
Why are Security Awareness Training Programs doomed to fail?


Before looking into the reasons why security awareness training programs are destined to fail from the start despite the best intentions, let’s get some background information and better understand why following industry best practices can save you:


Adopting security awareness training is not a top priority for companies.


This statement, while true, does not correlate with the industry’s concern about cybersecurity. It is stated that 82% of companies consider cybersecurity their top technology priority, but only 61% of them allocate a budget for security awareness training programs. The gap widens further: in spite of the many post-implementation benefits an effective security awareness rollout can bring, only 45% of these same companies mandate security awareness training for their current employees. To recap, 82% consider cybersecurity a top priority, 61% allocate budget for it, and 45% mandate the training.


Never forget about the human factor when addressing security issues

Cybersecurity awareness adoption numbers are indeed surprising, especially since more than 60% of business owners reported that security breaches are caused by employee negligence, meaning they are intimately aware of the problem! While companies acknowledge that the human factor is one of the top reasons behind a security breach, this does not translate into the effort needed to make sure that their employees can recognize a potential cyber threat.

Now, let’s dig deeper into the topic and focus on those companies that do provide security awareness training to their employees. What makes these programs inefficient? What are the causes of less than desirable results?


#1 Adopting security awareness training programs as a ‘check the box’ exercise

Companies are relatively aware that they should have a cybersecurity awareness training program in place to protect their businesses. How do they know that? In many cases, these executives read about data breaches and the human factor quite often. Additionally, many security compliance standards have ‘employee training’ as a minimum requirement. However, these standards are often ambiguous and open to interpretation, as they don’t say anything concrete about the structure and content of such a training program.

To be more specific, simply creating a checklist based on such compliance standards is not enough to protect your business. There is a difference between purchasing a program and ensuring that employees are able to recognize and defuse potential cybercrime. In other words, a security awareness training program that is compliant with the security standards is not necessarily an effective one.


#2 Low engagement during the security awareness training programs

Just imagine the following scenario: you use a 10-minute video to explain security awareness to your employees and quiz them afterward to make sure they understood. As the information is so fresh in their minds, they will all probably pass the quiz with flying colors. Additionally, it is possible that the quiz is worded in such a way that a user can pass it simply by eliminating obviously wrong or out-of-context answers. However, do you believe that this ‘success’ will translate into knowing what to do when faced with a real threat? Are you entirely sure that they will not click on that suspicious link that might jeopardize the security of the entire business? Probably not.


If we’re honest, it is not enough to only test employees on their knowledge of security awareness. They also need situational practice, being engaged in teachable moments through real-life scenarios and simulations. The simulations and scenarios provide another level of engagement and involvement that drives true learning. Additionally, you can further promote the learning by tailoring your content to your target audience. For example, younger employees might respond better to blog posts and tweets, while older employees might prefer more traditional training materials such as posters, newsletters, and more structured learning sessions.


#3 Relying on a single annual security awareness training session

If we look into the frequency of training, only 6% of companies conduct the recommended monthly security awareness training sessions. The majority choose an annual training program. If you decide to make the same choice, you should consider that, without the proper frequency of practice, there is a high chance that all the security awareness information that you provide to your employees during the training will eventually fade away as their minds are cluttered with other tasks and other trainings. Frequency and engagement level can help ensure that the learning is continual and becomes permanent, unlike with one-time annual training and the challenges associated with it.


As mentioned above, your employees can be your company’s weakest security link. With the costs for mitigating data breach damages averaging $3.86 million, there is simply no tolerance for failure of these security awareness programs, yet we are seeing a level of indifference that would indicate otherwise. From our experience, conducting monthly or bi-monthly phishing campaigns or other types of security awareness sessions can reduce your cyber risks by up to 90% and put your business in a much better posture as it relates to identifying and defusing potential cybercrime.


Final thoughts

Many security awareness training programs are doomed to fail even before they start. The reasons are many, and we’ve highlighted only a few in this article. If you don’t know how or where to start your Security Awareness Program, get in touch with us to find out more about our tools and schedule a demo to see how they work.
