Security Awareness Training – Osterman Research https://ostermanresearch.com
Insightful research that impacts organizations
Mon, 10 Mar 2025 18:08:45 +0000

Security Awareness Training as a Key Element in Changing the Security Culture – multi-client white paper https://ostermanresearch.com/2020/09/30/orwp_0332/ Tue, 29 Sep 2020 23:00:00 +0000 https://ostermanresearch.com/?p=19

Sponsored by Infosec, KnowBe4, MediaPRO and Mimecast

Published September 2020

Executive summary

The goal of any corporate security infrastructure is to protect corporate data, access to on-premises and cloud-based systems, various types of sensitive information like login credentials and customer data, and even the physical assets used to manage networks and endpoints.

The conventional method of accomplishing the objective of securing these assets has been the deployment of various types of security hardware, software and cloud services, including firewalls, endpoint detection and response solutions, anti-virus software, secure email gateways, web application firewalls, and a host of other solutions. Underscoring just how important this approach has been is the fact that at least 2,336 vendors of these types of solutions currently operate worldwide, with new entrants joining the market continually.

However, cybersecurity technology can go only so far in protecting an organization. Because bad actors increasingly target users of corporate systems and services, these users must be adequately equipped to deal with a growing variety of threats directed at them, sometimes specifically at their role within the organization. Consequently, good security awareness training is essential in protecting the organization from security threats and the damage they can cause. But the goal of security awareness training should be the development of fundamental change in users – change in the way they think about security – that will translate into the development of a robust security culture.

Includes both our white paper and the associated survey report.

Request a copy

By downloading this white paper, you are opting into receiving marketing communications from Osterman Research and any of the sponsors of this white paper
A Conversation About New Security Threats Arising from the COVID-19 Crisis with Stu Sjouwerman, CEO of KnowBe4 – Podcast https://ostermanresearch.com/2020/04/09/podcast-new-security-threats/ Wed, 08 Apr 2020 22:00:00 +0000 https://ostermanresearch.com/?p=492
Listen to the podcast episode (11 minutes)

How are bad actors exploiting the COVID-19 crisis through the use of innovative techniques and in the sheer volume of the threats they’re sending? What are some new ways that cyber criminals are taking advantage of this crisis? What might we expect to see over the next couple of months and how can we prepare for them?

Join us for this discussion with Stu Sjouwerman, CEO of KnowBe4 as we explore these and other questions about dealing with human security during times of crisis.

The Value of Threat Intelligence – White Paper https://ostermanresearch.com/2019/11/25/orwp_0316/ Sun, 24 Nov 2019 23:00:00 +0000 https://ostermanresearch.com/?p=883

Published November 2019

Sponsored by Cofense, DomainTools, Proofpoint and Spamhaus Technology.

Executive Summary

Cyber security is an ongoing battle between sophisticated and well-funded bad actors and those who must defend corporate networks against their attacks. The bad news is that the latter are typically not winning. A recent Osterman Research survey found that while most organizations self-report that they are doing “well” or “very well” against ransomware, other types of malware infections, and thwarting account takeovers because of the significant emphasis placed on these threats, they are not doing well against just about every other type of threat. These include protecting data sought by attackers, preventing users from reaching malicious sites after they respond to a phishing message, eliminating business email compromise (BEC) attacks, eliminating phishing attempts before they reach end users, and preventing infections on mobile devices.

The missing component for most organizations is robust and actionable threat intelligence added to their existing security defenses. Threat intelligence can be segmented into four subcategories:

  1. Strategic (non-technical information about an organization’s threat landscape)
  2. Tactical (details of threat actors’ tactics, techniques and procedures)
  3. Operational (actionable information about specific, incoming attacks)
  4. Technical (technical threat indicators, e.g., malware hashes)

The use of good threat intelligence can enable security analysts, threat researchers and others to gain the upper hand in dealing with cybercriminals by giving them the information they need to better understand current and past attacks, and it can give them the tools they need to predict and thwart future attacks. Moreover, good threat intelligence can bolster existing security defenses like SIEMs and firewalls and make them more effective against attacks. Threat intelligence plays a key role in proactive defense to ensure that all security programs are relevant to the fast-evolving threat landscape. This is particularly valuable in security awareness training to ensure users are familiar with known threats.

The ROI of Security Awareness Training – White Paper https://ostermanresearch.com/2019/08/19/orwp_0313/ Mon, 19 Aug 2019 00:00:00 +0000 https://ostermanresearch.com/?p=908

Published August 2019

Sponsored by CybeReady, Infosec, KnowBe4 and Mimecast

Executive Summary

Technology-based security solutions like firewalls, endpoint detection and response solutions, secure email gateways, desktop anti-virus, cloud-based malware and spam filtering are essential elements of a security infrastructure. However, too many decision makers neglect another important element that’s necessary to keep networks, data, applications, and financial resources safe: the human beings who interact with them.

Security awareness training is designed to bolster users’ ability to recognize threats like phishing attempts, unusual requests that purport to be from their company’s CEO, malicious advertising on web pages, and a host of other threats that are designed to trick users into doing something that can wreak havoc within an organization. Users who are well trained on security issues will be more skeptical and more careful about opening emails, clicking on social media links, or visiting web pages without first checking for clues about their validity.

This white paper reviews the results of an in-depth survey of organizations conducted by Osterman Research during May and June 2019. This paper discusses the financial justification for deploying a robust security awareness training program and demonstrates the significant return-on-investment (ROI) that can result.

10 Proven Security Awareness Tips – Webinar https://ostermanresearch.com/2018/12/10/webinar-10strategies-infosec/ Mon, 10 Dec 2018 03:00:00 +0000 https://ostermanresearch.com/?p=670

Sponsored by: InfoSec Institute

On this episode of the CyberSpeak with InfoSec Institute podcast, Michael Osterman, president and analyst at Osterman Research, shares security awareness tips and strategies that organizations can implement immediately. Lisa Plaggemier, chief evangelist at InfoSec Institute, joins in the discussion, which is moderated by InfoSec Institute’s Camille DuPuis.

A new study from Osterman Research shows that while most companies have a security training and awareness program, the majority of teams running those programs have very low confidence in their effectiveness. In fact, just 45% of security professionals believe their users can recognize phishing attempts, largely because they feel their training is inadequate.

Listen to the podcast

Best Practices For Implementing Security Awareness Training – Webinar https://ostermanresearch.com/2018/11/27/webinar-security-awareness-training-mimecast/ Tue, 27 Nov 2018 03:00:00 +0000 https://ostermanresearch.com/?p=667

Sponsored by: Mimecast

More than 90% of security breaches involve human error, with careless mistakes ranging from lost or stolen laptops to clicks on malicious links in phishing emails. To change security behavior, employees need to know what to do, care enough to improve and then do what’s right when it matters. Yet people are creatures of habit and can be resistant to change in their daily lives.

An effective – and we stress effective – security awareness program will change behavior and lower risk. Grab a coffee and watch this on-demand webinar at your convenience. You’ll hear from Michael Osterman, President, Osterman Research Inc. and Michael Madon, SVP & GM, Mimecast Security Awareness Products on the state of the industry. You’ll walk away with strategies to change employee behavior and make your company more secure with an effective awareness training program.

Register to watch the recording

Information Workers’ Messaging, BYOD and Social Media Practices – Infographic https://ostermanresearch.com/2016/06/09/infographic-iw-messaging-byod-social-media/ Thu, 09 Jun 2016 00:00:00 +0000 https://ostermanresearch.com/?p=259

Survey Reports – 2015 and Earlier https://ostermanresearch.com/2015/12/31/survey-reports-2015-and-earlier/ Wed, 30 Dec 2015 23:00:00 +0000 https://ostermanresearch.com/?p=423

Here’s our list of survey reports from 2015 and earlier.

  • Results of a Survey on Archiving and Defensible Deletion Practices (September 2015)
  • Archiving, Migration and Compliance in Microsoft Office 365 (July 2015)
  • Survey Report on Mobile Archiving (May 2014)
  • Best Practices for Email, Web and Social Media Security (January 2014)
  • Results of a Survey on Cloud Computing (November 2013)
  • Results of a Survey on Microsoft Office 365 (July 2013)
  • Security Awareness Training Effectiveness Report (July 2013)
  • Managing BYOD in Corporate Environments (June 2013)
  • Results of a Survey on Encryption in Mid-Sized and Large Organizations (April 2013)
  • Results of a Survey With Email Users (April 2013)
  • Results of a Survey on the Use of Email, Social Networking and Other Applications (April 2010)
  • Results of a Survey on 2010 Messaging Issues (February 2010)
  • Results of an End User Survey on the Use of Communications Tools (September 2009)
  • The Importance of Social Networking Tools Relative to Conventional Tools (May 2009)
  • Computing Activities in Large and Small Organizations (May 2009)
  • The Impact of the Economy on 2009 Spending Plans (January 2009)
  • Results of an End User Survey on Communication Issues (October 2008)
  • Results of Two End-User Surveys on Email, Attachment and Password Management Issues (June 2008)
  • Results of Two End-User Surveys on Messaging and Productivity Issues (April 2008)
  • Results of a Survey on Messaging and Application Issues (August 2007)
  • A Survey of Email Users (January 2007)

Request a Copy

Do you want a copy of a survey report from 2015 or earlier? Please let us know which one – thanks.