Half Of Employees Don’t Report Security Mistakes

Despite the increased adoption of security awareness training, new research reveals that more than half of cyber security professionals share concerns over security behaviours. 

Respondents to a recent ThinkCyber Security survey, which revealed the attitudes towards security awareness training, were asked what security behaviours caused the most concern at their organisation.

The study also showed that a quarter of cybersecurity professionals doubt their colleagues change their behaviour as a result of current security awareness training.

Furthermore, 60% of respondents admitted they only get training once every few months or even just once a year.

The top results for risky behaviour were:

  • Clicking on links in emails (53%)
  • Sharing corporate data outside of the business (53%)
  • Sharing of usernames and passwords (51%)

As threats grow more sophisticated and frequent, it’s essential to provide regular and consistent training to stay effective. If training doesn’t keep up with the latest threats, organisations will be left vulnerable and stuck in the past.

According to Tim Ward, CEO at ThinkCyber, “Security awareness training is most effectively delivered in the moment when it can be directly contextualised by the recipient. This approach not only enhances comprehension by linking awareness to an immediate and relevant situation but also serves as a proactive nudge towards safe behaviour.”

“By intervening at the precise moment when a risky action is about to be taken, individuals are more likely to understand the specific dangers and consequences associated with their actions. This timely intervention ensures that the lesson is not abstract or theoretical but grounded in a real-world context, making it more impactful...

“Therefore, the individual is informed about potential risks and guided towards making safer choices before any harm can occur, significantly mitigating the chances of a security breach or incident.”

Organisations must also measure and track the progress of their security awareness programmes to determine effectiveness and make changes where necessary. When respondents were asked whether the business had a way to identify the user groups who are carrying out these behaviours, almost half (49%) said that they did not for all behaviours causing concern.

Other Findings from the Survey Included:

  • 42% of respondents felt that their organisation could not even somewhat prove whether their current security awareness training is changing risky behaviours. For those who felt that their business could somewhat prove a change in risky behaviours, further research would be required to determine whether that proof takes the form of phishing test click rates, which can be highly variable.
  • Half of respondents said that they would not feel free from repercussions if they reported a mistake within their organisation.
  • When asked whether they felt like security awareness training is a priority shared across the business, 51% said they thought most people across the business were focused on security, whereas 39% said they felt only the executives and security teams were focused on it.

When so many security experts think that their organisation's security awareness training isn't cutting it, it’s a clear indication that it’s time to re-evaluate.

“Cyber security should be a concern for everyone, so pinpointing which user groups need extra help with safe practices is crucial for any business... A training programme that’s flexible and enjoyable can make all the difference, boosting staff engagement and giving cyber professionals greater confidence in their team’s ability to make smart security decisions.” Ward says.

Top 3 ways to make Security Awareness Training work:  

  • Deliver ongoing training – Annual training isn’t enough. Security awareness training should be provided to employees on a regular basis. This helps to maintain awareness and keeps employees up to date with the latest cybersecurity threats.
  • Drip-feed content – When respondents were asked how they like to receive security awareness training, 70% said they want to keep their knowledge fresh, and that little and often works for them. Delivering the content of your security awareness programme in small, bite-size segments not only helps to maximise engagement levels amongst staff but also helps to reinforce ongoing awareness and learning outcomes.
  • Measure engagement levels and progress – Measure behavioural impact as well as engagement. Engagement levels offer a leading indicator of progress, but behavioural impact shows the effectiveness of the programme in reducing risk and highlights the user groups that display risky behaviour.


Image: Mike Hindle


