SANS 2023 Report: Managing human cyber risks amid AI threats

News Desk


In light of the increasing sophistication and global reach of AI-driven phishing, vishing, and smishing attacks, effectively managing human cyber risks has become more crucial than ever. The SANS Institute, renowned for its cybersecurity training, proudly announces the release of the SANS 2023 Security Awareness Report®, titled ‘Managing Human Risk.’ Drawing from the experiences of nearly 2,000 participants from 80 countries, this report emphasizes the escalating importance of human cyber risks, especially with 20% of organizations worldwide encountering security incidents involving remote workers in the past year.

Lance Spitzner, the SANS Security Awareness Director and co-author of the report, highlights the growing significance of the human element in cybersecurity as a primary target for global cyber threats. He explains that the report acts as a compass, guiding organizations not only to comprehend but also to proactively manage human cyber risks. By analyzing data from thousands of participants worldwide, the report reveals patterns and practical strategies empowering organizations to transform their human risk landscapes.

The report offers a comprehensive analysis and actionable steps for security professionals to enhance their awareness programs, advance their careers, and benchmark their programs globally using the Security Awareness Maturity Model®. A significant finding indicates that mature security programs, backed by robust teams and leadership support, are characterized by having at least three full-time employees dedicated to their Security Awareness Teams.

Key Findings:

1. Top Human Risks: The primary threats include Phishing/Vishing/Smishing attacks; Password/Authentication risks, which advanced tools can help mitigate; the challenge of fostering a security culture that supports effective Detection/Reporting; and the risk of IT Admin Misconfigurations, especially in complex cloud environments.

2. Leadership Perspective: Despite the importance of continuous cybersecurity awareness, security awareness remains predominantly viewed as a part-time commitment within organizations. A notable 70% of security awareness practitioners dedicate half or less of their working time to it this year, indicating the ongoing challenge of elevating its importance in daily operations.

3. Compensation: Professionals specializing in human risk management now earn up to 5% more than their peers in broader security roles, indicating the increasing demand and value for these skill sets in the industry.

Key Action Items to Increase Program Success:

1. Talk in Terms of Risk: Shift the perception of security awareness from a mere compliance effort to a human risk management endeavor. By aligning the program with strategic security priorities and demonstrating how it reduces human risk, gain leadership buy-in and the support of the Security Team.

2. Leadership Support: Regularly communicate the impact and value of your Security Awareness Program to leadership through metrics, key performance indicators, and success stories.

3. Team Size: Address the imbalance between technical security and human-focused security by investing in human-focused professionals. A recommended starting point is a 10-to-1 ratio of technical to human-focused security professionals.

Spitzner emphasizes that traditional yearly compliance-focused training is inadequate in today’s cyber threat landscape. The report offers practical and actionable advice to tackle the top human risks, secure adequate resources and budget, and improve human risk management strategies.

To access the full report and benchmark your program against industry standards, download the SANS 2023 Security Awareness Report® “Managing Human Risk” here.
