Cyber security training ‘boring’ and largely ignored – ComputerWeekly.com

While cyber leaders overwhelmingly believe their organisations have a strong security culture, new figures compiled by email security specialist Tessian have revealed that they may be deluding themselves, exposing an alarming disconnect between security pros and the rest of the business.
With three-quarters of UK and US organisations having experienced some kind of cyber incident in the past year, a significant proportion of employees seem to regard training exercises as something to be endured, rather than engaged with.
The report, How security cultures impact employee behaviour, found that while 85% of employees participate in security awareness or training programmes, 64% don’t pay full attention and 36% consider their organisation’s security training boring.
Overall, the report found a general consensus among security leaders over what goes into making up a strong security culture, but with incident volumes remaining stubbornly high, Tessian said it was clear that those at the top had a lot more work to do.
“Everyone in an organisation needs to understand how their work helps keep their co-workers and company secure,” said Kim Burton, head of trust and compliance at Tessian. “To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work.
“It is the security team’s responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows.
“Secure practices should be seen as part of productivity. When people can trust that security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”
The report showed how training exercises – which in many firms comprise little more than “home-brewed” PowerPoint presentations cooked up by legal and compliance experts who have no real understanding of how people engage with educational materials – are failing to impact employees across the board.
For example, 30% of respondents said they didn’t think they had a personal role to play in keeping their company secure, 45% did not know how, or to whom, to report a security incident, and only one in three said they were satisfied with their IT or security team’s communications.
Meanwhile, over half of respondents said they saw nothing inherently risky in actions such as downloading apps to work devices, sending sensitive data to their own personal email accounts, sharing passwords internally, or connecting to open or public Wi-Fi networks on work devices.
And even when it came to clearly risky actions, such as clicking on links in emails from unknown sources or opening unsolicited attachments, leaving work devices unlocked and unattended, and reusing passwords, well over 40% of respondents said they didn’t see a problem.
A big source of disconnection seemed to be a tendency among leadership to use security training to spread fear and uncertainty as a motivator.
For example, half of respondents to Tessian’s study claimed to have had a “negative experience” with a phishing simulation, as illustrated by the 2021 story of a phishing test at West Midlands Trains that went disastrously wrong.
The test appeared to be an email from company leadership detailing a thank-you bonus for employees who had worked through the pandemic, and many people clicked on the link, only to find themselves being ticked off for being insufficiently security-conscious. Union officials described the stunt as “crass and reprehensible”.
According to Karen Renaud, chancellor’s fellow at the University of Strathclyde, and Marc Dupuis, assistant professor at the University of Washington Bothell, such tactics can “cripple employee decision-making, creative thought processes, and the speed and agility that businesses need to operate in today’s demanding world”.
Tessian said there were several things security leaders should be doing to engage employees better with cyber security procedures.
For example, security leaders need to play more of an active role at key touchpoints during an employee’s “journey” with the organisation, such as onboarding, role or office changes, and offboarding. Tessian said onboarding new hires represents a great opportunity to capture people’s imagination before they become cynical and jaded, while more thoughtful and comprehensive offboarding processes can help prevent critical data going missing when someone leaves.
Another thing every security leader should be doing as a matter of course is to establish clear and regular lines of communication across the entire organisation, paying close attention to how much information they share, who it comes from, via what channels, and how frequently.
Tessian offered four key pointers on how to do this effectively:
Finally, it said, there are technological solutions which, sensibly deployed, can help establish cyber “self-efficacy” within the organisation.
Tessian’s report was compiled using data gathered by OnePoll, which surveyed 500 IT security leaders and 2,000 working professionals in the UK and the US.
