The statistics outlining today’s security and cybersecurity challenges are alarming and, frankly, frightening. Thousands of corporate data breaches are reported in basically every industry — and those are just the incidents that get reported. What’s worse is that with hundreds of thousands of organizations estimated to be impacted by certain breaches, more than a third of them didn’t get detected at all.
Of course, part of this growing challenge is a sophisticated, evolving and ever-expanding threat landscape. In this challenging context, a key pillar involves people themselves. No matter how much innovative cybersecurity technology and expertise organizations are throwing at the problem, employees remain vulnerable to phishing, social engineering and other attacks aimed at stealing passwords and user credentials.
While security tools can help reduce these threats, data can’t ultimately stay safe unless all employees learn how to recognize when they're the target of an attack and know what to do — and what not to do. Security leaders and organizations need to continually stay updated on new types of threats and can’t afford to forget the precautions they've already learned. While this seems obvious, and most organizations provide some level of security awareness education to employees, there are still a number of challenges in security training that leave institutions exposed to threats. What are they, and more importantly, how do we respond to them? Read on.
Security Content Gets Too Outdated Too Quickly
Security threats constantly evolve, so what companies do to protect themselves today may not stand up to threats that emerge tomorrow. That means employee security awareness programs can quickly become outdated — failing to educate employees about the current threats and latest attacker techniques and how to recognize them if the programs themselves aren’t up-to-date on emerging threats.
While most organizations have annual training, programs can’t be one-and-done. There must be ongoing, dynamic courses and resources to continually incorporate new materials based on new and evolving threats.
To ensure their effectiveness, security awareness training programs should seamlessly integrate into the routines and schedules of employees in a continuous manner. Criminals don't wait a year before updating their skills. Neither should employees.
Employee Participation Remains Low
It’s always difficult to achieve 100% employee participation, but it doesn't help that many security awareness solutions seem almost designed to discourage participation. Complexity, length of courses and even access issues can all hinder employees from engaging with, let alone learning from, security training.
Removing friction and resistance is core to any successful program. Instead of requiring attendance at particular times or intervals, make the course content as convenient as possible, weaving it into employees’ daily routines rather than creating a burdensome addition. Content in short, consistent bites can be effective as well, so employees can fit training into their daily schedules without a huge time commitment.
Employees Lose Interest and Forget What They Learn
Many training programs are repetitive, uninteresting or too bloated with content to have much of an impact on retention. Plus, science has shown that learners will forget a vast majority of what they learned within a day.
To combat fatigue and information retention, select learning programs that offer fresh, relevant and stimulating content. Enlist well-established techniques like interactivity, clarity, relevance and even gamification to make the material more engaging. And do this more consistently — via microlearning — which strategically breaks content into frequent, engaging lessons that refresh a learner’s memory soon after being exposed to new material. This is key to retention.
Security Programs Are an Administrative Burden
Security awareness programs are a lot of work for administrators. IT and security staff are often responsible for selecting and assigning courses, creating or curating content, following up with users and dealing with the related chores of managing training platforms, like credential and user management. Fully managed programs can remove the legwork of creating, assigning and delivering an ongoing awareness curriculum. This approach ensures that content is kept up to date and is complete, maintaining a managed program that is high-quality and engaging.
Security Programs Focus on Compliance, Not Results
Many security awareness programs are often in conflict over what may satisfy regulators versus what’s necessary to actually stop breaches to begin with. Even if annual compliance training meets a "reasonable effort” to train employees, what really matters is preventing breaches and protecting an organization, its customers, shareholders and partners — as well as the broader public.
Regulatory compliance is important, but it's the wrong metric to focus on when implementing a program. Security awareness efforts should be judged on measurable reductions in intrusions, breaches, damage and, ultimately, cyber risk.
Of the multitude of challenges facing the security industry today — and the professionals working in this field — gaining more engagement and employee understanding of their role in protecting an organization should not continue to be such a burden.
When programs become results-oriented and tailored to the way employees want to learn, organizations develop a culture of security. Security awareness and training programs should be specifically designed to build that culture and help ensure all employees participate, learn, remember and routinely apply the learned material. The goal isn't to check a box once a year — it's to reduce risk. And it’s time employees fully embrace their role in achieving that goal with programs that can help them establish a security-first culture.