Last time, we looked at how (fiendishly simple) virtual private networks (VPNs) thwart cyberthreats.
Today, we’re talking about the human risk management OG: security awareness and training (SA&T). But this isn’t about your regular 20-year-old syllabus. No, no … something that actually works.
You’ve probably noticed that your organization is full of humans. We’ll even go so far as to wager that you’re one of them. And those humans need the right knowledge, skills, and attitude to protect your organization from cyberattacks.
Because your strongest line of defense is…
Humans. Take you, for instance. If you’re reading this, you know just how big of a deal cybersecurity is. You can reel off a list of the main threats and you know the ways to squash the risks they pose.
Sadly, not everyone has your knowledge, security habits, or good looks—which means a lot of people aren’t behaving securely online. But that’s why you assign security training, right?
Riddle us this, then: how do you know your training’s making any difference? Are you influencing security behaviors? Measuring risk reduction?
And your organization’s greatest weakness is…
Humans. Just kidding! It’s your (ineffective) training.
People are often thrown under the bus when it comes to security incidents. But most just aren’t equipped to help prevent the risks. How could they be, when traditional security training isn’t designed to influence long-term security behaviors?
Here’s the thing: cybersecurity is … complex. And so are humans. So, to reduce risk, you’re going to need training that knows a thing or two about people.
Kinda like the behavioral science-based training CybSafe offers.
You know what we did this summer?
So, for the second summer running (we really know how to enjoy ourselves), we asked 3,000 people about critical security behaviors—things like creating strong passwords, using multi-factor authentication (MFA), and backing up data.
We also asked people whether they had access to security training, about their attitudes to security, their experience of cybercrime, and any actions they took afterwards.
The report’s invaluable reading for anyone in cybersecurity, if we do say so ourselves. You can check it out here.
21
35
43
16
Maybe the problem is a lack of access to security awareness and training, you may be thinking. Well, you’re not wrong, given that 62 percent of participants said they didn’t have access to any. But of the remaining 38 percent who did, nearly 1 in 4 didn’t make use of it.
But don’t hit the big red Mandatory Training button on your desk just yet. Training that’s forced on your people once a year isn’t going to cut it. It becomes a corporate box-ticking exercise. Which, if you’re honest, it essentially is.
So, what now?
Don’t waste your time and budget on anything that doesn’t measurably reduce your human cyber risk.
Massive changes are long overdue in the cybersecurity industry. Effective, evolved security awareness and training needs to be part of a set of sophisticated, targeted instruments that can measure risk reduction and influence behaviors.
People don’t want to get it wrong. They innately want to understand and avoid security risks. They just need help with fostering good habits and skills.
It’s time to start giving your people the cybersecurity environment they deserve, and your organization the protection it needs.
Want to learn more about behavior change? Read our whitepaper on it!