Why So Many Businesses Fail at Security Awareness Training

Most companies know that cybersecurity is important, but the majority don't train their employees effectively. Research has shown that the main cause of cyberattacks is human error.

Using weak passwords and clicking links in fraudulent emails are two of the most common mistakes, and they can be dramatically reduced with the right training.

According to the 2021 Security Awareness Report from SANS Institute, organizations that don't do security awareness training tend to have a 30% click rate on phishing emails. After a year of training, they reduce that rate to 2%. Unfortunately, there are several reasons why many organizations don't accomplish the necessary training.

Security awareness professionals are too busy

SANS Institute found that more than 75% of security awareness professionals spend less than half their time actually raising security awareness. Their departments are frequently understaffed, and they don't have time to manage training programs. Without dedicated full-time security awareness professionals, and without the budget to outsource the necessary training, businesses can't effectively train employees.

Security awareness professionals may lack communication skills

Many organizations pick someone from their information technology staff to teach security awareness. IT professionals have a lot of technical knowledge, but they rarely come with a background in communications or marketing. The people in charge of security awareness usually understand the topic thoroughly themselves, but without good communication skills, they may fail to convey the importance of the security strategies they're teaching.

Leaders don't prioritize cybersecurity

Many executives see security awareness training as something that the company does just to check a box for remaining in compliance with security standards. These leaders don't account for the financial risks of poor training, and they usually don't compensate full-time security awareness professionals as much as they pay other IT staffers.

Leaders may not demand training that actually changes behavior, and they often rely on annual training rather than the monthly frequency that's been shown to be more effective. It's not enough to watch a video once a year and know what the best practices are. Employees need to be motivated to change their behavior in ways that improve cybersecurity.

Companies fail to measure results

Companies need to set security awareness goals and then measure the results. For example, how many employees are clicking on phishing emails before training and afterwards? If you don't know the answer, you won't know whether your training is effective. Companies that set metrics can improve their training to meet goals.

Security awareness programs aren't customized

Cybersecurity researcher Arun Vishwanath, associate professor at the University at Buffalo and faculty associate at Harvard University's Berkman Klein Center, has compared standardized security awareness training to a doctor giving the same prescription for all illnesses. He notes that the best training programs measure employees' security knowledge before training. Once you know your employees' strengths and weaknesses, you can tailor your training to their knowledge and prevent attacks more effectively.

Source: iQuanti, Inc.

Categories: IT Security

Tags: Cybersecurity, Email Security, IT Security, Security Awareness