A recent survey conducted by Mimecast has produced some interesting security awareness training statistics for 2018. The survey shows many businesses are taking considerable risks by not providing adequate training to their employees on cybersecurity.
Ask the IT department what the greatest cybersecurity risk is and many will say end users. IT teams put a considerable amount of effort into implementing and maintaining cybersecurity defenses, only for employees to take actions that introduce malware or result in an email breach. It is understandable that they are frustrated with employees. Most cyberattacks start with end users. By compromising one device, an attacker gains a foothold in the network, which can then be used as a launchpad for further attacks on the organization.
However, it doesn’t need to be like that. Businesses can create a strong last line of defense by providing security awareness training to employees to help them identify threats and to condition them in how to respond to and report issues to their IT team. The problem is that many businesses are failing to do that. Even when cybersecurity training is provided, it is often insufficient or not mandatory, which means it is only partially effective.
Mimecast’s security awareness training statistics show this clearly. Only 45% of organizations provide employees with formal security awareness training that is mandatory for all employees. A further 10% of organizations have training programs available, but they are only optional.
Delve deeper into these security awareness training statistics and they are not quite as they appear. Yes, 45% of organizations provide mandatory cybersecurity training, but in many cases it falls short of what is necessary.
For example, only 6% of organizations provide monthly training and 4% do so quarterly. So just 10% of the 45% are providing training frequently enough to adhere to acceptable industry standards for security. 9% of the 45% only provide security awareness training when an employee joins the organization.
The training methods used suggest that, for many organizations, security awareness training is more of a checkbox item. 33% provide printed lists of cybersecurity tips or emailed tips, even though many employees will simply ignore those messages and handouts.
30% issue prompts about potentially unsafe links, yet little is done to stop employees from actually clicking those links. Employers are instead relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and employees do not have the appropriate skills. Only 28% are using interactive training videos that engage users.
These security awareness training statistics show that businesses clearly need to do more. As Mimecast suggests, effective security awareness training means making training mandatory. Training must also be a continuous process, and simply handing out tips is not enough.
You need to engage employees and make the training more enjoyable and, ideally, humorous. As Mimecast puts it: “The easiest way to lose your audience is by making the training boring, irrelevant, and worst of all, forgettable.”