Cyber security training boring and largely ignored

Two-thirds of employees don’t bother to pay attention to cyber security training, and the fault does not lie with them

Alex Scroxton


Published: 27 Jul 2022 10:17

While cyber leaders overwhelmingly believe their organisations have a solid security culture, new figures published by email security specialist Tessian have revealed that they might be deluding themselves, exposing an alarming disconnect between security pros and the rest of the business.

With three-quarters of UK and US organisations having experienced some type of cyber incident during the past year, a substantial proportion of employees appear to regard training exercises as something to be endured, rather than engaged with.

The report, How security cultures impact employee behaviour, found that while 85% of employees take part in security awareness or training programmes, 64% don’t pay full attention and 36% consider their organisation’s security training boring.

Overall, the report found a general consensus among security leaders over what goes into making up a solid security culture, but with incident volumes remaining stubbornly high, Tessian said it was clear that those at the very top had far more work to do.

“Everyone within an organisation must know how their work helps keep their co-workers and company secure,” said Kim Burton, head of trust and compliance at Tessian. To get people better engaged with the security needs of the business enterprise, education ought to be specific and actionable to somebody’s work.

It’s the security team’s responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows.

Secure practices ought to be seen as part of productivity. When people can trust that security teams have their best interest in mind, they are able to create true partnerships that strengthen security culture.

The report showed how training exercises, which in many firms comprise little more than home-brewed PowerPoint presentations cooked up by legal and compliance experts who have no real knowledge of how people engage with educational materials, are failing woefully to have an impact on employees across the board.

For instance, 30% of respondents said they didn’t think they had an individual role to play in keeping their company secure, while 45% didn’t know how to, or who to, report a security incident, and only one in three said they were content with their IT or security team’s communications.

Meanwhile, over half of respondents said they saw nothing inherently risky in actions such as downloading apps to work devices, sending sensitive data to their own private email accounts, sharing passwords internally, or connecting to open or public Wi-Fi networks on work devices.

And even when it came to clearly risky actions, such as clicking links in emails from unknown sources or opening unsolicited attachments, leaving work devices unlocked and unattended, and reusing passwords, more than 40% of respondents said they didn’t see a problem.

Stop scaring people

A big source of disconnection appeared to be a tendency among leadership to use security training to spread fear and uncertainty as a motivator.

For instance, half of respondents to Tessian’s study claimed to have had a negative experience with a phishing simulation, as evidenced by the 2021 story of a phishing test at West Midlands Trains which went disastrously wrong.

The test was a message from company leadership detailing a thank-you bonus for employees who had worked through the pandemic, and several people clicked on the link, only to end up being ticked off for being insufficiently security-conscious. Union officials described the stunt as crass and reprehensible.

According to Karen Renaud, chancellor’s fellow at the University of Strathclyde, and Marc Dupuis, assistant professor at the University of Washington Bothell, such tactics can cripple employee decision-making, creative thought processes, and the speed and agility that businesses need to operate in today’s demanding world.

Tessian said there were a number of things security leaders should be doing to engage employees better with cyber security procedures.

For instance, security leaders need to play a more active role at key touchpoints during an employee’s journey with the organisation, such as onboarding, role or office changes, and offboarding. Tessian said onboarding new hires represents an excellent opportunity to capture people’s imagination before they become cynical and jaded, while more thoughtful and comprehensive offboarding processes can help prevent critical data going missing when someone leaves.

Another thing every security leader should be doing as a matter of course is to establish clear and regular lines of communication across the entire organisation, paying close attention to how much information they share, who it comes from, via what channels, and how frequently.

Tessian offered four key pointers on how to do that effectively:

  • Cut out jargon, technical terms and acronyms, and offer only need-to-know information.
  • Tailor communications to specific people, teams and departments. Someone in marketing, for instance, won’t have the same concerns or see the same threats as someone in HR.
  • Identify one individual to provide updates and be a regular point of contact for everybody.
  • Create a consistent format and cadence for security communications.

Finally, it said, there are technological solutions which, sensibly deployed, can help establish cyber self-efficacy within the organisation.

Tessian’s report was compiled using data gathered by OnePoll, which surveyed 500 IT security leaders and 2,000 working professionals in the UK and the US.