The most recent Verizon Data Breach Investigations Report reveals the human element continues to be a key driver of 82% of breaches, including social attacks, errors and misuse. Undoubtedly, human error generates massive security headaches. Meanwhile, the rate and cost of cyber breaches continue to climb. Why is it then that over half of employed people don’t have or don’t use security awareness training?
Maybe security teams don’t believe in security training. Or maybe they don’t know exactly what kind of training works. Is there any data to back up best practices? Let’s find out.
Employee High-Risk Liability
Employees in the average company have the ability to access a vast repository of information. An average of 10.8 million files are at the disposal of each worker. Employees at larger organizations have access to as many as 20 million files.
A recent study found 64% of financial services organizations allow their employees to view more than 1,000 sensitive files without any restrictions. As many companies have moved to remote or hybrid work, IT teams must prioritize their security measures to ensure that their sensitive data is protected from attack. Firms must also consider compliance with regulations like SOX, GDPR and PCI, which can expose companies to serious legal consequences.
If we look at password practices, a study by Cybsafe found that 29% of participants created passwords consisting of a single dictionary word or name. Only 16% of participants reported creating passwords over 12 characters long, which goes a long way for password security.
Around 36% of participants reported using unique passwords only half the time or less, while another 36% changed their passwords every few months. Surprisingly, 35% of participants admitted to only making slight modifications to their passwords, such as changing a character or two.
For these reasons alone, cyber hygiene makes a lot of sense. But does it work to prevent attacks?
Does Security Awareness Really Work?
Everyone who talks about human error will eventually mention employee training. But does it really change workers’ online activity? Even more important, does training mitigate the risk and cost of a security breach? The Cybsafe report supports that employee habits do change after security training.
For starters, 57% of individuals who received cybersecurity training accessed it through their workplace or educational institution. Only 28% accessed it from their home environments. Among those who received training, 59% completed one-time courses, while 24% received ongoing training over a set period. Unfortunately, 48% of employed people surveyed do not have access to cybersecurity advice or training, and 9% have access but don’t use it.
According to the study, 58% of the participants who received cybersecurity training reported an improvement in their ability to recognize phishing messages. Also, 45% of those trained said they had begun using strong, unique passwords. Here are some other security practices people self-reported implementing after the training:
- Using multifactor authentication: 40%
- Using a password manager: 35%
- Regularly installing updates: 40%
- Backing up data: 34%.
Ongoing Training Matters
As mentioned, over three-fourths of respondents in the Cybsafe report did not receive ongoing training. This may be a huge mistake.
A paper presented at USENIX SOUPS assessed the lasting impact of phishing training. In the study, researchers conducted periodic tests at regular intervals to see when the employees would lose their ability to identify phishing messages. They divided the employees into several groups and tested them four, six, eight, 10 and 12 months after receiving an in-person phishing training session.
The research team discovered that participants were able to accurately spot phishing emails four months after their initial training. However, this ability diminished after six months and beyond. The team recommended conducting new training sessions to maintain the employees’ proficiency in identifying phishing threats.
Which Type of Cyber Awareness Training Works Best?
While it makes sense that training is important, what techniques work best? Is there any data on this?
In the USENIX SOUPS paper, researchers looked at four different reminder measures distributed among four separate groups: text message, video, interactive examples and a brief text. One year after the tutorial, the researchers compared the retention of knowledge among the four reminder groups. The results showed that the video and interactive measures were the most effective. Their impact lasted at least six months after they were implemented.
Additional research was compiled by cyber expert Nipon Nachin writing for the Information Systems Audit and Control Association (ISACA). He summarized that to raise awareness about cybersecurity, organizations have employed many techniques, such as security posters, intranet content, screensaver information, in-person training, videos, simulations and tests. One study has found that using the intranet as a platform for security awareness was the most effective approach listed. It is essential that employees comprehend the organization’s security policy to maximize the impact of security awareness efforts.
One highly effective approach to building security awareness is to send simulated malware emails to test users’ knowledge. Another novel method is using games to educate employees, although this approach does not appear to be as impactful as using videos.
Both Technology and a Human Element are Needed
Organizations continue to be highly vulnerable to breaches based on human error. While technological tools are indispensable to thwart attacks, one wonders how much more should be done to support cyber hygiene. If over half of all employees aren’t getting or aren’t using security training, it’s evident that the gap is large.
What about the cost-benefit? The cost of employee cybersecurity training varies depending on the size of the organization and the type and frequency of training (in-person vs. remote). On average, training costs approximately $5 per user per month. And the time invested only needs to be a few minutes per month. When it comes to cybersecurity spending, that’s dirt cheap. The key is constancy and repetition.
Some estimates show that companies spend an annual average of $2,700 per employee on security. For $60 more, they might go a long way to fill the human error gap.