Why Security Training Fails and How to Fix It
It is impossible to prevent every cyberattack or data breach. Even a business armed with the most advanced security controls and the world's best security professionals would not be airtight; the occasional threat would still get through.
Yet the sheer number of successful attacks suggests that the standard approach to cybersecurity is missing something. In one 2020 survey, 86 percent of participating organizations said their networks had been compromised at least once in the previous 12 months.
Why are so many businesses struggling to stay ahead of attackers despite their best efforts? One major factor is security training: how well an organization trains its people goes a long way toward determining how well its security program works.
Training programs that reach the whole organization, with content pitched at the right level for each audience, improve security culture across the board. They also give security team members and people in other critical roles, such as IT, engineering, and finance, the additional knowledge they need to defend the organization against cyber threats.
A more effective training program can lead to reduced risk while better utilizing the organization’s greatest resources: its people.
Ineffective (and Insufficient) Security Training Can Lead to Greater Risk
What do you think of when you hear the phrase “data breach?” Your mind probably conjures images of malicious actors mounting a siege against your network from the outside. Your cybersecurity training programs probably focus on these kinds of scenarios, too.
The truth, however, is that most data breaches arise from the actions of your own employees, according to findings from security firm Tessian and Stanford University. Their research shows that 85 percent of data breaches are caused by employee mistakes, such as sending email to the wrong recipient or clicking a suspicious link. Similarly, research by software company Egress found that 94 percent of organizations had experienced an insider data breach in the previous 12 months.
Most of these insider breaches are not the work of disgruntled employees deliberately harming the company. The most common cause is simple human error, and that error often takes the form of falling for a phishing attack. According to Cisco, phishing is the root cause of as many as 90 percent of data breaches.
Employees make mistakes for all kinds of reasons, like being distracted or burnt out. However, there’s one cause of human error that cybersecurity training is well suited to address: Many employees simply aren’t aware of the threat landscape and the practices they should follow to protect themselves and their companies. Unfortunately, when cybersecurity training focuses exclusively on external threats and malicious insiders, it doesn’t arm employees with the relevant information they need to avoid common mistakes.
Cybersecurity Should Be a Team Sport
Employees are often the first to notice the signs of an attempted or ongoing breach, whether a suspicious email or a mistake of their own. That makes them an essential front line of defense. The faster they report what they see to IT or the security team, the sooner it can be contained. According to IBM's 2021 Cost of a Data Breach report, it takes 287 days on average to identify and contain a breach, so every day of earlier reporting counts. Companies benefit from creating a culture in which cybersecurity is everyone's responsibility.
Yet in many organizations this isn't the case. Cybersecurity training doesn't always explain how individual employees fit into the business's broader security strategy, so workers don't realize how vital they are to protecting the company. The average employee also has little visibility into the steps IT takes to mitigate risk. If employees don't understand the purpose of the security tools and policies in place, they may treat them as inconveniences to be worked around rather than controls to be taken seriously.
The disconnect between employees and the security team only worsens when organizations punish employees who report incidents, particularly incidents they may have accidentally contributed to. Suspending or even firing workers for their missteps may seem reasonable on the surface, but it teaches employees to hide their mistakes rather than contact IT right away. The result is that breaches are discovered later and do more damage than they had to.
To strengthen your defenses against cyberthreats, you need cybersecurity training and organization-wide security cultures that foster collaborative, trusting partnerships between employees and IT.
How to Fix Cybersecurity Training
The average data breach costs a company $4.24 million, according to IBM's 2021 report, so there is a steep price for getting cybersecurity training wrong. Here's how companies can deliver security education that really works.
Adopt a Culture of Regular, Personalized Training
“Personalization” means two different but equally important things here. First, training needs to be tailored to the individual's role, because that role determines which threats they face and how they should respond. For example, employees in public-facing roles like marketing and customer support are more likely to encounter malicious communications simply because they interact with outside parties so often. According to research from Tessian, employees in marketing are also more likely to fall for phishing scams than their peers in IT, finance and operations.
To be most effective, security training should focus on the specific threats employees face, like phishing, and the common mistakes that well-intentioned employees make. Training should also arm employees with best practices they can use in their roles, transforming them into your most potent countermeasure.
Personalization also means ensuring that training is accessible to your entire employee base. Everyone from IT, engineering, finance, customer service and beyond must have the essentials covered. Even if your security training is perfect from a content standpoint, it won’t mean much if employees can’t conveniently engage with it.
At minimum, employees should be trained at onboarding and at least once a year. Beyond that, more frequent training is better: regular, engaging content keeps employees aware of how their role affects security.
Multimodal training experiences can go a long way toward getting more employees to complete cybersecurity training. Virtual learning lets employees access training when and where they want.
Not every employee learns in the same way. Some respond best to books, some prefer videos, and others enjoy instructor-led courses. If your cybersecurity training offers multiple ways to engage with the content, employees will be more likely to take that training and the training will be more likely to stick.
With personalized, accessible training, employees can minimize their mistakes. Even unscrupulous insiders who may be lurking in the organization will see how prepared the business is, and they may think twice before doing something they'll regret.
Align the Security Team With the Rest of the Workforce
In addition to teaching employees how to handle cyberthreats, security training should also help them situate themselves in the organization’s broader security strategy. Employees shouldn’t be left questioning the importance of security training or why they must take it. Knowing how their roles impact security helps personalize the training and shows how they fit into the organization’s strategy. Employees should see themselves as a part of the security team.
Many employee mistakes stem from the fact that workers don’t know why the IT team implements certain security policies, tools, and practices. As a result, they may not see the harm in bending the rules to make their lives easier. If, on the other hand, employees know what the security team is doing and why specific policies and tools are in place, they’ll understand how important it is that they adhere to those standards.
This transparency into the company's security strategy might be built into the training content itself, or it could come from the IT team via newsletters and other communications. Whatever form it takes, it helps build cooperation between employees and IT. When the two are aligned, workers feel more confident reporting incidents and doing their part to keep the company safe.
Better Training, Stronger Companies
Security training is a risk management strategy. It’s about identifying threats and mitigating the effects they could have on your business. Unfortunately, for a long time, security training has focused on the wrong things and failed to engage employees as learners. But we can reverse course with a few simple fixes.
By making training relevant and accessible to employees and bridging the gap between IT and the rest of the workforce, organizations can build strong security cultures that help reduce the most pressing risks they face.
It may be impossible to prevent every cyberattack, but you can certainly reduce your risk with the right approach to security training.
Learn the best practices for creating a cybersecurity-focused culture and mitigating risk with Forrester's training strategy. This report lays out a four-step plan that CISOs should follow to manage human risk and create lasting behavioral change throughout their organizations.