• Employee Security Index (ESI®) benchmark reveals employees take an average of three months’ training to reach the required ‘protection zone’
• One-month pause in training leads to firms falling below target security level
• Report analysed nearly 1.8 million simulated phishing attacks across 140,000 employees to show the scale of security risks – and need for ongoing training

Hannover, Germany (16 February 2023) – Employees need three months’ cybersecurity training for companies to reach ‘an acceptable level of security’ according to leading cybersecurity provider Hornetsecurity’s new Employee Security Index (ESI®) Benchmark Report.

However, a training ‘pause’ of just one month can lead to an organisation’s ESI® score dropping below the level required, while a four-month hiatus can take organisations back to square one.

The ESI® Benchmark Report, which analysed more than 1.7 million simulated phishing attacks across 140,000 employees and over 350 businesses, sheds light on the risks that cyberattacks pose to businesses.

It revealed that 90 percent of all cyber-attacks start with phishing and more than 40 percent of all emails have the potential to pose a threat to businesses.

Daniel Hofmann, CEO of Hornetsecurity, said: “The ESI® Benchmark Report reveals the growing risk that phishing poses to organisations and highlights the importance of providing security awareness services to bolster their defences.”

“The findings demonstrate that most employees can reach an acceptable level of security awareness after just three months of training. However, training must be continuous to ensure that employees are prepared against increasingly sophisticated attack methods, which often aim to exploit their blind trust in authority.”

Security awareness

The report also provides insights into the awareness training measures needed to optimise the security awareness of different user groups. Phishing attacks pose huge financial and reputational implications for organisations, but this scientific benchmark will help business leaders monitor the security behaviour among employees and demonstrate the power of ongoing security awareness training – allowing them to create a more sustainable and robust security culture.

[Figures: “The ESI® Score reaches”; “ESI® drop after a break”]

Continuous training is key

The ESI® Benchmark Report found that, on average, it takes employees three months of training to reach the ‘protection zone’. The study also indicates that ongoing training is required to ensure employees are educated and protected against developing cyber threats.

While businesses may be concerned about security fatigue, Hornetsecurity has responded to these challenges by integrating short pauses in its automated training program, its Security Awareness Service, to ensure that employees do not become disengaged.

No one-size-fits-all

The insights also show that security training must target individual needs, rather than following a one-size-fits-all approach. The unique Awareness Engine within Hornetsecurity’s Security Awareness Service delivers automated, state-of-the-art training based on individual training needs. It also provides companies with tangible and reliable indicators and standardised comparisons between different groups of employees. The Awareness Engine tailors the level of training to different employees depending on their ESI® score. For example, if an employee has a higher click-through rate on simulated phishing scams, the organisation is aware that this individual may be less prepared against attack methods – meaning more intensive training may need to be delivered.

Hofmann continued: “We believe that prevention, protection, response and recovery are integral to business continuity, which is why we have developed our Security Awareness Service, available as a standalone solution or as part of our 365 Total Protection cybersecurity suite. It enables organisations to ensure their data stays safe through developing a sustainable security culture.”

How the ESI® score is calculated

Hornetsecurity’s patented Spear Phishing Engine generates the phishing emails itself, automatically controlling who gets which spear phishing level and when. The simulated attacks are categorised into seven different levels of varying difficulty, meaning that users are not overwhelmed or underwhelmed during the spear phishing simulation.

An ESI® score is then calculated by evaluating the number of clicks an employee makes on a simulated phishing email. This score indicates how well educated they are about different attack methods, and the results from this training allow organisations to keep their staff in shape by adopting ongoing training cycles with the help of Hornetsecurity.

Further information:

For more information, please find Hornetsecurity’s ESI® Benchmark Report via this link. To find out more about Hornetsecurity’s offerings, please visit the website.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Media enquiries

Please contact us on press@hornetsecurity.com.