September 24, 2020
A new study shows boring cybersecurity awareness training doesn’t persuade employees to be secure.
As users get more security awareness training, their ability to effectively deal with security threats increases. Users who get proper training are much more likely than their untrained colleagues to spot phishing attempts, business email compromises and other cybersecurity threats.
The research supports the claim that employees get far more benefit out of interesting and engaging training.
Lisa Plaggemier is MediaPro’s chief strategy officer. She said employers need to gauge their employees on the effectiveness of their cybersecurity awareness training.
“Some companies do this, but I think others might be afraid of the answers they get in return,” she said. “It might mean that you need a dedicated resource running your training and awareness program, who has a communications or marketing background, instead of a security engineer doing it as part of their job. You can also tie specific metrics to test the effectiveness. For example, does incident reporting increase once you’ve trained people on how to spot and report a potential incident?”
Other key takeaways from the report include:
IT, security and business leaders generally want to establish a strong cybersecurity culture within their organizations. But they’re somehow not conveying that idea effectively to a large number of their employees.
Cybersecurity awareness training is perceived to be as important as technology in dealing with security threats; therefore, organizations will devote more employee time to training over the next year.
About 45% of employees surveyed expect to spend 15 minutes or more per month in training by mid-2021. That’s up from 26% in 2020.
Senior IT and business management are much more enthusiastic about security awareness training than are non-management employees.
Security and IT leaders, their staff members and business leaders are largely on board with the idea that developing a strong cybersecurity culture is important. Everyday employees, however, are much less convinced about the importance of doing so.
Employers should buy training that really connects with people and doesn’t talk down to them, Plaggemier said.
“There are so many good options on the market these days,” she said. “There’s no excuse to run boring training. In some organizations, their own culture can get in the way. They resist using humor, for example, because it doesn’t fit with their brand or the security team feels you shouldn’t use humor for such a serious topic. Complex problems need creative solutions.”
Michael Osterman is researcher and president of Osterman Research.
There are two fundamental drivers for the growth of MSSPs. Technology helps organizations address their security concerns, and MSSPs can help with this. Also, the cybersecurity skills shortage is motivating many CISOs to outsource at least some of their security to third parties.
“That said, we see the growth of security awareness training and the growth of technology-focused solutions, including the outsourcing of at least some security functions to MSSPs, to be synergistic,” Osterman said. “Outsourcing relieves some of the burden on already-overworked security staffers so that they can focus on the more onerous threats and attacks that take substantial time to investigate and remediate. And training enables users to detect and avoid many of the threats that will inevitably make their way through even the most robust security defenses.”
The study does point to overall progress being made in terms of cybersecurity awareness training, he said.
“For general phishing emails, there was a nearly six-fold increase in the percentage of users who are capable or very capable at detecting them after training compared to their ability pre-training,” he said. “We also found major gains in user capabilities at recognizing targeted emails and scams in social media after they received training. Plus, it’s important to realize that we were surveying organizations that have various levels of efficacy in their training, and so the most effective training would result in even better numbers than these.”