Security awareness training: everyone’s responsibility

Chris Dunne, Digital Marketing Manager

Years, even decades into the digital age, cybersecurity has evolved—and the pressing need for it has grown, too.

The latest Hiscox Cyber Readiness Report found that 61 percent of worldwide respondents reported a cyber incident last year, up from 45 percent in the previous report. Yet the same research found that 74 percent of respondents were novices when it came to cybersecurity readiness. In other words, there are more threats yet fewer organizations adequately prepared to handle the evolving dangers.

Of course, most IT and cybersecurity teams actively strive to safeguard company systems and data. And although due diligence on the technical side is critical, everyone in the organization carries some responsibility to protect digital assets. Security awareness training provides an important component of building a culture of compliance and, ultimately, defending the company from the threats that are ever present.

Why training is overlooked

Unfortunately, security awareness training isn’t taken as seriously as it should be by today’s non-IT managers and executives. Often, cybersecurity is viewed as IT’s responsibility, something rank-and-file employees don’t need to concern themselves with. Furthermore, the conventional—and inaccurate—wisdom is that data breaches and IT catastrophes are the results of external threats, and that as long as you protect yourself against the hackers, you’re relatively safe.

However, a large percentage of data breaches are caused by internal actions, whether employees are clicking on bad links that introduce ransomware, exposing passwords and other confidential information, or working remotely without any regard to data security. Although there often are bad guys on the receiving end of these careless actions, ultimately, it’s still employees handing over the keys to the kingdom. Security awareness training delivers knowledge and best practices so that employees know their vital mission to keep company, customer, and employee information secure.

The ROI of security awareness training

Data breaches are incredibly expensive. According to a report by the Ponemon Institute and IBM, the average cost per breach globally is $3.92 million, a number that jumps to $8.19 million in just the United States. Lost company information, lawsuits from compromised customer data, regulatory fines, reputational damage, and the costs of fixing system damage contribute to lost revenue. The ROI of security awareness training may not be instantly apparent, but the money you aren’t losing is money saved—and these savings are easily achieved with quality learning.

Training to the rescue

In theory, rank-and-file employees know they should use strong passwords that are changed often, not open suspicious emails, and take care not to log into company accounts on public Wi-Fi. Yet those best practices aren’t followed, often because they’re just a warning people read someplace and don’t take too seriously.

Quality security awareness training transforms those little alerts into an immersive experience in which employees interact with scenarios directly relevant to their everyday roles and tasks. As a result, they better understand why cybersecurity is their responsibility and how to apply those best practices to everything they do. Muscle memory builds, which subsequently protects the organization by minimizing employee carelessness.

On a larger scale, security awareness training accumulates data from employees as they take the courses. These metrics allow organizations to see weak spots and vulnerable areas that would have gone unnoticed. The data also can identify departments, branch offices, and even regions that are underperforming or may be headed for trouble in the future—this insight informs strategy not only in adjusting training, but also in implementing controls and policies to stave off data breaches before they happen.

A culture of security

Effective training contributes to a larger culture of safety and security throughout the organization. Employees realize that they aren’t just beneficiaries of good cybersecurity, but also part of the solution. Moreover, the efficacy of training can be strengthened with the following tactics:

Adaptive training: Instead of taking employees through a course question by question in a linear path, adaptive training automatically adjusts to the user and their interactions with the course. Employees emerge from training with a unique learning experience knowing what they need to know to make good cybersecurity decisions.
Microlearning: Learning doesn’t need to stop when the formal training course ends. Microlearning delivers training in small pieces, delivered to employees’ inboxes, as reinforcement—no matter if the person struggled with concepts or mastered them—or to introduce new subjects.
Job aids: Training gives employees the knowledge to make good security decisions; job aids offer handy references to confirm those decisions. These digital resources can be consulted whenever an employee needs an extra boost in a compliance situation.

Don’t go it alone

Some organizations don’t know where to begin with security awareness training, daunted by the idea of designing these resources in-house. A sounder approach is to partner with a top-notch compliance training vendor that emphasizes innovation, progress, and results. Such a partner can help your company build a compliance training ecosystem that inspires learning all year long. In this way, employees are always prepared for whatever cybersecurity threats, internal or external, they may encounter.