Despite the growing implementation of security awareness training, recent research indicates that over half of cybersecurity professionals are concerned about security behaviours within their organisations.
Key Findings from the Survey
A survey conducted by ThinkCyber has revealed significant insights into attitudes towards security awareness training. Participants were asked to identify the security behaviours that posed the most concern in their organisations. The top issues were:
- Clicking on links in emails (53%)
- Sharing corporate data outside of the business (53%)
- Sharing usernames and passwords (51%)
The study also found that a quarter of cybersecurity professionals are sceptical that their current security awareness training will change their colleagues' behaviour. Moreover, 60% admitted they only receive training once every few months or even just once a year. As threats become more sophisticated and frequent, training must be regular and consistent to remain effective. Without keeping up with the latest threats, organisations risk becoming vulnerable and outdated.
The Importance of Contextual Training
Tim Ward, CEO at ThinkCyber, stresses the importance of delivering security awareness training in the moment when it can be directly contextualised by the recipient. “This approach not only enhances comprehension by linking awareness to an immediate and relevant situation but also serves as a proactive nudge towards safe behaviour,” he explains. “By intervening precisely when a risky action is about to be taken, individuals are more likely to understand the specific dangers and consequences associated with their actions. This timely intervention ensures that the lesson is not abstract or theoretical but grounded in a real-world context, making it more impactful.”
Imagine an employee receiving a phishing email that looks like it’s from their bank. If they’ve recently completed a training module on identifying phishing attempts, they’re more likely to recognise the red flags and avoid clicking on the malicious link.
Measuring and Tracking Effectiveness
Organisations must measure and track the progress of their security awareness programmes to determine their effectiveness and make necessary adjustments. When respondents were asked whether their business had a way to identify the user groups engaging in concerning behaviours, almost half (49%) said they could not do so for all of the behaviours causing concern.
Additional findings from the survey included:
- 42% of respondents felt that their organisation could not even somewhat prove whether their current security awareness training is changing risky behaviours.
- Half of respondents said they would not feel free from repercussions if they reported a mistake within their organisation.
- 51% of respondents believed that most people across the business were focused on security, whereas 39% felt only the executives and security teams were focused on it.
Time for Re-evaluation
When numerous security experts admit that their organisation’s security awareness training isn’t effective, it’s a clear sign that something needs to change. Ward adds, “Cybersecurity should be a concern for everyone, so pinpointing which user groups need extra help with safe practices is crucial for any business. A training programme that’s flexible and enjoyable can make all the difference, boosting staff engagement and giving cyber professionals greater confidence in their team’s ability to make smart security decisions.”
A company that regularly updates its training materials and uses engaging delivery methods, such as nudge theory, sees higher participation rates and better information retention among employees. This proactive approach helps reduce incidents of data breaches and other security issues.
Top 3 Ways to Improve Security Awareness Training
- Deliver ongoing training – Annual training isn’t sufficient. Security awareness training should be provided to employees regularly to maintain awareness and keep them updated with the latest cybersecurity threats.
- Drip-feed content – When asked how they prefer to receive security awareness training, 70% of respondents said they want to keep their knowledge fresh, and that little and often works best. Delivering the content of your security awareness programme in small, bite-sized segments helps maximise engagement and reinforce ongoing awareness and learning outcomes.
- Measure engagement levels and progress – Measure behavioural impact as well as engagement. Measuring engagement levels offers a leading indicator of progress, but behavioural impact shows the effectiveness of the programme in reducing risk and highlighting user groups that display risky behaviour.




