They say an ounce of prevention is worth a proverbial pound of cure. That’s never been truer than when it comes to cybersecurity. The more training end-users receive, the less likely they are to become the victim of a phishing attack. The challenge is most of the cybersecurity training that end-users receive isn’t especially engaging, so a lot of it simply doesn’t stick.
Separate surveys of 141 individuals who manage, contribute to, or influence security awareness training programs, and of more than 1,000 employees in the U.S., both conducted by Osterman Research, illustrate the depth of the challenge organizations face.
Only half the respondents said they like the quality of the writing in the training provided, with even fewer (48%) liking the format employed or considering the training provided to have any visual appeal (45%). Only 23 percent of respondents said they regularly survey employees on what they think of the training they receive. Just over half of respondents (52%) said they sometimes do.
Perhaps not surprisingly, only 12 percent of employees said they enjoy security training because it helps them stay secure at work and at home. The good news is 50 percent said they are in favor of it because they understand the benefits. Only 14 percent said they participate because they are required.
Keeping employees engaged
The survey also finds there is a clear correlation between how enjoyable cybersecurity training is and how often employees attend. A full 69 percent of users who find security awareness training to be “very interesting” spend more than 15 minutes per month in any sort of training. By contrast, only 37 percent of those users who find security awareness training to be “somewhat interesting” spend this much time in training, while just 16 percent of users who consider their training to be “boring” spend more than 15 minutes per month in training.
Given the nature of the cybersecurity threats organizations face, 15 minutes is not a lot of time. In fact, from an education perspective, it suggests large swaths of employees are “being left behind” when it comes to cybersecurity training. Of course, if students don’t want to learn, it’s not always the teacher’s fault. However, everyone has, at some point in their life, sat through a boring lecture that could have been delivered in a more compelling fashion. No one ever remembers the topic. They just remember feeling bored.
In contrast, employees that are engaged are more likely to do the right thing. End users that spend more than 15 minutes per month on security awareness training are nearly twice as likely to use a unique password for every device and application, compared to those who spend no more than five minutes per month in training, the survey finds.
Increasing security concerns
In the wake of the COVID-19 pandemic, organizations have never been more concerned about phishing attacks than they are now. With the bulk of employees working from home for the foreseeable future, the level of security any organization has is lower. According to the survey of managers, the biggest concerns are email attachments loaded with malware, email threats such as phishing, ransomware, and compromised credentials/account takeovers in almost equal measure.
In each of those cases, the first line of defense is always the end-user. If those end users are not engaged, however, it’s roughly the equivalent of asking someone to be more vigilant than ever when they don’t really appreciate the reason for making the effort. Rare is the student who is more engaged than their teacher. In fact, a little extra enthusiasm on the part of security teams will pay off many times over because the best remediation effort is the one that was never needed in the first place.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.