Why It's Time To Overhaul Cybersecurity Training For Employees
Two key factors have converged to make cybersecurity a big issue for organisations across all sectors and industries. Firstly, the level of threat has reached new heights with cybercrime overtaking physical theft as the most common type of fraud against businesses (ENISA). And secondly, the introduction of GDPR, the new regulation governing data protection in the EU means that businesses are now obliged to report certain types of cybersecurity breaches.
Increased threat combined with greater public visibility is keeping cybersecurity high on the C-Suite radar. In fact, cybersecurity has had a place in the top 5 on the list of business threats reported by CEOs for the past two years (PwC). In response to this strategic challenge, you might expect cybersecurity to be a priority for L&D teams. Certainly, some organisations are investing in programmes to raise employee awareness and knowledge of cybersecurity. However, there’s also evidence to suggest training in this area isn’t getting the attention it deserves.
7 Reasons To Act
We’ve identified 7 compelling reasons to act now to ensure cybersecurity training is fit for the challenge ahead. Using data on cyberattacks and security from across the world, we’re making the case for an overhaul of cybersecurity training. Now is the time to review how you support your employees to stay cyber safe in the face of an escalating threat.
1. People Are The Weak Spot
It’s easy to assume that a cyber threat requires a technological response, and of course, that’s part of the defense against the hackers. However, as firewalls, anti-virus protection, and malware defense systems become more sophisticated, the hackers are looking for an easier way in, and that means targeting the people in your business.
The insider threat, where employees facilitate a cyberattack, is now the most common source of a security breach; 53% of companies have reported an insider attack in the past 12 months and 90% feel vulnerable to the insider threat (2019 Insider Threat Report). Most of these insider attacks (51%) are accidental or unintentional, involving staff doing the wrong thing because they lack the knowledge, skills, awareness or confidence to spot the threat. This suggests people either aren’t getting the training they need or that they’re not getting the right training at the right time.
2. Where’s The Training?
So, what is the level of cybersecurity training provision for employees today?
It’s a mixed picture, but data from the UK government suggests part of the problem is not enough training is taking place. A 2019 survey of businesses found that just 27% had given their employees any cybersecurity training in the previous 12 months (Cyber Security Breaches Survey 2019) [1]. And, when asked what was stopping them, businesses cite "lack of training and expertise" as the top barrier in managing the internal cyber threat (2019 Insider Threat Report).
3. Don’t Forget The Frontline
Even where training is taking place, it may not be aimed at the employees being targeted by hackers. Regular workers pose the biggest insider security threat (2019 Insider Threat Report), but they are the least likely group to receive cybersecurity training (Cyber Security Breaches Survey 2019). Senior managers are, by far, the priority for cybersecurity training (81%) according to UK government data. While this is encouraging from a leadership perspective if it means training opportunities are not extended throughout the workforce, it could be playing into the hands of the hackers.
4. Eradicate "Tick Box"
Making good decisions and applying safe behaviours needs more than an information-heavy training course. An eLearning game, allows people to build knowledge and skill by playing repeatedly. Players practise tasks, like spotting a phishing email or hacking incident, over and over again, until they reach mastery of the topic when they complete the game. This helps them to apply what they’ve learned much more effectively in the real world.
Another bonus is that a game is a much more engaging and enjoyable way to learn about cybersecurity, which in turn, drives participation, overcoming problems around "compliance fatigue" and "content boredom." This all helps to move cybersecurity training from a "tick box" exercise to a means for real-world behaviour change.
5. Trust The Learning Experts
You might expect responsibility for cybersecurity to sit with a specific department in an organisation, whether that’s IT, compliance, legal or risk, but is the same function automatically responsible for cybersecurity training? The answer is not clear in many businesses, and this confusion over who takes responsibility may be adding to the problems with training. A common scenario is that an expert in cybersecurity takes the lead on training—they are masters of the subject, after all. However, where a Subject Matter Expert works with a learning expert (either the internal L&D team or an external learning provider), training is likely to be more effective and engaging.
6. Hackers Won’t Stop
Cybercrime is getting worse, and there’s no sign that the hackers are giving up any time soon. Recent figures from the UK’s Financial Conduct Authority provide an illuminating snapshot of the situation in the financial services sector; in 2018, banks and other financial institutions saw a 1000% rise in reported cyberattacks [2]. Meanwhile, mail and phishing messages are now the primary route of cyber infection in Europe (ENISA). It’s even been called a "cyber epidemic" with cybercrime now the fastest growing crime in the US, with businesses predicted to lose around $6 trillion annually through cybercrime by 2021 (Cybersecurity Ventures) [3].
7. Penalties Just Got Serious
Recent announcements in the UK by the information commissioner are refocusing minds, once again, on what’s at stake when a cyber breach takes place. Elizabeth Denham has announced her intention to fine Marriott International more than £99 million and British Airways over £183 million for breaches of data protection law, both related to a cyber incident (ICO). These are among the first examples of the greatly increased penalties available to the Commissioner (and other European regulators) under the new legislation. Such tough penalties are likely to renew the debate around whether enough is being done to train employees in both GDPR and cybersecurity.
Given the escalating threat, it’s time to review cybersecurity training to check it’s up to the task. As learning experts in the organisation, L&D is uniquely placed to ensure that employees are given the best possible chance of improving their knowledge and confidence to reduce risk and protect the business from the inside out.
References:
[1] Cyber Security Breaches Survey 2019 (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/813599/Cyber_Security_Breaches_Survey_2019_-_Main_Report.pdf)
[2] Cyber-incident reports from UK finance sector spiked by 1,000% in 2018
[3] 2019 Official Annual Cybercrime Report (https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf)
