In the course of researching phishing for our next awareness module, I Googled into a 2017 cybercrime report. It makes numerous dire predictions (such as "cybercrime will cost the world in excess of $6 trillion annually by 2021") and is stuffed to the gunwales with outrageously scary statistics (using "1,300 percent", for example, rather than a mere thirteen times).
While reading and evaluating the credibility of the report, I found myself strangely distracted by page 9 on "security awareness training":
"Cybersecurity Ventures expects 2018 to be the Year of Security Awareness Training — the breakthrough year when organizations globally take the (financial) plunge and either train their employees on security for the first time or double down on more robust and ongoing security awareness programs. Global spending on security awareness training for employees is predicted to reach $10 billion by 2027, up from around $1 billion in 2014. Training employees how to recognize and defend against cyber attacks is the most underspent sector of the cybersecurity industry. While the annals of hacking are studded with tales of clever coders finding flaws in systems to achieve malevolent ends, the fact is most cyber attacks begin with a simple email. More than 90 percent of successful hacks and data breaches stem from phishing, emails crafted to lure their recipients to click a link, open a document or forward information to someone they shouldn't. Training employees on how to recognize and react to phishing emails and cyber threats may be the best security ROI. ... Employee training may prove to be the best ROI on cybersecurity investments for organizations globally over the next 5 years."
That's almost the entire written content of the security awareness section. Those strident assertions (e.g. about the 'breakthrough year', and training being 'the most underspent sector') might as well have been plucked out of thin air.
The report's author, Cybersecurity Ventures, immodestly describes itself as "the world’s leading researcher and publisher covering the global cyber economy". Gosh. The commercial sponsor, Herjavec Group, tells us "Information Security Is What We Do. Full Stop." ... then continues.
Ever the cynic, I wonder if the report was written in such extreme terms simply in order to be quoted incessantly - and, yes, blogged about. Much as I would love to believe their claims about the meteoric rise of security awareness this year, somehow I doubt it will be much different to every other year. Despite the best efforts of awareness and training providers, I see no evidence of a massive change of heart. Yet. Unfortunately.
What we need is a more effective awareness campaign ... about the value of security awareness. Ironic really.