Employee Security Awareness Still Dangerously Low, Worsened by Pandemic
Negative attitudes toward security awareness training still prevail.
The “chaos factor” created by remote work has made it even more difficult for organizations to get employees to focus on security awareness.
That’s according to KnowBe4, which released its 2021 State of Privacy and Security Awareness Report on Thursday. It’s based on a random sampling of 1,000 U.S. employees in both SMB and large enterprises.
The report sought to gauge how much cybersecurity training employees get, and the impact it has on security and privacy best practices. The commissioned study asked a variety of questions on general cybersecurity and data privacy knowledge. It addition, it asked about the impact the COVID-19 pandemic had on training.
Disappointing Highlights
Highlights from the security awareness report include:
Only 48% of employees believe it is likely or very likely that their mobile device could become infected with malware if they click on a suspicious email link or attachment.
Employees trained once a month are 34% more likely to believe clicking on a suspicious email link or attachment is risky than those who receive training no more than twice a year.
Only 31% of employees feel they understand business email compromise (BEC) very well and can explain it to others. That’s despite the fact that this attack vector is a huge and growing problem that costs businesses many millions of dollars each year.
A little more than half of employees had continuous cybersecurity and data privacy training continue throughout the lockdowns caused by the pandemic.
An average of 44% of respondents were not sure whether their employer was subject to six different privacy regulations. That includes the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
The finance industry is the most likely to receive security awareness training. Some 91% of finance employees reporting having received some form of training.
Negative Attitude Toward Training
Perry Carpenter is chief evangelist and strategy officer at KnowBe4.
KnowBe4’s Perry Carpenter
“Honestly, we were not super surprised by the results,” he said. “In my former role as a Gartner analyst, I constantly heard security and compliance leaders lament the state of compliance training. And, frankly, the way that compliance training was positioned by vendor and organizations was that it is a necessary evil. Because there has traditionally been such a negative attitude toward this type of training, we should not be surprised when we see lackluster results. And, in general, this mediocrity has existed both on the vendor side, as well as the organizations implementing such training.”
The situation gets worse with remote work, Carpenter said.
“Employees have much less segmentation in their lives than ever before,” he said. “And organizations have a much harder struggle to capture the attention of their employees for any type of training or activity that may seem irrelevant, boring or not in tune with today’s reality.”
Compliance and Cybersecurity Awareness Are Different Concepts
Organizations should view compliance and cybersecurity awareness as separate concepts, Carpenter said.
“There is minimal overlap here, if any,” he said. “Some compliance mandates may require security awareness. But security awareness, itself, is not compliance. Security awareness is about helping people make more secure decisions. It is about driving secure behaviors. And it is about reinforcing all of that by weaving security values throughout the fabric of the organization. So, increasing cybersecurity awareness involves everything from traditional communications and training techniques, to very nuanced behavior-shaping processes and organizational culture management strategies.”
The awareness is there, but organizations do not necessarily see themselves as potentially becoming a victim, Carpenter said.
“They must realize that they could just as easily be on the other side of the coin,” he said. “Unfortunately, awareness does not always lead to proactive countermeasures to fight these sorts of issues. Hard questions must be asked of executives. Also, having a disaster preparedness plan is critical.”
Stu Sjouwerman, KnowBe4‘s CEO, calls the findings “alarming.”
“[The results] highlight the critical need to implement new-school security awareness training for every U.S. employee throughout every organization in this nation,” he said. “Going a step further to build a security-minded culture becomes essential as cybercriminals pose greater threats to business operations.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn. |
About the Author
You May Also Like