As users receive more security awareness training, their ability to effectively deal with security threats increases, reveals a new study by MediaPRO, co-sponsored with Osterman Research. The report also found that boring security awareness training doesn’t make employees want to be secure.
“Our research found that users who found training to be ‘very interesting’ were more than 13 times more likely to make fundamental changes in the way they think about security compared to those who found the training to be ‘boring’,” said Michael Osterman, researcher and president of Osterman Research, who conducted the study.
The research supports the claim that employees get far more benefit out of interesting and engaging training, joining facts such as “the sky is blue,” and “water is wet.”
As users receive more security awareness training, their ability to effectively deal with security threats increases, the report found. The “before-and-after” picture shows that users who are properly trained are much more likely to spot phishing attempts, business email compromise, and other cybersecurity threats than their untrained colleagues.
The study, Security Awareness Training as a Key Element in Changing the Security Culture, surveyed both everyday employees and IT managers and decision makers to gauge opinions on the current state of security training and awareness. The work was co-sponsored by training and awareness firm MediaPRO, who wouldn’t know how to produce boring training if you gave them directions.
Other key takeaways from the report include:
- IT, security, and business leaders – while generally wanting to establish a strong cybersecurity culture within their organization – are somehow not conveying that idea effectively to a large proportion of their employees.
- Security awareness training is perceived to be as important as technology in dealing with security threats and organizations will be devoting more employee time to training over the next year.
- Approximately 45 percent of employees surveyed expect to spend 15 minutes or more per month in training by mid-2021, up from 26 percent in 2020.
- Senior IT and business management are much more enthusiastic about security awareness training than are non-management employees.
- Security and IT leaders, their staff members, and business leaders are largely onboard with the idea that developing a strong cybersecurity culture is important; everyday employees, however, are much less convinced about the importance of doing so, indicating that the goal of developing a robust security culture has not yet been achieved in most organizations.
“Security awareness training doesn’t do anyone any good if they sleep through it. You can deliver the best security advice in the world, but if no one is listening, you might as well be talking to a brick wall,” MediaPRO Chief Strategist Lisa Plaggemier said.
“Good security awareness training should get and keep your attention. That’s what it means to be engaging,” Plaggemier continued. “The reality is that nobody is immune from attacks. It only takes one click, which can happen in the blink of an eye, before you even realize what you’ve done. Think of how quickly we all move through our email on busy days. Add to that the stress of COVID. Simply put, human beings are fallible. It’s critical that organizations provide engaging employee training that drives home just how much information is available about all of us.”
To find out more, including detailed findings on what is the best format to deliver training, visit the report here: https://www.mediapro.com/report-security-awareness-training-key-element-security-culture/