Confidence can be powerful, influencing how we perform tasks or deal with adversity, but it can also have a blinding effect if we’re not careful. Like a driver who refuses to wear a seat belt because they’ve never crashed before, feeling confident about a risk does not mean the danger doesn’t exist. The same overconfidence plagues many employees when it comes to cybersecurity, says Javvad Malik, lead security awareness advocate at KnowBe4.
In fact, a new survey by KnowBe4 titled “Security Approaches Around the Globe” highlighted a significant disparity between the confidence employees have in their own cybersecurity behaviours and their actual abilities, which in many cases were found to be lacking. The report showed that despite 86 per cent of employees claiming they can confidently identify phishing emails, almost a quarter have fallen for these attacks. This overconfidence opens organisations to substantial risks, as it leads to complacency and a false sense of security that cyber criminals are all too happy to exploit. As the divide between confidence and competence grows, it is important for organisations to continually educate their employees on everything from the types of attacks and social coercion methods attackers use to what to do if an attack is successful.
Need to adapt to sophisticated scams
Many individuals feel confident in their ability to spot cyber threats, especially the obvious ones like poorly written phishing emails. But cybercriminals have evolved. Today’s attacks are more sophisticated, better timed, and increasingly personalised, making them far harder to detect. In fact, ransomware payouts have risen by 20 per cent in the last six months, underscoring how effective these attacks still are.
This sense of confidence often stems from familiarity with outdated tactics, but modern threats, such as phishing links sent from compromised, legitimate accounts or advanced social engineering techniques, are designed to bypass both technical defences and human intuition. With a 58 per cent surge in phishing emails coming from trusted but compromised sources, it’s clear that no one is immune. The right attack, at the right time, can catch even the most vigilant person off guard.
An area where this disparity is most prevalent is phishing. Employees often assume that phishing emails are easy to identify, because of a false belief that these emails will contain grammatical or spelling errors. However, modern phishing campaigns use AI-driven social engineering, personalised messages, and deepfake technology to deceive even the most cyber-savvy individuals. For instance, despite being a relatively new attack method, KnowBe4’s report found that 12 per cent of respondents had already been fooled by deepfake scams, demonstrating just how effective this method has already become.
Importance of culture and reporting
A strong security culture can often mean the difference between suffering a cybersecurity breach or avoiding one altogether. Beyond technical defences, creating an environment where employees know who to report issues to and one where they feel comfortable reporting suspicious activities can significantly enhance an organisation’s security posture and is critical in closing the confidence gap. And yet, one in ten employees still hesitate to report security concerns due to a fear of blame or punishment.
Encouraging transparency and open communication is essential to building a strong security culture. Employees should not only receive education about security threats but also feel empowered to report potential risks without fear of blame or punishment. Although one in ten may initially seem low, it only takes one mistake, or one failure to report a mistake, to result in a major breach. Leaders should reinforce the idea that cybersecurity is a shared responsibility and that vigilance benefits everyone. Additionally, leveraging technology that supports real-time threat reporting, such as anti-phishing tools that allow employees to flag suspicious emails, can further strengthen an organisation’s security posture and reduce the frequency of an attacker’s success.
Continuous and adaptive training
The confidence gap highlights the need for more effective and ongoing cybersecurity education. Traditional, one-size-fits-all training programmes are no longer sufficient in an era of rapidly evolving threats. Instead, organisations must adopt continuous and adaptive training strategies tailored to employees’ roles, risk levels, and learning needs.
Personalised, scenario-based training is essential for bridging the confidence gap. Employees should be exposed to real-world simulations that test their ability to recognise phishing attempts, social engineering tactics, and emerging threats such as deepfake scams. By regularly challenging employees with up-to-date cybersecurity scenarios, organisations can reinforce learning and identify knowledge gaps before cybercriminals exploit them.
Furthermore, training should be engaging and interactive. Gamification, micro-learning modules and simulated phishing attacks can help reinforce key lessons while making cybersecurity education more engaging. The goal is to shift security training from a once-a-year compliance exercise to an ongoing process that keeps employees vigilant and responsive to emerging threats.
Another crucial aspect is adaptive security awareness programmes. Employees’ cybersecurity knowledge should be continuously assessed, with training content adjusted based on their individual performance. For example, an employee who frequently falls for phishing simulations may require more frequent training, while a security-savvy employee may need more advanced lessons on emerging threats to avoid becoming complacent.
A security awareness training provider can facilitate all these elements by offering comprehensive, dynamic programmes that cater to different learning styles and risk levels. AI-driven training modules that evolve with emerging threats ensure employees receive the most relevant and effective education. Through continuous assessments, real-time feedback, and scenario-based exercises, these providers can help organisations build a culture of cybersecurity resilience, reducing human risk and improving overall security posture.
Confidence gap
The cybersecurity confidence gap is a pressing issue that organisations cannot afford to ignore. While many employees believe they can spot and prevent cyber threats, real-world data suggests otherwise. Overconfidence leads to complacency, making organisations all the more vulnerable to sophisticated cyberattacks.
To address this challenge, organisations must foster a strong security culture that encourages reporting, implements continuous and adaptive training, and ensures employees receive up-to-date, scenario-based cybersecurity education. By taking these steps, organisations can transform their employees from potential security liabilities into proactive defenders against cyber threats.
In cybersecurity, the most dangerous assumption an employee can make is believing they are immune to threats. True resilience comes not from misplaced confidence but from continuous learning, vigilance, and an adaptive security mindset.