More than half of businesses consider their employees to be the weakest link in corporate cybersecurity, as their actions may put company data and systems at risk. That is why companies invest heavily in educating them in basic IT security skills. In fact, leading analysts predict the security awareness training market will grow to be worth $10 billion by 2027.
Despite this, some businesses may be sceptical about training staff on cybersecurity. Some may think that people, aware of the potential threats or not, will always make mistakes. Isn't it a waste of the company's money to invest in courses that do not produce the desired results?
The true purpose of security awareness training is, perhaps surprisingly, not to raise awareness. It should change employees' behaviour online, not merely inform them about threats and countermeasures. Based on more than 20 years of researching cyberthreats and providing cybersecurity services that address 'the human factor', we have found that the following five educational pitfalls make cybersecurity training ineffective.
An unsuitable training format
Corporate learning and development comes in different forms: a lecture by a member of the company, a talk by an external speaker, or a computer-based course. A format that suits one business will not necessarily work for another, so companies should choose the format proven effective for the particular skillset they want to build.
In our experience, a tedious lecture is not suitable for a course aimed at improving employees' practical cybersecurity skills. An online format lets you combine a range of content (video, text, tests) and add gamification elements that turn a lesson from a boring obligation into something far more engaging.
Such interactivity makes a cybersecurity course more attractive for employees. Moreover, an online course lets workers progress at their own pace and spend more time on especially complicated topics, which is nearly impossible in a traditional lecture.
The same qualification for all jobs
There is a belief that a company's cybersecurity is everyone's job, since the actions of each person may affect security. So the tempting idea for businesses is to introduce security awareness training with the objective of turning every employee into a cybersecurity pro, and to make it obligatory for everybody, for ultimate peace of mind.
Nonetheless, which parts of a security awareness curriculum are useful for a given employee depends on what systems and information they have access to. Teaching employees things they never deal with (especially at work) is not cost-effective.
Simply put, to withstand mass attacks, everyone should be able to recognise obviously malicious websites, such as pages that prompt the visitor to install a supposed software update. Personnel with access to sensitive information and business-critical systems should then take a more advanced course that teaches them to recognise even personalised fake emails (spear phishing).
Everything at once
Often, security awareness training is designed to cover all important topics at once. However, this format hardly facilitates changing behaviour, as it is unlikely that all the information will be absorbed: working memory is commonly held to retain only about seven chunks of new information at a time.
You may know from your own experience that it is hard to take in many facts and rules all at once. Content is best remembered when it is delivered in bite-sized modules, since it is then less likely to blur into one mass or fade away. If a short lesson (one that does not consume much precious working time) is devoted to a single topic and offers a reasonable number of takeaways, people are more likely to remember how they should react to a particular threat.
Lack of practice and repetition
Sometimes the training content is good but it is not memorised as it should be, simply for lack of repetition. Yet repetition is the cornerstone of translating awareness into action. Security training courses are often taken by uninspired audiences who may listen to the instructions but are unmotivated to learn them and commit them to memory.
Companies should therefore implement courses that make topics easy to remember by emphasising the most critical points several times. For example, to underline the importance of strong passwords, the topic should be reinforced throughout the course: in lessons about protecting sensitive information, social media, email, and so on.
Lack of real-life relevance
The solution to employees' lack of awareness may seem obvious: raise awareness by telling employees the general cybersecurity rules and policies. Unfortunately, this strategy will hardly work when the aim is to change behaviour for the better. Most employees simply do not have a security, or even a general IT, background.
They may not understand what to do if you simply advise them to keep their applications updated and be careful when opening suspicious attachments. To overcome this communication barrier, the learning content should simulate the situations an employee could actually face, such as working through their inbox or searching the web for a site to download their favourite series.
In a nutshell
To be successful, training needs to be conducted in a way that not only covers the essential topics but makes them easy to understand and memorise. When employees are forced to spend hours in lengthy training sessions on topics that are not part of their job responsibilities, it is difficult to ensure they take the advice on board.
However, if the training does not take much time to complete and is easy to understand, it is much more likely to result in fewer mistakes and stronger overall security.