Cybersecurity is a global concern for companies across all sectors and industries, threatening not just their safety and reputation but growth, profitability and even future viability. The National Crime Agency reports that cybercrime now accounts for more than half of all crime in the UK and has overtaken physical theft as the most common type of fraud against businesses (ENISA).
It’s hard to think of an issue that’s more business critical, so you would expect organisations to be investing in the most effective training available to them. However, there’s evidence to suggest that cybersecurity training really isn’t being given the attention it deserves.
We’ve identified six key reasons why cybersecurity training not only needs to be prioritised but should be overhauled to give employees the tools they need to protect themselves and the organisations they work for.
1. Cybersecurity is about people
There’s a growing realisation that as well as technological measures, such as firewalls, anti-malware systems and virus detection, a strong cybersecurity strategy must address the risks posed by employees inside the organisation. In fact, 90% of companies feel vulnerable to this type of insider threat, with 53% reporting an insider attack in the past 12 months (2019 Insider Threat Report).
However, the nature of the internal threat is all too often characterised as a malicious worker, deliberately out to wreak havoc as an act of revenge or for their own personal gain. In fact, the majority of insider attacks (51%) are accidental or unintentional; employees doing the wrong thing because they lack the knowledge, skills, awareness or confidence to protect the business.
2. Not enough training is happening
The UK government’s Cyber Security Breaches Survey 2019 found that just 27% of businesses had provided cybersecurity training in the previous 12 months. Although the study suggests the picture is better in the largest companies, the level of cybersecurity training across businesses overall remains low. Even where the insider threat is recognised as a key concern, lack of training and expertise is cited as the top barrier to managing the internal cyberthreat within companies (2019 Insider Threat Report).
Discover more about Cybersecurity Sorted, Sponge's off-the-shelf learning solution. Empower your people to spot the signs of a cyberattack and confidently respond to mitigate threats. Our seriously engaging game gets your staff up to speed quickly and effectively.
3. The general workforce are not being trained
Having already established that the majority of businesses aren’t training any of their employees in cybersecurity, the evidence suggests that when they do offer training, it may not reach the right people. According to the Cyber Security Breaches Survey 2019, directors or senior managers are the staff group most likely to receive training (81%), while other employees who are not cyber or IT specialists are among the least likely (29%). This runs counter to the fact that regular employees pose the biggest insider security threat, at 56% (2019 Insider Threat Report). Clearly, it’s essential that those at the top are trained in cybersecurity, but if this happens at the expense of opportunities for the wider workforce, companies are leaving themselves open to risk.
4. Confusion over who takes responsibility
Who has responsibility for delivering cybersecurity training in your organisation? It may sound like a simple question, but the answer is often far from straightforward. Responsibility for cybersecurity is likely to sit with a specific department, whether that’s a risk, compliance, IT or technology function; however, that department may or may not include training within its remit. What often happens is that an expert in cybersecurity, rather than an expert in training people, takes the lead. Where cybersecurity training is most effective, the department responsible for cybersecurity works closely with learning specialists (whether within the organisation or an external provider) to ensure the training is both effective and engaging.
5. Ticking a box, not changing behaviour
In the organisations where cybersecurity training is rolled out, what does it teach people? If it’s simply informing them about the corporate policy or relaying the rules and procedures, it will have limited impact. For people to do the right things to protect your business, training must allow them space to practise, so they can make good decisions and apply those safe behaviours in the real world.
In this respect, a training game, like Cybersecurity Sorted, gives employees the opportunity to build their skills and knowledge by playing over and over again, so spotting a phishing email or a hacking incident becomes second nature. It’s also a highly engaging experience that motivates employees to complete the training, rather than drag their heels because it’s boring or irrelevant to their job.
You can read more about how games help people build their cybersecurity knowledge and skills in our new download on the subject: Play cybersafe: 5 ways learning games can bolster your cyber defence.
6. The cyber threat is escalating
Cyberattacks are increasing, and more cybercriminals are targeting employees as their favoured point of attack. In fact, email and phishing messages have become the primary malware infection route in Europe (ENISA). And as the threat grows, so do the financial consequences: the average total cost of a data breach in 2018 reached $3.86m, an increase of 6.4% on the previous year. To meet the escalating number of attacks, companies will need to use every available defence, and that must include measures to make employees the first and strongest line of defence.
Only by rethinking cybersecurity training and empowering your people can you reduce the risk and protect your organisation from the inside out.