Mimecast has recently released the results of a survey on employee security awareness training in businesses. The results show that in many organisations, employees are lacking even basic cybersecurity awareness.
Mimecast, a company specialising in cloud-based email management, conducted the survey to ascertain workplace awareness of cybersecurity issues. The results show that many businesses are not providing adequate training to their employees on the risks of improper cybersecurity practices.
Many organisations have invested huge amounts of money ensuring that they have a robust security framework. Cyberattacks such as hacking or phishing have garnered a great deal of attention recently, and companies are becoming more aware that the correct technical safeguards are necessary in order to protect against a catastrophic cyberattack.
However, an organisation may have a top-notch security framework and still be susceptible to cyberattacks due to a lack of employee awareness of potentially risky activities. A cybercriminal only needs to fool one individual through a phishing attack to gain access to the organisation-wide network. Therefore, a thorough and comprehensive employee training program is equally as vital as a good security framework in ensuring that an organisation is capable of defending itself against a cyberattack.
Despite the evident importance of such training programs, businesses often fail to provide them. Mimecast’s report shows that only 45% of organizations provide employees with formal security awareness training that is mandatory for all employees. A further 10% of organizations have training programs available, but they are only optional.
There is not only a question of whether or not training is provided, but of the frequency and content of the training. Many professional security organisations recommend regular refresher courses on how to deal with cybersecurity threats. These courses should be thorough, interactive, and engaging, in order to instil in employees the importance of the program.
The Mimecast report shows that organisations are not taking this advice and incorporating it into their protocols. Only 6% of organizations provide monthly training and 4% do so quarterly. So just 10% of the 45% are providing training frequently and are adhering to acceptable industry standards for security. A further 9% of the 45% provide security awareness training only when an employee joins the organization.
Mimecast has also found that organisations are failing to ensure that their program, if provided, is thorough. Approximately 33% of organisations provide printed lists of cybersecurity tips or email tips even though many employees will simply ignore those messages and handouts.
About 30% of organisations issue prompts about potentially unsafe links, yet little is done to stop employees actually clicking those links. Employers are instead relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and employees therefore lack the appropriate skills. Only 28% are using interactive training videos that engage users.
These security awareness training statistics show that businesses clearly need to do more. As Mimecast suggests, effective security awareness training means making training mandatory. Training must also be a continuous process, to ensure that employees are not only practiced in how to deal with these threats, but understand the importance of these practices.
Considering a huge proportion of data breaches can be attributed to phishing attempts, it is in the best interests of organisations and the people they serve that cybersecurity training should be taken more seriously.