3 Reasons Your Cyber Security Awareness Training Stinks
In today’s digital age, the number of cyber attacks continues to increase year after year. As this growth continues, cybersecurity should be at the forefront of every organization’s priorities. How exactly do you protect against these types of attacks? The simple answer is cyber security awareness training.
Cybersecurity awareness training is a way of teaching employees the best password practices, how to spot phishing attacks, and how to keep their mobile devices secure. It’s no surprise companies everywhere are implementing this type of training since cybersecurity awareness programs have one of the highest ROIs of any security investment. But why?
Employees always have been and likely always will be the weakest link in your security armor. No matter how extensive your security technology is, all it takes is one unaware employee clicking on a phishing link to expose the entire organization. After all, users on average open 50% of phishing e-mails and click on links within the first hour.
But don’t take my word for it. Here’s what the National Small Business Association had to say to the House Committee on Small Business last week:
“the level of risk for being a target of cyber-crime is high, 42 percent of small businesses surveyed by the NSBA reported being a victim of a cyber-attack, with cyber-attacks costing an average $32,021 for companies whose business banking accounts were hacked, and $7,115 on average for small businesses overall.”
The problem with cybersecurity awareness training, however, is that many organizations don’t put in the necessary time and effort, and they end up making one of the following mistakes. Take a look and see if you’re making any of these with your cybersecurity awareness program.
Reasons Why Your Cybersecurity Training Program Stinks
1. It’s a Static, Once-a-Year Training Program Just to Check a Box
Just having a cyber security awareness training program is a good thing, but training only once a year with a static program isn’t going to cut it in the long term. Let’s face it. Having staff passively sit in a conference room (or watch a video) once in a while will generate more yawns than knowledge retention, plus they will likely have their guard down a few days later.
You need to make sure the training program is interesting, easy to understand, and updated regularly. Cyber criminals and cyber threats are constantly evolving and adapting to thwart security technology, and your cybersecurity awareness training program should do the same. Be sure to keep it easy to understand and to touch on all the essentials like phishing protection, password basics, securing mobile devices, and using public Wi-Fi.
2. Management Doesn’t Convey the Importance of Training to Employees
Sometimes even if the awareness program in place is helpful, insightful, and repeated multiple times throughout the year, it can be useless if management doesn’t stress its importance. Make sure that employees not only participate in security awareness training but that they also understand how important it is. A great way to stress that importance and show your staff you are committed to the training is to go through it yourself. After all, busy executives can be more vulnerable than anyone else in the organization.
You can also take them through and show them real-life examples of how devastating a phishing attack can be on a company so they understand the potential consequences. The more emphasis management puts on the importance of security awareness training, the less vulnerable the organization is to cyber attacks like phishing.
3. The Training Program Doesn’t Measure Vulnerabilities over Time
The most important aspect of a successful cyber security awareness training program is that you can identify who the weakest links are in your organization. While a couple of quick training sessions per year may be enough for most employees to be able to spot a phishing attempt, some employees may need something more in-depth. By implementing real-life phishing simulations and the necessary tools to track performance, you can help measure vulnerabilities over time and identify the weak links that might need some extra training. It’s been proven that more practice does lead to lower success rates for phishing attempts, which is essential for any organization when an astounding 91% of cyber attacks start with a phishing email.
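Measuring vulnerabilities over time, as described above, comes down to recording each employee’s outcome for every simulated phishing campaign and looking at the trend. The following is an added example, not Envision’s tooling: it takes constructed campaign results and computes the organization-wide click rate per campaign plus the employees who fell for more than one of their last three simulations; the sample data, outcome labels and thresholds are assumptions.

```python
"""Track simulated-phishing results across campaigns and flag employees
who need extra training. All data below is constructed for illustration."""
from collections import defaultdict

# Constructed results: (campaign_id, employee, outcome). Campaign ids sort
# chronologically. Outcomes: "reported" (best), "ignored", "clicked",
# "submitted" (entered credentials on the landing page, worst).
RESULTS = [
    ("2023-Q1", "alice", "clicked"),  ("2023-Q1", "bob", "submitted"),
    ("2023-Q1", "carol", "ignored"),  ("2023-Q1", "dave", "clicked"),
    ("2023-Q2", "alice", "ignored"),  ("2023-Q2", "bob", "clicked"),
    ("2023-Q2", "carol", "reported"), ("2023-Q2", "dave", "clicked"),
    ("2023-Q3", "alice", "reported"), ("2023-Q3", "bob", "clicked"),
    ("2023-Q3", "carol", "reported"), ("2023-Q3", "dave", "submitted"),
]

FELL_FOR_IT = {"clicked", "submitted"}  # outcomes counted as a failure


def campaign_click_rates(results):
    """Share of recipients who clicked or submitted, per campaign, in order."""
    totals, fell = defaultdict(int), defaultdict(int)
    for campaign, _, outcome in results:
        totals[campaign] += 1
        fell[campaign] += outcome in FELL_FOR_IT
    return {c: round(fell[c] / totals[c], 2) for c in sorted(totals)}


def employee_history(results):
    """Chronological list of outcomes for each employee."""
    history = defaultdict(list)
    for _, employee, outcome in sorted(results):
        history[employee].append(outcome)
    return history


def needs_extra_training(results, window=3, max_failures=1):
    """Employees who failed more than max_failures of their last `window` tests,
    mapped to their failure count (assumed threshold, tune per organization)."""
    flagged = {}
    for employee, outcomes in employee_history(results).items():
        failures = sum(o in FELL_FOR_IT for o in outcomes[-window:])
        if failures > max_failures:
            flagged[employee] = failures
    return flagged


def is_improving(results):
    """True when the org-wide click rate dropped from the first to the last campaign."""
    rates = list(campaign_click_rates(results).values())
    return len(rates) >= 2 and rates[-1] < rates[0]


if __name__ == "__main__":
    print("click rate per campaign:", campaign_click_rates(RESULTS))
    print("needs extra training:", needs_extra_training(RESULTS))
    print("trend improving:", is_improving(RESULTS))
```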
For all these reasons, at Envision, we base our client’s training on the premise that real-life practice is what makes people internalize the material and truly reduces the risk of a phishing attack. We take a short, engaging video training series and combine it with unexpected test phishing emails that the employees receive regularly and look very much like one they could receive from cyber criminals, allowing them to see real-life scenarios and learn what they did wrong. If you think your security awareness training program could use some work, now you know who to call!