Some of you have already started developing your 2024 budgets and allocating funds to areas of security within your organization. It’s safe to say that employee security awareness training is also an expense item. However, its effectiveness remains an open question as people still engage in unsafe behaviors in the workplace. Additionally, social engineering remains one of the most prevalent attacks, followed by successful data exfiltration. Microsoft found that a popular video-based training format reduced phishing clicks by approximately 3%. Microsoft says this number has been stable for years, while phishing attacks have increased year by year.
Regardless, organizations have confidence in training and tend to increase their security investments in employee training following an attack. According to IBM Security’s 2023 Cost of a Data Breach Report, employee training ranks second on 51% of organizations’ priority lists, right behind incident response planning and testing.
So, what keeps us from giving up on security awareness training? We reviewed surveys, spoke with IT security engineers, and discussed training content with the creators of new cybersecurity courses.
People want to learn but don’t have the time
Ineffective training can no longer be justified by a lack of employee interest. A staggering 64% of respondents to the CybSafe research survey asked for time to be allocated to integrating security awareness courses into their work schedules. On top of that, 43% of employees find engagement and interactivity more attractive than financial rewards, indicating they want dynamic and useful experiences. As CybSafe puts it, “This shows that employees value integrating training into their daily work rather than extrinsic rewards.”
Time is the most important resource in cybersecurity learning. Employees are often expected to deliver their work on short deadlines. In a fast-paced work environment, it’s easier to skip long training sessions and complete daily tasks to meet KPIs.
But some cybersecurity professionals are ready to adapt to current work styles and short attention spans. Cybersecuritoons is a cybersecurity course designed to provide security basics in just 1 minute and 30 seconds. Instead of the usual lengthy videos and presentations, Cybersecuritoons features four short comics covering four main topics: passwords, phishing, remote working, and malware. Overall, the entire course takes 6 minutes.
Cybersecuritoons was created by a team of experts at Moonlock, the cybersecurity division of software development company MacPaw. “Moonlock’s mission is to make online security accessible to everyone,” said Oleg Stukalenko, lead product manager at Moonlock. “First, we integrated our own anti-malware technology, the Moonlock Engine, into one of the most popular macOS cleaners on the App Store. One – CleanMyMac
Moonlock gets to the point by choosing to keep things brief. Content creators can no longer count on people’s undivided attention, and this applies to online safety content as well. In busy work situations, a brief training followed by relevant practical and interactive courses is a preferable and more effective way to review cybersecurity knowledge.
Human solutions to human error
Stress, pressure to complete tasks on time, and burnout are the reasons why humans make mistakes and fall for social engineering. When Tessian surveyed employees for the Psychology of Human Error report, 50% of respondents said that, stressed and short on time, they had sent an email to the wrong person or sent the wrong attachment.
Security departments may install state-of-the-art technology across several lines of defense, but it only takes one human click to render all tools and firewalls useless. No matter what form it takes, awareness training is a gentle everyday reminder that can save our organizations from millions of dollars in financial and reputational damage. IBM Security said there was a $1.5 million (33.9%) difference in the cost of a data breach between companies with higher and lower adoption of workplace security awareness training.
The reality is that we must teach our employees to be better gatekeepers of enterprise security technology. Together we have the tools to create a human dimension of resilience against cyberattacks and directly impact the shaping of the security design process within our organizations. Statistics consistently show that most attacks can be prevented by adhering to minimal security practices. That’s why we’ll be seeing more cybersecurity content like this in the near future: short, designed for different levels of security expertise, and easy to access. In fact, the cybersecurity training market is expected to reach $10 billion by 2026. That is a long way from the annual revenue of approximately US$1 billion in 2014.
How feedback changes awareness training
As with any human-centered approach, building human firewalls should take into account the fact that humans are different. This leads security teams to continually review their security awareness training strategies. They’re shifting their perspective from formal education to equipping colleagues with tools to help security professionals respond to cyberattacks.
MacPaw, a software development company and home to Moonlock and Cybersecuritoons, believes that the security of an organization depends on the entire team. Artem Bovtiukh, IT security engineer at MacPaw, says that while the primary goal of regular awareness training is to remind you of the basics of security hygiene, the most important thing is to foster a feedback-based security culture within the company. “The effectiveness of the training can be seen through our internal audits. But the most valuable result is how our colleagues pay attention to suspicious incidents and report them to us,” says Artem.
Feedback also helps security teams shape how training is implemented. Artem noted that everyone can come to them with questions, doubts and opinions about everyday cybersecurity issues. All of this will be taken into account in the composition of subsequent employee training. “Our experience shows that the best motivation for completing safety meetings is not the time of completion or simply the fact that it was completed,” shares Anastasia Hutorova, Learning and Development Specialist at MacPaw. “We are transparent about the training objectives, its impact, how it aligns with business goals or/and company OKRs, and the role it plays in the professional development of our associates.”
MacPaw encourages all teams to take a few days off to read security awareness materials. Under the policy, all team members can take advantage of dedicated education days to focus on learning new knowledge, including cybersecurity. Going back to lack of time as the main reason why employees skip training or engage in unsafe behaviors at work, the idea of allocating dedicated time sounds very reasonable.