“So, point one is reevaluate your fixed six percent for security because it probably needs to be more like 10 or 12. Second, I would strongly recommend that (organizations) start to test their security awareness training. You cannot just train and then leave it be for a while. These employees need to be tested constantly, so sending all of your employees two or three simulated phishing attacks per month is no luxury. This is something that you need these days.”
In addition, Sjouwerman said that companies need to be aware of the legal consequences of not scaling up their security awareness training, especially in organizations where cyber safeguards are mandated by law. He also recommends designating someone within the company to stay on top of the latest threats.
“Make someone in your organization responsible to think like a hacker and have a continuing flow of alerts related to current events,” he said. “Go to each employee that warns you of scam attempts like this. As an example, a successful social engineering attack was, ‘the U.S. has started bombing Syria.’ That’s a current event-type thing that everybody is concerned about and that people will click on. Have someone think like a hacker, look at current events and anticipate the kind of attacks to keep an eye out for. It’s not hard to predict and send people regular alerts.”