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman

EXECUTIVE SUMMARY

Anti-phishing solutions are critical in protecting an organization from the infiltration of phishing, spearphishing, whaling and other email- and Web-based attacks that can create financial loss, theft of intellectual property and other serious problems. However, no technology-based solution can overcome the problems caused by users who mistakenly or carelessly click on suspect links and thereby introduce malware into the corporate network. Consequently, users remain the first level of a layered defense system in protecting an organization from these attacks, and so must receive appropriate Security Awareness Training in order to recognize phishing characteristics and know what to do when confronted with them.

Our research demonstrated that KnowBe4's Security Awareness Training system provides:

- A significant and positive impact on the confidence that security-focused IT professionals have in their employees' ability to recognize and thwart a phishing attack.
- A much more positive view about improvements in the state of overall email security at the organizations that have implemented it.

OVERVIEW

In order to understand the efficacy of various types of Security Awareness Training, Osterman Research conducted two market research surveys: one survey (135 respondents) was conducted with the Osterman Research survey panel, while the other (113 respondents) was conducted with customers of KnowBe4's Security Awareness Training solutions. The online surveys were conducted during July 2013. Only decision makers and/or influencers familiar with their organization's security management and/or Security Awareness Training were permitted to complete the survey.
KEY FINDINGS FROM THE RESEARCH

FIVE APPROACHES TO SECURITY AWARENESS TRAINING

There are five basic types of Security Awareness Training that organizations can employ to educate their users about phishing and related types of attacks:

- The Do Nothing Approach: The organization conducts no Security Awareness Training.
- The Break Room Approach: Employees are gathered for a lunch or special meeting and told what to avoid when surfing the Web, in emails from unknown sources, etc.
- The Monthly Security Video Approach: Employees view short security awareness training videos to learn how to keep the network and organization safe and secure.
- The Phishing Test Approach: Certain employees are pre-selected, sent a simulated phishing attack, and then IT determines whether they fall prey to it.
- The Human Firewall Approach: Everyone in the organization is tested, the percentage of employees who are prone to phishing attacks is determined, and then everyone is trained on the major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.

© 2013 Osterman Research, Inc.

Not surprisingly, our research found that KnowBe4 customers are most likely to use the Human Firewall Approach, given that this approach is the one promoted by the company. Non-customers, on the other hand, are most likely to use the Break Room Approach or to do nothing, as shown in the following figure.

[Figure: Security Awareness Approaches in Use]

MALWARE INFILTRATION

Our research found that KnowBe4 customers have had a slightly higher level of malware infiltration over the past 12 months: a mean of 7.4 infiltrations versus 6.2. We believe this is because an organization is more likely to implement some sort of specialized Security Awareness Training for its employees if it has had a serious problem with malware infiltration, for example as a result of phishing attacks. Consequently, we believe that the higher level of malware infiltration is a key motivator for adoption of systems like KnowBe4's, not a result of their use. The fact that 42% of KnowBe4's customers in our survey are banks or credit unions (as opposed to 17% in the control group) is also probably contributing to this difference, since this is the industry with the highest percentage of phishing attacks.

BENEFITS OF THE HUMAN FIREWALL APPROACH

Our research found that there is a significant difference between KnowBe4 customers and non-customers with regard to confidence in employees' ability to detect and thwart phishing attacks. When asked to rate their confidence that all employees are well trained to deal with phishing attacks on a scale of 1 (not confident at all) to 100 (very confident), KnowBe4 customers gave a confidence score 29% higher than non-customers. Similarly, when respondents were asked to rate their employees on the same scale with regard to whether or not employees will refrain from clicking on phishing links, KnowBe4 customers' confidence score was 40% higher than that of non-customers.

[Figure: Confidence in Employee Training and Behavior, 1 (No Confidence at All) to 100 (Very Confident)]

We wanted to determine whether the fact that non-KnowBe4 customers have a much higher rate of doing nothing about Security Awareness Training contributed to the much lower confidence scores for non-customers. However, even after eliminating all of the Do Nothing responses from both the KnowBe4 customer data set and the non-customer data set, we found only a minor improvement in the confidence scores for each population, as shown in the following figure.

[Figure: Confidence in Employee Training and Behavior Among Organizations That Conduct at Least Some Security Awareness Training, 1 (No Confidence at All) to 100 (Very Confident)]

FREQUENCY OF EMPLOYEE TRAINING

Our research also discovered that employees at KnowBe4 customers received substantially more exposure to Security Awareness Training than non-customers: an average of 40 days per year versus 12 days per year, as shown in the following figure. Of course, this does not imply that employees are investing 2.5 times more work-hours in the training process, but merely that there are 2.5 times more days per year during which employees of KnowBe4 customers receive some sort of Security Awareness Training, in the form of a simulated phishing attack in their inbox.

[Figure: Frequency of Employee Training]

IT FOCUS ON SECURITY ISSUES

Our research found that the IT departments of both KnowBe4 customers and non-customers focus nearly the same level of effort on security-related issues. The IT staff of KnowBe4 customers spend 24.4% of their time focused on some sort of security-related issue, compared to 22.9% for non-customers. This implies a couple of things:

- First, that the Security Awareness Training activities of both survey populations have roughly the same level of impact on the time demands of the respective IT departments. In other words, despite the fact that KnowBe4 customers' employees receive more days of exposure to Security Awareness Training, this has minimal impact on the resource demands of the corporate IT department.
- Second, that both populations face roughly the same issues with regard to dealing with security-related issues.

IS THE PROBLEM GETTING BETTER?

Perhaps the most telling result from our research was the discovery that KnowBe4 customers are nearly three times more likely than non-customers to find that their phishing problem has gotten better over the past year, while roughly the same proportion believes it has gotten worse, as shown in the figure below. We attribute the significantly greater proportion of "getting better" responses to the efficacy of the Security Awareness Training model provided by KnowBe4.

[Figure: Perception of Changes in the Phishing Problem Experienced Over the Past 12 Months]

SUMMARY

KnowBe4's Security Awareness Training has provided a positive and measurable impact in the organizations that have implemented it. This can be measured both in the confidence level that security-focused IT professionals have in their employees' ability not to fall prey to a phishing attack, and in the perception about improvements in the phishing problem that organizations have experienced.

"I am totally pleased with the training. We have just implemented the product and we have had great feedback from the employees. I can't imagine any SMB not wanting it!"
Information Security Officer at a US-based bank

© 2013 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.