SANS Institute, the leading provider of cybersecurity training, has released the SANS 2023 Security Awareness Report®, titled ‘Managing Human Risk.’ With cyber threats becoming increasingly sophisticated, especially through AI-powered attacks such as phishing, vishing, and smishing, understanding and managing human cyber risks have become crucial. The report, based on insights from nearly 2,000 participants across 80 countries, highlights the escalating stakes in human cyber risks, especially considering that 20% of organizations globally reported security incidents involving remote workers in the past year.
Lance Spitzner, SANS Security Awareness Director and co-author of the report, emphasized the growing importance of the human element in cybersecurity. He stated, "The digital world is expanding rapidly, and with it, the human element of cybersecurity becomes ever more important as it evolves as a primary target for cyber threats globally." The report is designed to guide organizations in understanding and proactively managing human cyber risks by providing data-driven insights and practical approaches.
One of the key findings of the report is the identification of the top human risks, which include phishing, vishing, and smishing attacks, along with risks related to passwords and authentication. The challenge of fostering a security culture for effective detection and reporting is also highlighted, as well as the risk of IT admin misconfigurations, especially in complex cloud environments.
The report also sheds light on the perspective of leadership regarding security awareness. It reveals that security awareness programs are often considered part-time commitments within organizations. In fact, around 70% of security awareness practitioners dedicate only half or less of their working time to these programs. This finding underscores the ongoing challenge of elevating the importance of continuous cybersecurity awareness in day-to-day organizational operations.
Interestingly, the report indicates that professionals specializing in human risk management earn up to 5% more than their peers in broader security roles, signaling an increasing demand for these skill sets in the industry.
To increase the success of security awareness programs, the report suggests several key action items. It advises speaking in terms of risk to change the perception that security awareness is merely a compliance effort. By focusing on human risk management, organizations can align their programs with strategic security priorities, gain leadership buy-in, and resonate with security teams. Additionally, the report emphasizes the importance of leadership support and dedicating time to collect metrics about the program’s impact and value.
Another notable recommendation is to address the imbalance between technical security and human-focused security. While organizations often prioritize technical security, the human side is often overlooked, leaving the workforce vulnerable to cyberattacks. To bridge this gap, the report suggests a starting point of a 10-to-1 ratio of technical to human-focused security professionals.
Spitzner emphasized the need for a shift from traditional compliance-focused training to more effective approaches. "The traditional model of yearly compliance-focused training is inadequate in today's cyber threat landscape, so we've included practical, actionable advice throughout the report," he stated. The report aims to equip organizations with the necessary tools to improve their human risk management strategies and ensure proactive investments in personnel, resources, and tools to address the human dimension of cybersecurity risks effectively.
By providing critical data-driven insights and actionable steps, the SANS 2023 Security Awareness Report® 'Managing Human Risk' serves as a compass for organizations navigating the complex landscape of human cyber risks. It empowers security professionals to mature their awareness programs, advance their careers, and benchmark their programs globally using the Security Awareness Maturity Model®. To access the full report and benchmark your program against industry standards, download the SANS 2023 Security Awareness Report® 'Managing Human Risk.'