The most recent Verizon Data Breach Investigations Report reveals the human element continues to be a key driver of 82% of breaches, including social attacks, errors and misuse. Undoubtedly, human error generates massive security headaches. Meanwhile, the rate and cost of cyber breaches continue to climb. Why is it then that over half of employed people don’t have or don’t use security awareness training?

Maybe security teams don’t believe in security training. Or maybe they don’t know exactly what kind of training works. Is there any data to back up best practices? Let’s find out.

Employee High-Risk Liability

Employees in the average company have the ability to access a vast repository of information. An average of 10.8 million files are at the disposal of each worker. Employees at larger organizations have access to as many as 20 million files.

A recent study found 64% of financial services organizations allow their employees to view more than 1,000 sensitive files without any restrictions. As many companies have moved to remote or hybrid work, IT teams must prioritize their security measures to ensure that their sensitive data is protected from attack. Firms must also consider compliance with regulations like SOX, GDPR and PCI, which can expose companies to serious legal consequences.

If we look at password practices, a study by Cybsafe found that 29% of participants created passwords consisting of a single dictionary word or name. Only 16% of participants reported creating passwords over 12 characters long, which goes a long way for password security.

Around 36% of participants reported using unique passwords only half the time or less, while another 36% changed their passwords every few months. Surprisingly, 35% of participants admitted to only making slight modifications to their passwords, such as changing a character or two.

For these reasons alone, cyber hygiene makes a lot of sense. But does it work to prevent attacks?

Does Security Awareness Really Work?

Everyone who talks about human error will eventually mention employee training. But does it really change workers’ online activity? Even more important, does training mitigate the risk and cost of a security breach? The Cybsafe report supports that employee habits do change after security training.

For starters, 57% of individuals who received cybersecurity training accessed it through their workplace or educational institution. Only 28% accessed it from their home environments. Among those who received training, 59% completed one-time courses, while 24% received ongoing training over a set period. Unfortunately, 48% of employed people surveyed do not have access to cybersecurity advice or training, and 9% have access but don’t use it.

According to the study, 58% of the participants who received cybersecurity training reported an improvement in their ability to recognize phishing messages. Also, 45% of those trained said they had begun using strong, unique passwords. Here are some other security practices people self-reported implementing after the training:

  • Using multifactor authentication: 40%
  • Using a password manager: 35%
  • Regularly installing updates: 40%
  • Backing up data: 34%.

Ongoing Training Matters

As mentioned, over three-fourths of respondents in the Cybsafe report did not receive ongoing training. This may be a huge mistake.

A paper presented at USENIX SOUPS assessed the lasting impact of phishing training. In the study, researchers conducted periodic tests at regular intervals to see when the employees would lose their ability to identify phishing messages. They divided the employees into several groups and tested them four, six, eight, 10 and 12 months after receiving an in-person phishing training session.

The research team discovered that participants were able to accurately spot phishing emails four months after their initial training. However, this ability diminished after six months and beyond. The team recommended conducting new training sessions to maintain the employees’ proficiency in identifying phishing threats.

Which Type of Cyber Awareness Training Works Best?

While it makes sense that training is important, what techniques work best? Is there any data on this?

In the USENIX SOUPS paper, researchers looked at four different reminder measures distributed among four separate groups: text message, video, interactive examples and a brief text. One year after the tutorial, the researchers compared the retention of knowledge among the four reminder groups. The results showed that the video and interactive measures were the most effective. Their impact lasted at least six months after they were implemented.

Additional research was compiled by cyber expert Nipon Nachin writing for the Information Systems Audit and Control Association (ISACA). He summarized that to raise awareness about cybersecurity, organizations have employed many techniques, such as security posters, intranet content, screensaver information, in-person training, videos, simulations and tests. One study has found that using the intranet as a platform for security awareness was the most effective approach listed. It is essential that employees comprehend the organization’s security policy to maximize the impact of security awareness efforts.

One highly effective approach to building security awareness is to send simulated malware emails to test users’ knowledge. Another novel method is using games to educate employees, although this approach does not appear to be as impactful as using videos.

Both Technology and a Human Element are Needed

Organizations continue to be highly vulnerable to breaches based on human error. While technological tools are indispensable to thwart attacks, one wonders how much more should be done to support cyber hygiene. If over half of all employees aren’t getting or aren’t using security training, it’s evident that the gap is large.

What about the cost-benefit? The cost of employee cybersecurity training varies depending on the size of the organization and the type and frequency of training (in-person vs. remote). On average, training costs approximately $5 per user per month. And the time invested only needs to be a few minutes per month. When it comes to cybersecurity spending, that’s dirt cheap. The key is constancy and repetition.

Some estimates show that companies spend an annual average of $2,700 per employee on security. For $60 more, they might go a long way to fill the human error gap.

More from News

Spot Fake Extortion Attacks Without Wasting Time and Money

3 min read - Ransomware attacks — the scourge of businesses, schools, hospitals and other organizations — follow a familiar pattern. Shady criminals contact an organization, telling them their company or customer data has been breached, encrypted and/or exfiltrated. Pay us money, or we’ll publish your data. In 2022, some 41% of victims paid, according to cyber-intelligence firm Coveware, rewarding the extortionists for their efforts. (Payment is declining every year, down from 76% in 2019.)That knowledge no doubt inspired lazier, less-skillful scammers into action. In…

3 min read

High-Impact Attacks On Critical Infrastructure Climb 140%

4 min read - Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years. Growing Threat to OT…

4 min read

AI Assistance Cuts Alert Triage Times in Half

4 min read - Clearly, ChatGPT has placed artificial intelligence on everyone’s radar these days. But AI in mainstream business applications has been around for decades. In cybersecurity, AI can be used for data augmentation and attack simulation. It can also help detect anomalies in network traffic or user behavior to enhance overall threat detection and response. As per a recent report, one area where AI has made significant strides is in threat alert triage efforts. In fact, with AI assistance, alert triage timelines…

4 min read

Congressman Proposes Act to Improve K-12 Cybersecurity

2 min read - When Iowa Congressman Zach Nunn served on the White House’s National Security Council, he witnessed the dramatic impact of cybersecurity incidents. Nunn became especially concerned about how cybersecurity crimes impact schools and their ability to educate students. He also realized how the growing threats have been making it easier to disrupt not only individual schools but entire school systems. “These are no longer attackers in basements or individuals who intend to do harm for a one-time profit,” Nunn told KGLO…

2 min read