A recent article from The Hacker News highlights the challenges and significance of cybersecurity awareness training within organizations. As companies budget for 2024, many are allocating funds for employee security awareness training. However, the effectiveness of such training has come into question, given workplace behaviors around phishing attacks and social engineering.
Microsoft’s 2023 Digital Defense Report revealed that video-based training only reduces phish-clicking behavior by approximately 3 percent! Meanwhile, according to CHN, phishing attacks surged by 173 percent in Q3 2023 alone.
Organizations nonetheless prioritize security training, ranking it second after incident response planning and testing in the IBM Security Cost of a Data Breach Report 2023. The ineffectiveness of training can no longer be attributed to a lack of employee interest, as indicated by the UK-based CybSafe survey, where 43 percent of employees expressed a desire for improvements in training and over 63 percent wanted more time in their schedules devoted specifically to cybersecurity training.
“It is becoming increasingly apparent that the importance of cybersecurity for many businesses is either underappreciated or is not being communicated effectively to the average worker.”
-Dr Jason Nurse, Director of Science and Research at CybSafe
The Hacker News article also mentions the success of Cybersecuritoons, a cybersecurity course by Moonlock. This course takes advantage of how we now consume content in a shorter, TikTok-style fashion, so each course is a concise 1-minute-and-30-second cartoon, covering four major cybersecurity topics: passwords, phishing, remote work, and malware. The creators stress the importance of short-form content because of the limited attention spans and habits of busy individuals and younger generations entering the workforce.
Also worth mentioning is that human-factor security errors often occur despite ongoing training. Stress, pressure, and burnout often contribute to workers' mistakes and their susceptibility to social engineering hacks.
Many training resources point out that ongoing employee feedback helps create a security-focused culture where employees can voice questions, suspicions, and opinions about cybersecurity. While it may be tempting to skimp on cybersecurity training because of its perceived ineffectiveness, one can never overstate the importance of dedicated time for education, transparent communication about training goals, and alignment with business objectives to overcome the time constraints that often impede effective security awareness training.
Successful training should be continuous, with an emphasis on teaching employees to be more effective gatekeepers of corporate security. Above all, awareness training should underscore that employees play a pivotal role in preventing financial and reputational losses for the organization. All of this is to highlight that training is a notable step, but in some ways being able to recover from a cyber-attack is also key to becoming a cyber-resilient organization.
To learn more about how to improve your organization’s cybersecurity, and about 11:11 Recovery Services and Managed Security Services, please check out the resources below.
Product Page: 11:11 Systems Cyber Incident Recovery
Data Sheet: 11:11 Systems Managed Security Services