By Farica Chang, Managing Principal
“Don’t click on suspicious links.”
If that’s the extent of your company’s cybersecurity training, you might as well tell your employees not to get scammed. The truth is, while your IT team has been repeating the same cautionary tales, cybercriminals have been engineering increasingly sophisticated attacks that exploit our inherent human nature—and they’re getting better at it every day.
Welcome to part four of our Powder Keg series, where we’re exploring the often-overlooked vulnerabilities that could devastate your business. Today’s focus? The dangerous myth that basic security awareness training is enough to protect your organization.
The Evolution of Social Engineering
Remember those obviously fraudulent emails, riddled with spelling errors and promising millions from a mysterious foreign prince? They’re practically extinct. Today’s cyber threats are far more insidious, crafted with such precision that even your most vigilant employees might struggle to detect them.
Thanks to generative AI and advanced social engineering techniques, phishing attacks have become nearly indistinguishable from legitimate correspondence. Studies consistently find that people struggle to detect the phishing attacks of today.
Engineering in a Socio-Technical World
Just as traditional engineers solve technical problems, social engineers—in this case, cybercriminals—solve human ones. When employees become adept at spotting traditional phishing attempts, these “engineers” develop new tactics that play on our blind spots, biases, and inherent trust in authority figures (which we explored more in this piece).
Though there’s some interesting research on what might make a person more susceptible to social engineering, ultimately, even your least likely employee can fall for it. And even your most prone can be saved through proper education—but more on that in a bit.
A Cautionary Tale: The $46.7 Million Mistake
Consider the case of Ubiquiti Networks, a cautionary tale that demonstrates just how devastating sophisticated social engineering can be. In 2015, the company fell victim to what’s known as a Business Email Compromise (BEC) attack—one that cost them $46.7 million, or approximately 10% of their cash position.
The attack was elegantly simple: Cybercriminals impersonated the company’s CEO and a company attorney in emails to the accounting department. Despite having internal regulations for urgent communications and financial compliance, the accounting team processed 14 international wire transfers over 17 days.
A subsequent investigation revealed no system breaches and no employee criminal involvement. The entire theft was accomplished through social engineering alone.
The FBI's Most Wanted
When Anderson Technologies recently spoke with the FBI St. Louis’ Hybrid Cyber Task Force about the most dangerous form of cyberattack, their response was unequivocal: “BEC, and the others don’t even come close.”
This assessment isn’t surprising. Business Email Compromise attacks don’t require sophisticated malware or system breaches. They rely on something far more vulnerable: human psychology.
And while you might think your team would never fall for such schemes, remember—Ubiquiti’s employees thought the same thing.
The Power of Proper Training
Now for some better news: employee security awareness training works—when it’s done right. Historical data shows that proper training can:
- Reduce phishing success rates by up to 70%
- Decrease overall security incidents, according to 90% of IT leaders
- Drop click rates on phishing emails from 27% to 2%
- Reduce incident recovery costs by an average of $270,000
But there’s a catch. These impressive statistics only hold true when training evolves as quickly as the threats do. That security awareness presentation from 2017? It might as well be from 1917, given how dramatically the threat landscape has changed.
Modern Training for Modern Threats
According to a 2018 literature review on employee cybersecurity education, gamified training, delivered as part of a multilayered initiative to raise awareness, is the way to go.
To effectively protect your business, security awareness training needs to be:
- Customized to Your Reality: Generic training modules won’t cut it. Your employees need to understand the specific threats targeting your industry and organization.
- Regular and Relevant: One-and-done annual training sessions are about as effective as trying to learn a language by reading a dictionary once and never touching it again. Combine them with regular, bite-sized sessions to keep security awareness training fresh and engaging.
- Practical and Interactive: Hands-on, scenario-based exercises improve retention and application of security principles far more than stale, hours-long slideshows.
- Reinforced Through Culture: Security awareness shouldn’t be a yearly checkbox—it needs to be woven into your company’s DNA, discussed regularly, and championed from the top down.
The Stakes Have Never Been Higher
As we’ve explored throughout this series, your business is sitting on multiple powder kegs—but inadequate security awareness training might be the most volatile.
In an era where a single cleverly crafted email can cost millions, comprehensive security training is far more than just an IT expense—it’s a business imperative.
So, when was the last time your IT team conducted mandatory, company-wide cybersecurity training?
Anderson Technologies: Real People Creating Business-Changing IT Solutions
For over 25 years, Anderson Technologies has leveraged our expertise for the benefit of our clients, supplying them with suitable, secure IT and strategic guidance for their technological future.
We’re a dynamic team of IT professionals with over 200 years of combined experience and specialist certifications to back up our knowledge. As a trusted advisor, we don’t just focus on today. We strive to take your technology light-years ahead of your competition and scale with your business’s success.
Ready to make 2025 your business’s best year yet? Contact us today to see how technology can help.