The issue of employee reluctance when it comes to cybersecurity training

Although 75% of all US and UK companies were exposed to cyber incidents in the past year, employees still hate cybersecurity training sessions. Considering most cyberattacks capitalize on human error, employee reluctance continues to play into the hands of malicious actors in the shadow of this avalanche of cyber attacks.

Despite the overwhelming belief of cyber executives that their organizations have a solid security culture, recent data gathered by email security expert Tessian suggests that these leaders may be deluding themselves, revealing an unsettling gap between security experts and the rest of the business.

Cybersecurity training is boring to most employees

While 85% of employees participate in cybersecurity training or awareness programs, “How Security Cultures Impact Employee Behaviour” research revealed that 64% do not pay full attention, and 36% find their organization’s training about cybersecurity uninteresting. Do you know how businesses could utilize AI in security systems?

The survey found that security leaders generally agreed on the recipe of good security culture, but Tessian said it was evident that those at the top still had a lot of work to do, given the stubbornly high incident counts.

“Everyone in an organization needs to understand how their work helps keep their co-workers and company secure. To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work,” said Kim Burton, Head of Trust and Compliance at Tessian.

“It is the security team’s responsibility to create a culture of empathy and care. They should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows. Secure practices should be seen as part of productivity. When people can trust that security teams have their best interest at heart, they can create true partnerships that strengthen security culture.” she added.

The study demonstrated how cybersecurity training exercises, which frequently consist of brief PowerPoint presentations created by legal and compliance professionals without a true grasp of how people interact with instructional materials, have no overall positive effect on employees.

For instance, only one in three respondents said they were satisfied with the communications from their IT or security team, and 30% of respondents said they didn’t think they had a personal role to play in keeping their company secure. Similarly, 45% of respondents didn’t know how to report a security incident or who to report it to.

Over half of those surveyed claimed that behaviors including downloading apps to work devices, transmitting private information to personal email addresses, exchanging passwords among coworkers, and connecting to open or public Wi-Fi networks on work devices are not caused concerns.

Over 40% of respondents said they didn’t see an issue with blatantly hazardous behaviors, such as reusing passwords, leaving business devices unattended or unlocked, downloading unsolicited attachments, or clicking links in emails from unfamiliar sources.

Scaring people with cybersecurity risks doesn't solve anything

The leadership’s propensity to utilize cybersecurity training to spread fear and uncertainty as a motivation appeared to be a significant source of estrangement.

For instance, according to Tessian’s survey, 50% of participants reported having a “bad experience” with a phishing simulation, as shown by the 2021 account of a phishing test that went horribly wrong at West Midlands Trains.

Many others clicked on the link in what appeared to be an email from corporate leadership explaining a thank-you bonus for workers who had endured the pandemic, only to be reprimanded for not being vigilant enough about security. Officials from the union called the stunt “crass and reprehensible.”

Such strategies can “cripple employee decision-making, creative thought processes, and the speed and agility that businesses need to operate in today’s demanding world,” according to Marc Dupuis, assistant professor at the University of Washington Bothell, and Karen Renaud, chancellor’s fellow at the University of Strathclyde.

Tessian listed five actions security leaders should do to improve employee understanding of cybersecurity protocols.

For instance, security leaders must take a more active part in important touchpoints like onboarding, position or office changes, and offboarding during an employee’s “journey” with the company. According to Tessian, the onboarding of new employees offers a fantastic opportunity to grab people’s interest before they grow weary and bored, while more thorough and careful offboarding procedures can assist in preventing the loss of crucial data when a person departs.

Establishing open lines of communication throughout the entire organization and paying close attention to how much information is shared, who it comes from, via what channels, and how frequently are other things that any security leader should be doing.

Tessian provided four essential guidelines for accomplishing this successfully (page 28):

• You must speak the same language as your employees to communicate effectively. That means stripping out the jargon, technical terms, and acronyms and only providing need-to-know information.
• Tailor communications to specific people, teams, or departments to help everyone understand threats, consequences, and solutions. Data, real-world examples, and specific “what-if” scenarios can help you paint a clear picture.
• Security teams should choose a cybersecurity awareness champion to deliver updates or requests and be the point of contact for all questions.
• Develop a consistent format and cadence (for example, a monthly bulletin) to streamline communication and ensure employees have a source of truth to reference.

Finally, there are technology solutions that, when wisely implemented, can support the organization’s development of cyber “self-efficacy.”

Tessian’s research was created by OnePoll, which surveyed 2,000 US and UK-based employees, along with 500 IT security leaders.

The research we examined today revealed why some cybersecurity training and awareness initiatives are far from being effective. However, none of this changes the fact that cyber attacks can bring a company down. 

Author: Kerem Gülen

Source: Dataconomy