Human vulnerability remains top threat: Report

There is nothing wrong with a company taking this initiative, says Arctic Wolf — as long as it takes the time to develop a high-quality program that reinforces key security concepts at regular intervals. But according to the survey, of the companies with a security awareness program, only 42% use weekly topics and lessons, more than half have a monthly rhythm, and 7% require their employees to complete these lessons only once a year.

Furthermore, only 77% simulate phishing attacks. For the remaining 23%, the programs are based exclusively on lessons or explanations to explain possible phishing emails to their users. This is better than not educating users about how to identify phishing and report phishing attempts, comments training provider Arctic Wolf on the result, but not as effective as the practical approach with simulated phishing emails.

More transparency about security incidents

Another interesting result of the study: When it comes to security incidents, companies have become significantly more transparent. Last year, only 26% of those affected worldwide decided to disclose all or at least some of the information about their incident, but in the current study period two thirds (66%) made this information public. A third (30%) informed only the parties concerned.