Human error is one of the biggest risks in cybersecurity. All it takes for an intruder to gain a foothold in a network is for one employee to enter their login credentials on a phishing site or open a malicious attachment, starting a breach that can cause millions of dollars' worth of damage.
While everyone makes mistakes, a substantial number of employees remain unaware of the security consequences of risky behavior.
Research from Tessian released today found that while 99% of IT and security leaders agreed a strong security culture is important in maintaining a strong security posture, 30% of employees do not think they personally play a role in maintaining their company’s cybersecurity posture.
At the same time, only 39% of employees say they are very likely to report a security incident, which makes it much harder for security teams to investigate and remediate a data breach in time.
Overall, these findings point to a cultural disconnect between the security awareness advocated by CISOs and security leaders and the behavior of users "on the ground," who take a more laissez-faire approach to following best practices.
What’s causing this cultural disconnect?
The core reason for this disconnect between employees and security leaders appears to be that enterprises have done a poor job of communicating why security-conscious behavior matters.
As a Forrester report highlighted earlier this year, many security leaders have a limited vision of how to influence employee behavior and build a culture of security awareness, and “reverted to describing their content and quizzes as ways to measure employee engagement and behavior.”
Many organizations also offer training that users do not find engaging. Tessian's research found that only 28% of UK and US workers believe security awareness training is engaging, and only 36% say they pay full attention to it.
“Employees focus on what they perceive their role to be. If leadership treats security as separate from everyday work, if security is only spoken about during annual training time, people will do what matches with their perception of their job,” said Kim Burton, head of trust and compliance at Tessian.
Security awareness training needs not only clear objectives but consistent reinforcement in a format that is engaging for learners. In practice, that means training that is personalized so employees receive information in a form that matches how they learn.
“It’s been proven time and again that ‘one-size fits all’ security awareness training is not effective or engaging. Smarter, more entertaining, and tailored training can encourage employees to play a more active role in maintaining the security posture of the organization,” Burton said.
A brief look at the security awareness training market
The research comes as the security awareness training market continues to grow, with researchers estimating it will reach a value of $10 billion annually by 2027.
Key leaders in the space include security awareness training platform provider KnowBe4, which offers a platform for creating security awareness training programs with a library of training content including modules, videos, games, posters and newsletters.
KnowBe4 supports 34 languages, and last year acquired SecurityAdvisor to add the ability to detect high-risk user behavior in real time. The company also recently reported $285.4 million in annual recurring revenue (ARR) for last year.
Another key player in the market is CybSafe, a provider offering enterprises security awareness training and phishing simulations, which collects behavioral event data that security teams can use to analyze and develop insights into user behavior.
CybSafe announced a $28 million series B funding round last month.
KnowBe4 sits more in the category of security awareness training solutions that let security teams create and deploy training campaigns, whereas CybSafe focuses more on risk quantification: gathering behavioral data from employees and identifying high-risk individuals who may need further training support.
How organizations can enhance security awareness training opportunities
For organizations that want to enhance security awareness training, Burton says there are some key steps they can take. The first is to remove scaremongering and fear tactics, and to reward employees for their awareness rather than punishing them.
The second is to consider how stress affects security behavior. If employees are stressed and overworked, the likelihood that they click a link to a phishing site increases.
Encouraging employees to take regular breaks between virtual meetings, or introducing no-video meeting days, can help reduce the chance of high-risk behavior.
Enterprises can then complement this by tailoring security awareness training to user roles, incentives and behaviors across departments and demographics, so that each employee gets a highly personalized experience.
It is also important to set out the high-level goals of the security awareness training your organization produces. Gartner recommends that security leaders develop a list of the security practices they want to see embedded in users' day-to-day actions, and use that list to set goals for training programs.
This includes statements such as “all end users use strong passwords,” “check links before you click them,” and “employees only transfer sensitive information via secure, approved channels.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact.