The SANS Institute has released its annual Security Awareness Report®, titled ‘Managing Human Risk,’ which highlights the critical importance of understanding and managing human cyber risks in the face of ever-evolving cyber threats. With the increasing sophistication and reach of phishing, vishing, and smishing attacks, the report aims to guide organizations in proactively managing human cyber risks and transforming their risk landscapes.
According to Lance Spitzner, SANS Security Awareness Director and co-author of the report, the digital world’s rapid expansion has made the human element of cybersecurity a primary target for cyber threats globally. The report serves as a compass for organizations to navigate and actively mitigate human risks. By analyzing data from nearly 2,000 participants across 80 countries, the report provides valuable insights and practical approaches to empower organizations in their risk management efforts.
One of the key findings of the report is the identification of the top human risks organizations face. These risks include phishing, vishing, and smishing attacks, which have become increasingly sophisticated. Additionally, managing password and authentication risks, fostering a security culture for effective detection and reporting, and addressing IT Admin Misconfigurations, especially in complex cloud environments, are also major challenges.
The report also sheds light on the perspective of organizational leadership regarding security awareness. According to the findings, security awareness remains largely considered a part-time commitment within organizations, with 70% of security awareness practitioners dedicating only half or less of their working time to it. This highlights the ongoing challenge of making continuous cybersecurity awareness a priority in day-to-day operations.
Moreover, the report reveals that professionals specializing in human risk management earn up to 5% more than their peers in broader security roles. This emphasizes the growing demand and value for skill sets focused on managing human cyber risks in the industry.
To increase program success and mitigate human cyber risks, the report suggests several key action items. One recommendation is to talk in terms of risk and align security awareness efforts with an organization’s strategic security priorities. By demonstrating how effective communications, training, and engagement can reduce human risk, security teams can gain leadership buy-in and motivate the entire organization to manage human cyber risks.
Furthermore, the report emphasizes the importance of leadership support for security awareness programs. It suggests dedicating time each month to collect metrics that showcase the impact and value of the program. By effectively communicating this value to leadership, organizations can ensure ongoing support and investment in security awareness initiatives.
The report also highlights the need to balance technical security with human-focused security. While technical security has been a major focus for organizations, the human side of security has often been overlooked. This can leave the workforce vulnerable to cyberattacks. To address this, the report recommends a starting point of a 10-to-1 ratio of technical to human-focused security professionals to bridge the gap and adequately manage human cyber risks.
In conclusion, the SANS 2023 Security Awareness Report® emphasizes the increasing importance of managing human cyber risks in today’s rapidly expanding digital world. By providing practical insights and actionable steps, the report equips organizations with the necessary tools to improve their human risk management strategies. It urges organizations to proactively invest in personnel, resources, and tools to effectively address the human dimension of cybersecurity risks.
To access the full report and benchmark your organization’s security awareness program against industry standards, you can download the SANS 2023 Security Awareness Report® “Managing Human Risk” here.
