Shaun McAlmont argues that annual cybersecurity awareness training isn’t enough to protect organisations from attack
The evidence has long been clear that human error is implicated in most cyberattacks. This has led companies of all sizes and across all industries to focus on cybersecurity awareness training as the most reliable and cost-effective way to protect themselves from cyberthreats. When employees learn about the destructive consequences of cyberattacks and how they can prevent or mitigate those consequences, they feel empowered to take responsibility for cybersecurity at every level of the company.
But merely establishing a security awareness programme isn’t enough – companies have to ensure that the programme actually changes behaviour for the better. This means continuously assessing the state of employees’ knowledge, analysing their responses to real-world cyber incidents, and reinforcing what they learn with consistent and engaging educational content. Too many companies treat cybersecurity training as a box they can check – a routine form of due diligence that shows clients and customers they’re doing something to address cyberthreats. They may hold a meeting or an event on cybersecurity once a year, but that’s about it.
This approach to cybersecurity awareness is likely to fail because employees need steady reinforcement to form healthy cybersecurity habits. The cyberthreat landscape is shifting all the time, and it’s vital for employees to be aware of emerging attack vectors and tactics. The ultimate goal of any successful cybersecurity platform is long-term behavioural change, and this requires companies to make education an ongoing priority – not an afterthought at the end of the year.
Why cybercriminals target human beings
There’s an antiquated image of cybercriminals as hackers who spend their days staring at lines of code and figuring out how to penetrate firewalls and networks. This image is one of the reasons so many employees feel incapable of putting up a fight against cybercrime – they don’t think they have the technical ability to do so. This stubborn misconception has led to countless breaches over the years, and it continues to put companies at risk to this day.
According to the most recent Verizon Data Breach Investigations Report, 82% of breaches involve a human element. Cybercriminals frequently convince employees to click on malware, trick them into providing privileged access, and use their accounts and credentials as entry points to infiltrate companies. All employees have a major role to play in the prevention of cyberattacks, while companies have a responsibility to provide regular and robust cybersecurity awareness training to the entire workforce. Note the word regular. Many companies think annual training is sufficient, but this doesn’t even come close to providing the level of reinforcement employees need.
Cybercriminals will continue to target employees because human beings will always be vulnerable to deception and manipulation. But people are also natural learners, and it’s possible for companies to arm them with the knowledge they need to stop cyberattacks.
Training should always be consistent and engaging
Companies are making significant investments in cybersecurity – according to a survey conducted by PwC, 55% of companies are increasing their cybersecurity budgets. However, the same proportion of business and security executives “lack confidence that cyber spending is aligned to the most significant risks,” while 54% aren’t confident in the process that “monitors the cyber programme’s effectiveness compared to expenditures”.
A 2021 survey asked 1,200 employees a set of basic cybersecurity questions and found that 60% failed the assessment. Given that 69% of the respondents had received some form of cybersecurity training from their employers, it’s clear that the status quo in cybersecurity education isn’t working. There are several ways to address this problem:
1. Training content has to be engaging. Your employees are busy professionals with many work responsibilities, family obligations, and so on. This is why your training should always be concise, engaging, and relevant.
2. Training programmes have to demonstrate their effectiveness. Companies should analyse click rates on phishing tests, deliver quizzes at the end of training content, and implement real-world incident reporting mechanisms to determine whether employees are learning what they need to know.
3. Training should be frequent and consistent. Repetition is an essential mental mechanism for helping learners remember information. This is why annual cybersecurity training isn’t sufficient – employees need consistent reinforcement to retain the information they learn.
4. Training should be relevant. Employees need to understand the specific methods and consequences of cyberattacks, which is why cyber-awareness education should be based on real-life breaches. The sheer number of these breaches provides a steady stream of content, and examples of successful attacks give employees concrete lessons that will help them improve their cyber hygiene.
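As an added illustration of point 2 above (not part of the original article), this is one way to track the phishing-test click and report rates it mentions across successive campaigns, so a programme can show whether behaviour is actually changing; the simulation records are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed phishing-simulation results (not real data): one record per employee
# per quarterly campaign. "clicked" = followed the lure, "reported" = used the report button.
RESULTS = [
    {"campaign": date(2023, 1, 10), "user": "ana", "clicked": True,  "reported": False},
    {"campaign": date(2023, 1, 10), "user": "ben", "clicked": True,  "reported": False},
    {"campaign": date(2023, 1, 10), "user": "cho", "clicked": False, "reported": True},
    {"campaign": date(2023, 1, 10), "user": "dev", "clicked": False, "reported": False},
    {"campaign": date(2023, 4, 11), "user": "ana", "clicked": True,  "reported": False},
    {"campaign": date(2023, 4, 11), "user": "ben", "clicked": False, "reported": True},
    {"campaign": date(2023, 4, 11), "user": "cho", "clicked": False, "reported": True},
    {"campaign": date(2023, 4, 11), "user": "dev", "clicked": False, "reported": False},
    {"campaign": date(2023, 7, 12), "user": "ana", "clicked": True,  "reported": False},
    {"campaign": date(2023, 7, 12), "user": "ben", "clicked": False, "reported": True},
    {"campaign": date(2023, 7, 12), "user": "cho", "clicked": False, "reported": True},
    {"campaign": date(2023, 7, 12), "user": "dev", "clicked": False, "reported": True},
]

def campaign_rates(results):
    """Per-campaign click rate and report rate, keyed by campaign date."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r["campaign"]].append(r)
    rates = {}
    for day, rows in sorted(by_campaign.items()):
        n = len(rows)
        rates[day] = {
            "click_rate": sum(r["clicked"] for r in rows) / n,
            "report_rate": sum(r["reported"] for r in rows) / n,
        }
    return rates

def behaviour_is_improving(rates):
    """True when the click rate never rises and the report rate never falls
    between consecutive campaigns: the trend a working programme should show."""
    series = [rates[d] for d in sorted(rates)]
    return all(b["click_rate"] <= a["click_rate"] and b["report_rate"] >= a["report_rate"]
               for a, b in zip(series, series[1:]))

def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns: the people who
    need targeted reinforcement rather than another annual session."""
    clicks = defaultdict(int)
    for r in results:
        if r["clicked"]:
            clicks[r["user"]] += 1
    return sorted(u for u, c in clicks.items() if c >= min_clicks)
```

A real deployment would feed these functions from the simulation platform's export and review the figures after every campaign, not once a year.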
Companies should never treat cybersecurity as a perfunctory obligation that they can check off the annual to-do list. At a time when the average cost of a data breach is $4.35 million and cyberattacks are on the rise, companies have to make their cyber awareness platform as effective as possible. This requires high-quality, frequent training.
Building a culture of cybersecurity
Consistent and engaging cybersecurity training isn’t just about learning critical concepts – it’s about creating a cyber-aware culture at your company. This means good cybersecurity hygiene should be second nature for all your employees: they should know how to confirm the authenticity of digital communications, immediately report suspicious activity, and use cybersecurity tools such as VPNs, password managers, and multi-factor authentication.
It’s impossible to build a culture of cybersecurity if you only discuss the subject with employees once or twice per year. Beyond the fact that you’ll fail to keep employees updated about new attack vectors and vulnerabilities, you’ll also lose track of employee performance on key cybersecurity issues. Employees won’t feel motivated to make cybersecurity a part of their daily lives if company leaders aren’t modelling that behaviour and reminding them what the stakes are: huge potential financial and reputational costs.
Many companies provide cybersecurity training after an attack, but this demonstrates that they weren’t proactive enough with their cyber-awareness platform. By prioritising cybersecurity training throughout the year, company leaders will remind employees that they have the responsibility – and the capability – to keep themselves and their organisations safe.
Dr Shaun McAlmont is CEO of NINJIO