Why Your Business Can't Rely on Employee Cybersecurity Training
29 Oct 2025
The employee cyber security training programs implemented by most large companies don’t reduce the risk of their employees falling for phishing scams.
That’s the shocking conclusion of recent research evaluating the effectiveness of two common types of cybersecurity training.
Phishing is a deceptive tactic in which attackers impersonate trusted entities to trick individuals into revealing sensitive information like passwords, credit card numbers, or personal data. It continues to be the most common form of cyber attack, and leads to the greatest number of cyber infiltrations.
Testing the Defences
To test the effectiveness of anti-phishing training, researchers sent 10 different phishing email campaigns to 19,500 employees at UC San Diego Health over an eight-month period. They found that there was no significant relationship between whether an employee had recently completed mandated cybersecurity training and whether they then fell victim to a phishing email.
Researchers also tested whether sharing anti-phishing information after an employee fell for a phishing scam improved the employee's ability to detect a subsequent phishing attempt. However, once again, they observed very little difference in repeat failure rates.
In fact, embedded phishing training only reduced the likelihood of an employee clicking on a phishing link by a mere 2%.
Why Training Fails
Research study co-author Grant Ho said a key reason the anti-phishing training isn’t effective is that most employees don’t engage with embedded training materials. 75% of users in the study engaged with embedded training materials for a minute or less, and a third closed embedded training pages immediately, without reading them.
He recommended that organisations refocus their efforts to combat phishing on technical countermeasures.
Technical Countermeasures
One of the first and best lines of defence against phishing is to prevent malware and suspicious links before they can reach employees’ devices.
At Generic Systems Australia we combine the world’s leading Managed File Transfer solution, GoAnywhere, with Advanced Threat Protection to deliver a proactive, multilayered defence against both external threats and internal data leakage.
GoAnywhere provides secure encryption, access controls and audit trails for file transfers, while ATP enables your organisation’s email system to automatically detect and prevent phishing links and other malware from entering your organisation.
Here to Help
At Generic Systems Australia we have decades of experience helping Australian and New Zealand organisations protect themselves against malware and other cyber attacks. Our Migration Service makes the transition even easier for organisations who prefer to let their team get on with their regular work rather than taking time out to improve their IT plumbing.
If you’d like a no-cost, no-obligation discussion about how we could help you simply and affordably adopt an advanced MFT and ATP solution, please feel welcome to get in touch with me.
At Generic Systems Australia, we’re your local experts in Secure Managed File Transfer.
