Why it’s time to stop blaming staff for breaches
Security awareness training has been the industry's answer to human error for decades. But what if the question asked has been wrong all this time?
01 April 2026
Security awareness training has become one of the most consistent line items in corporate budgets. Most companies run it quarterly, and employees click through it, answer the questions and collect their certificates. And yet the breaches keep coming, and the post-incident reports point to the same thing: human error.

In a recent Forrester security survey, 97% of security decision-makers said their companies have a security awareness training programme, but it hasn’t delivered results. According to Mimecast's ‘State of Human Risk 2025’ report, 87% of organisations now train employees at least once a quarter, yet a third still name employee error as their top concern. Awareness training is definitely happening, but something else is wrong.

The usual response is more training – another campaign, another completion rate, another round of certificates. But, as Deryck Mitchelson, global CISO at Check Point Software Technologies, says, the industry has been asking the wrong question entirely. “I don't think humans are the weak link,” he says. “Technology needs to do a much better job of preventing 99.9% of phishing emails from ever reaching the inbox.” The problem is not that employees are failing the training, but that the training and the technology behind it are failing the employees.
One of the reasons Mitchelson holds this view relates to how much phishing has evolved. The emails arriving in inboxes today bear almost no resemblance to the poorly worded messages that defined the threat a decade ago. AI has changed all that, with modern phishing campaigns built on the details in profiles from social media and public data. Today’s phishing attacks are personalised, professional and no longer sent by Nigerian princes looking for love.
ITWeb Premium