If you are an IT manager looking for information to present to your bosses to emphasize the need for an effective cybersecurity training program, new data from a 2021 research study might be just what you need.
Security services provider Thycotic published the survey results in a report entitled “Balancing Risk, Productivity, and Security.” The firm partnered with SAPIO Research to conduct a survey of 8,041 workers in 15 countries. The results are surprising, if not shocking, and offer several reasons for concern.
What researchers learned
The survey revealed that, although more than 85% of those polled said they felt some responsibility for ensuring that they don’t do things that could expose their organizations to increased risk, 51% of respondents believed their IT departments should be completely responsible for preventing their employers from falling victim to cyber attacks. Many in the IT business have been irritated by this mindset before, but most probably hadn’t imagined the number would be so high.
Nearly half of respondents (45%) believed cyber attacks posed little or no risk to their organizations. Perhaps that’s why, according to the Thycotic report, 79% of survey participants admitted to having engaged in at least one risky activity within the previous year. The activities included sharing their login credentials with coworkers, using personal devices at work without authorization, using the same password for multiple accounts, and even permitting their company devices to be used by family members.
Why is this happening, and what’s the reason for the lack of cybersecurity concern? Per the survey, a shockingly high 56% of respondents said they had received no cybersecurity training within the previous year. They simply don’t know they should be concerned. They’re not told that their behaviors can create significant risks for their employers or that the IT department can’t stop every attack. Because phishing is, and has been for some time, the most utilized attack vector (see Verizon’s Data Breach Investigations Report at verizon.com/business/resources/reports/dbir/), and because the best defense against phishing and other social engineering attacks is user education, this lack of training is truly alarming.
Recent events increase the threat
With so many working remotely since the pandemic began in 2020, employees must be given additional training regarding risks associated with remote connectivity, using personal devices to connect to company resources, allowing family members to use company-owned devices, and maintaining the security of their home networks. Effectively, allowing employees to work remotely has transformed what had been local area networks into wide area networks, with home networks becoming part of organizational infrastructure. This significantly expands the attack surface.
Build an effective training program
Effective cybersecurity training programs are ongoing, continuously updated, and periodically evaluated to measure their effectiveness and identify areas needing improvement. They require the active participation of trainees. Merely sending out a newsletter and assuming employees are reading it, understanding the material, and retaining the information isn’t sufficient. They need to be engaged. Requiring them to participate in tabletop exercises and perhaps some classroom or online courses allows them to ask questions. Quizzes ensure that they are paying attention.
Introducing stress into the mix improves retention. An example would be simulated phishing campaigns wherein employees receive suspicious emails and don’t know whether they are real threats or fakes. Offering training employees can benefit from in their personal lives as well as at work gives them more incentive to learn and retain the information.
Monitor employees’ endpoints
With a service like Cybriant MDR, you can monitor and protect all endpoints on a 24/7 basis. The service includes lightweight software installed on all the endpoints you want to protect, and our team watches those endpoints for unusual activity. By using AI technology, we can detect and prevent attacks before they can fully execute. When a threat is detected, we can contain and mitigate it across a wide range of attack types.