As we’re increasingly being reminded, unsuspecting office workers are still a primary target for cyber attackers. According to Verizon’s 2022 Data Breach Investigations Report, more than four in every five breaches (82%) involved a human element.
In an attempt to educate and protect their workforce from threat actors’ advancing attacks, organisations are pushing cybersecurity training initiatives up the priority list. However, not all programmes are proving to be as effective as intended.
Encore’s latest research reveals a difference between business leaders’ perceptions and reality when it comes to the effectiveness of training within their organisations. In this blog, we cover the main findings from the research and offer key advice for businesses looking to bridge the gap and enhance their current programmes.
Are current cyber training programmes actually effective?
It has long been established that the workforce itself is one of the biggest causes of cyber breaches – although this isn’t necessarily through any fault of its own. It all depends on the training and support supplied by their employers.
Encore’s research reveals that more than seven in 10 (71%) executives are confident that they deploy enough safeguards around their staff to ensure their businesses remain completely secure, even if human error does occur. On the other hand, 21% do not think they currently have enough safeguards, and 8% believe that employees pose no risk at all.
The reality of the situation, however, is that poor cyber practices continue to be prominent today, with many being exacerbated by the widespread shift to hybrid working in recent years. Indeed, 37% of office workers admit to using their personal devices for work, while 36% still use the same password for work and personal devices.
The report shows that more than four in five (83%) employees believe it is their responsibility to carry out cybersecurity best practice during work activity. However, less than half (43%) can correctly define the term “phishing”.
There’s a clear and significant gap, both between what employers perceive their staff’s cyber competency levels to be and the reality of the situation, and between what office workers believe they should know about cybersecurity and what their current knowledge actually covers.
Five ways to improve cybersecurity training programmes
To bridge the knowledge gap, businesses need to rethink how they deliver cybersecurity training.
This does not need to be overcomplicated. In fact, simple is often better. What matters is tailoring training programmes to your specific audiences and making the content as engaging and relevant as possible.
Each individual business will have a unique set of needs, and training will need to reflect that. However, there is a set of fundamentals that should be covered by all cyber training initiatives to ensure effectiveness.
Here are five key guidelines for businesses planning to implement a new cybersecurity training programme or enhance an existing one:
Training needs to be relatable to ensure trainees are engaged.
It should be tailored to the audience, both in terms of the content itself and the way the training is delivered.
Conduct regular assessments to ensure training programmes don’t simply become another box-ticking exercise.
Programmes must align with cyber policies to ensure subsequent employee behaviours fall within agreed guidelines.
Encourage proactive reporting of incidents to ensure newly learned security best practices are adopted and not forgotten.
In a world of rapidly evolving and increasingly dangerous threats, cybersecurity training is one of the simplest ways of keeping people safe and educated, both in their place of work and their personal lives.
It cannot be overlooked. It’s a critical business practice and must be treated as such.
To find out more about the importance of training, and for more detail about these key guidelines, check out The Cybersecurity Training Illusion eBook in full here.