Cybersecurity Awareness Is Not Enough

This post was originally published in May 2020 and has been updated with new content.

If it seems like cybercriminals are always one step ahead of cybersecurity firms, it’s because they are. Cybersecurity spending is expected to reach $133.8 billion by 2022, while the cybersecurity awareness market is expected to reach $10 billion by 2027. The results of such spending, however, are not reflected in our current reality. Cybercrime continues to grow, attacks are becoming more sophisticated, and both people and technology are failing to keep up.

Thirty-seven billion records were breached in the US in 2020, while ransomware increased 288 percent in just the first half of 2021. And while 50 percent of CEOs and other C-suite executives view cybersecurity as a top priority, only 26 percent of employees agree.

The collective losses of recent cyberattacks are insurmountable, and the prospect of the situation getting worse is all but guaranteed. Cybersecurity awareness is a worthwhile investment, but it isn’t cybersecurity.

The difference between cybersecurity awareness and cybersecurity vigilance

Cybersecurity awareness training wisely focuses on the human element of cyberattacks—the mistakes that open the doors to a business’s systems and data. In phishing training, we’re taught to choose difficult passwords, change them frequently without ever sharing them, never click on a phishing link, and follow a variety of other best practices. In a perfect world, we would follow these rules.

In the imperfect world where most of us live, these best practices are easily forgotten and frequently ignored. For businesses that provide training, sessions often happen on an annual basis—plenty of time for employees to forget everything they learned. Additionally, in a 12-month time span, cybercriminals will advance their methods in ways that make the prior training sessions obsolete.

Most training programs teach the do’s and don’ts of cybersecurity and raise user awareness about the issues, but they do not guarantee that employees will go about their workday—months from now—and give any consideration to what they’ve learned. That requires vigilance. The difference is that awareness is knowing a cyberattack is possible, while vigilance is anticipating it and acting quickly and responsibly when it happens.

The question then is: How do you shift your business’s mindset from cybersecurity awareness to cybersecurity vigilance?

Technology is only one part of the solution

Technology moves fast. Hackers move faster. While most businesses spend considerable amounts of money to keep their technology up to date, the game of cat and mouse between cybercriminals and cybersecurity companies is endless. A software patch is released. A new vulnerability is exposed. A ransomware decryption key is released. An improved strain follows. A phishing email is blocked. It reappears days later sent by a new IP address. Technology is a start, but technology isn’t cybersecurity.

No cybersecurity solution is capable of blocking all threats. This makes reinforcements necessary, and they come in the form of people—sometimes called the weakest link in cybersecurity. In reality, they’re your last line of defense when technology fails, and it’s why hackers consistently attempt to manipulate employees into making mistakes.

Creating a vigilant community

People-based cyberattacks grew more than any other type over the last year, according to Accenture, with malware and ransomware attacks growing by double digits. In the 2021 Data Breach Investigations Report, Verizon found that social engineering (phishing and spear phishing) was responsible for 85 percent of credential compromise in 2020, while phishing was the number one form of social attack. If hackers are going to come after your employees, it will be via one of the above threats.

Although the rate of employees clicking on phishing emails has gone down thanks to phishing awareness training, the rate of reporting remains dismal. Only 17 percent of phishing emails are reported to IT, according to Verizon. This contradiction reveals that while employees might be better at recognizing phishing emails, they might have no understanding of how anti-phishing technology works and how critical reporting is to the efficacy of a solution.

As part of cybersecurity awareness training, users should be educated about how anti-phishing technology works to protect them and how it can be improved with their help. For example, reporting a phishing email to IT sets in motion a string of events that your users likely don’t understand.

An email filter that missed a phishing email needs fine-tuning to recognize the email if a hacker attempts to redeliver it, which they probably will. Simply adding an IP to a blacklist is not enough. New rules need to be written and AI algorithms, which rely on inputs from people, need additional training. If a user deletes the email rather than reports it, neither of those mitigating actions can take place. The email will come back, and someone will eventually click on it.

The best way to ensure it never returns is to give the AI engine the data it needs to improve—a feedback loop between the user and the AI. The result is a more intelligent, autonomous engine that will make the right decisions and correct itself when it makes mistakes.
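The following added example (not code from the original post or from any vendor's product) illustrates why a user report that only feeds an IP blacklist misses a redelivery, while a rule learned from the reported message's content still matches. The sample messages are constructed, and the `ReportDrivenFilter` class and the choice of link host as the learned feature are assumptions made for illustration.

```python
import email
import re
from email import policy
# Constructed sample messages (not real traffic); IPs use documentation ranges.
REPORTED = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
From: "IT Support" <support@example.net>
Subject: Password expires today

Reset it now: http://login.portal-example.test/reset?id=1234
"""
# Same lure redelivered from a new sending IP with a fresh tracking id.
REDELIVERED = REPORTED.replace("203.0.113.10", "198.51.100.77").replace("id=1234", "id=9876")
BENIGN = """\
Received: from mx.example.org (mx.example.org [192.0.2.5])
From: hr@example.org
Subject: Holiday schedule

See https://intranet.example.org/holidays
"""

def features(raw):
    """Extract the sending IP and the set of link hosts from a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s:]+)", msg.get_content())}
    return {"ip": ip.group(1) if ip else None, "hosts": hosts}

class ReportDrivenFilter:  # hypothetical filter, for illustration only
    def __init__(self):
        self.bad_ips, self.bad_hosts = set(), set()

    def learn_from_report(self, raw, use_content=True):
        f = features(raw)
        if f["ip"]:
            self.bad_ips.add(f["ip"])
        if use_content:  # the "new rule" written from the user's report
            self.bad_hosts |= f["hosts"]

    def blocks(self, raw):
        f = features(raw)
        return f["ip"] in self.bad_ips or bool(f["hosts"] & self.bad_hosts)

def demo():
    ip_only, with_content = ReportDrivenFilter(), ReportDrivenFilter()
    ip_only.learn_from_report(REPORTED, use_content=False)
    with_content.learn_from_report(REPORTED)
    return (ip_only.blocks(REDELIVERED), with_content.blocks(REDELIVERED), with_content.blocks(BENIGN))
```

If the user deletes the message instead of reporting it, `learn_from_report` is never called and both filters pass the redelivered copy.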

Training your users to understand the technology designed to protect them teaches your users the limits of cybersecurity when people are the target and their role in strengthening it. Knowing they are actively involved in the evolution of the technology and experiencing the benefits of the improvements is what encourages users to report. In the same way cybersecurity experts form communities—often composed of competing vendors—you’re creating a community of reporters who are actively involved in protecting your business and, ultimately, their own livelihoods.

Moving beyond awareness and toward vigilance also requires reinforcing cybersecurity training when a user commits an error that could lead to a breach. Clicking on a phishing link, for example, is a serious error that could lead to significant consequences. Providing a user with training at the time of click corrects the bad behavior, reinforces best practices, and creates habit-forming vigilance.

