The 7 Deadly Sins of SAT

Tuesday, February 2nd 2021

Security Awareness Training (SAT) just isn’t working: for companies, for employees, for anybody. 

By 2022, 60% of large organizations will have comprehensive SAT programs (source: Gartner Magic Quadrant for SAT 2019), and global spending on security awareness training for employees is predicted to reach $10 billion by 2027. While this adoption and market size seem impressive, SAT in its current form is fundamentally broken and needs a rethink. Fast.

There are 7 fundamental problems with SAT today:

1. It’s a tick box

SAT is seen as a “quick win” when it comes to security – a tick box item that companies can do in order to tell their shareholders, regulators and customers that they’re taking security seriously. Often the evidence that these initiatives have been conducted matters far more than their effectiveness.

2. It’s boring and forgettable

Too many SAT programs are delivered once or twice a year in unmemorable sessions. However we dress it up, SAT just isn’t engaging. The training sessions are too long, the videos are cringeworthy, and the experience is delivered through clunky interfaces reminiscent of CD-ROM multimedia from the 90s. What’s more, after just one day people forget more than 70% of what was taught in training, while 1 in 5 employees don’t even show up for SAT sessions.

3. It’s one-size-fits-all

We give the same training content to everyone, regardless of their seniority, tenure, location, department, etc. This is a mistake. Every employee has a different security profile (strengths, weaknesses, access to data and systems), so why do we insist on giving everybody the same material to focus on?

4. It’s phishing-centric

Phishing is a huge risk when it comes to Human Layer Security, but it’s by no means the only one. So many SAT programs are overly focused on the threat of phishing and completely ignore other risks caused by human error, like sending emails and attachments to the wrong people or sending highly confidential information to personal email accounts.


5. It’s one-off

Too many SAT programs are delivered once or twice a year in lengthy sessions. This makes it really hard for employees to remember the training they were given (when they completed it five months ago), and the sessions themselves have to cram in too much content to be memorable. 

“You can’t take a ‘big bang’ approach to data privacy awareness training. To really see employees empowered, you have to constantly reinforce training.”
Ted Crawford, CIO at ERG

6. It’s expensive

So often companies only look at the license cost of a SAT program to determine costs—this is a grave mistake. SAT is one of the most expensive parts of an organization’s security program, because the total cost of ownership includes not just the license costs, but also the total cost of all employee time spent going through it, not to mention the opportunity cost of them doing something else with that time. 

“We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained. … There are three fundamental problems with any awareness campaign. First, it’s often irrelevant to the user. The second: that training is often boring. The third: it takes a big chunk of money out of the business. … You’re asking people to take 30 minutes times 30,000 people globally. That’s a big number, and in my case, I have to do around 12 modules a year.”
Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential

7. It’s disconnected from other systems

SAT platforms are generally standalone products that don’t talk to other parts of the security stack. This means organizations aren’t using the intelligence these platforms gather to drive better outcomes in their security practice (preventing future breaches), nor are they using it to improve and iterate on the overall security culture of the company.

The solution? SAT 2.0

So, should we ditch our SAT initiative altogether? Absolutely not! People are now the gatekeepers to the most sensitive systems and data in the enterprise and providing security awareness and training to them is a crucial pillar of any cybersecurity initiative. It is, however, time for a new approach—one that’s automated, in-the-moment, and long-lasting. Read more about Tessian’s approach to SAT 2.0 here.