Navigating Uncertainty: The Entrepreneurial Journey by Laurent Balmelli
A company exists because the employees believe there is a way, the customers believe it solves a problem, and the investors believe it is worth something 😉
Common possible missteps on customer-side in implementing Security Awareness projects
It’s like any other project: you think it’s too easy, you don’t listen or listen to the wrong experts, you think you’ll master it, or you think you can do it alone, you don’t talk to each other enough and the goals and requirements are not as clear as they should be. If you then start with an inappropriate mindset and management fails to recognize the purpose, value and benefits of awareness, then the project can get off to a very bumpy start.
Conversely, does this mean that once you have achieved product-market fit, you can start scaling immediately and you are sure to be successful? I would say: maybe, probably not.
Yes, 9 out of 10 start-ups fail. And yes, most of them probably failed because they offered something that the market didn’t really want. But I do have some reservations about the rest becoming successful because the PMF has been reached.
Company founders pitch investors to get funding and other help for their business idea. Reverse pitching turns the tables: the investors, business angels and VCs apply to the startup entrepreneurs to be allowed to invest in their companies.
Is this a good idea? No and yes ☺
Over the past 15 years, I’ve had hundreds of conversations with investors – and yet, I’ve never really thought about what it would be like if an investor had to pitch to me, not the other way around.
What would I look for?
Phishing emails are becoming harder to detect, even for humans. A recent study tested various large language models (LLMs) for their ability to recognize malicious intent in emails, revealing significant differences in performance.
One standout was Claude 3.5 Sonnet, which scored over 90% at low false positive rates and even flagged suspicious emails that humans overlooked. When explicitly asked to assess suspicion, it correctly classified all phishing emails while avoiding false alarms on legitimate messages. However, it struggled with conventional phishing emails, achieving only an 81% true-positive rate in that category…
In the early days, cybersecurity training was not yet fully understood. Most attempted to educate their staff through training, and the first phishing campaigns for educational purposes were conducted. And compliance wasn’t that important yet.
The IBM Cost of a Data Breach Report has been published every year for two decades.
It’s often read for the numbers: the global average breach cost (now $4.4M), the top industries, or the fines (which in the U.S. push average costs to $10M).
But look a little deeper, with your own expert view, and this year’s report says something more fundamental about cybersecurity awareness.
Despite comprehensive security awareness training, many organizations still continue to have cybersecurity breaches resulting from human error. We believe that it is because many people understand cybersecurity threats in theory but struggle to apply the knowledge in practice consistently to act safely.
This gap between risk attitude (knowing what is risky) and risk behavior (actually acting securely) is what today’s article will be about 😉
Cybersecurity awareness training is a vital component of organizational defense strategies. However, many awareness providers or solutions are not able to cover the requirements of the customers. We list and summarize common weaknesses of security awareness providers and practical steps (bigger) organizations can take to address them.