While training is important to reduce data breaches, it’s more about quality than quantity
More cyber security awareness training for employees does not equate to fewer security incidents for businesses, according to a new report from email security software company Tessian.
In The State of Data Loss Prevention 2020 report, the company found that IT leaders count security awareness training and ‘following company policies and procedures’ as the most effective ways to prevent data loss.
More than half (61%) of employee survey respondents have training every six months or more, while industries such as financial services and healthcare have it even more frequently.
Chief information security officers (CISOs) and chief information officers (CIOs) are usually tasked with providing this training, and it has become even more important during the pandemic: organizations have had to shift quickly to remote working, which exposes employees and businesses to new cyber threats.
By educating employees on best practices for data sharing, data storage and data loss, organizations hope to reduce the chance of a data breach.
However, the Tessian report found that the percentage of employees who admitted to sending emails to the wrong person was the highest in organizations that provide security awareness training the most frequently. Nearly two thirds (63%) of employees who receive training every one to three months say they remember sending emails to the wrong person.
This drops quite significantly to 43% in organizations that conduct training once a year or less often. In addition, employees who receive training once every one to three months were almost twice as likely to say they’ve sent company data to personal email accounts as employees who received training just once a year.
Allen Look, former CISO of the SI Group, suggested that while user awareness was a big deal and training programs were key, many organizations did not follow up on training.
Perhaps employees should be frequently tested to ensure they’re up-to-date on policies, or be rewarded when they spot phishing scams.
While the survey data may suggest that there was some fatigue caused by excessive training, Jim Gumbley, cyber security principal at technology consultancy ThoughtWorks, suggested this may not be the case and that there are many factors in play at the same time.
“From experience, quality can be more important than quantity. If training is dry and carried out for compliance purposes only, it will not have much effect. To change behaviour, the training needs to be engaging and lock into the things which influence how folks think about security and act around sensitive data – this includes highlighting ‘why’,” he says.
There also has to be consideration of both the different personality types within a company and the organization’s overall culture.
“Some people are more conscientious whereas others are more erratic. Different personality types are drawn to different types of work. That is going to affect how receptive they are to the messages in training. Meanwhile, awareness training tailored to an organization’s particular culture and risk profile will prove more effective than off-the-shelf training,” he says.