When it comes to today’s security challenges, the statistics are alarming.
Nearly 7,000 corporate data breaches were reported between 2016 and 2020, with the number rising on average each year. Making matters worse, companies didn’t detect 41 percent of these breaches. And it’s not just big companies getting hit—a whopping 88 percent of small-business owners feel they’re not sufficiently protected against cyberattacks.
Part of the problem is attackers leverage increasingly sophisticated types of attacks, even as organizations gather and rely on a growing volume of data.
However, a key factor involves people themselves. No matter how much innovative cybersecurity technology and expertise organizations are throwing at the problem, employees remain vulnerable to phishing, social engineering, and other attacks aimed at stealing passwords and user credentials.
While security tools can help reduce these threats, data can’t ultimately stay safe unless all employees learn how to recognize when they’re the target of an attack and know what to do—and what not to do—when they happen. They need to continually stay updated on new types of threats and can’t afford to forget the precautions they’ve already learned.
For this reason, most organizations provide security awareness education to employees. But given how often hackers continue bypassing security controls, it’s clear there’s a huge need for improvement. With that in mind, here are some of the biggest challenges for security-awareness programs—and how to solve them.
Today’s Biggest Security Awareness Program Challenges
Challenge #1: Security Awareness Content Becomes Outdated Fast
Cybersecurity threats constantly evolve, so what companies do to protect themselves today may not stand up to threats that emerge tomorrow. That means employee security awareness programs can quickly become outdated and obsolete—failing to educate employees about the current threats and how to recognize them.
While many security principles are timeless and foundational, employees must also stay informed on the most recent events and techniques. As a result, courses offered annually have no way of keeping up.
Programs can’t be one-and-done. They must be ongoing, dynamic courses and tools that continually incorporate new material based on evolving threats, and provide effective instruction using the latest training techniques.
Since annual training quickly becomes obsolete, companies must keep their employees’ knowledge sharp through ongoing education. To ensure their effectiveness, programs should seamlessly integrate into the routines and schedules of employees. Cybercriminals don’t wait a year before updating their skills. Neither should employees.
Challenge #2: Programs are a Burden on Administrators
Security awareness programs can be a lot of work for administrators. At minimum, the administrator is responsible for selecting and assigning courses, following up with users, and dealing with related chores such as resetting passwords.
In some cases, the administrator is also responsible for creating and curating content, an extremely labor-intensive process. As a result, overburdened administrators can frequently become overburdened by the manual process of running a security awareness training tool.
Use a security awareness program that’s fully managed, such as RH-ISAC’s upcoming Security Awareness Symposium. Managed programs remove the legwork of creating, assigning, and delivering an ongoing awareness curriculum. Not only does a managed program free up the administrator to focus on other important tasks, it also ensures the security awareness content is kept up to date, complete, and of high quality.
Challenge #3: Low Employee Participation
It’s always difficult to achieve 100-percent employee participation, but it doesn’t help that many security awareness solutions seem almost designed to discourage participation. Keep in mind that the harder it is for users to access lessons, the less likely they are to complete it.
For programs that require ongoing learning, as all programs should, employees typically need to log in between one and four times a month to complete their training. Additional friction comes when employees are required to physically go to a specific location at specific times.
Content that varies in length from session to session frustrates employees, since they don’t know what to expect or how much time they need to budget. For busy employees, their frustration risks getting to a point where they come to resent the program and simply avoid it.
Remove resistance from program participation wherever possible. Instead of requiring attendance at particular times or particular places, make the course content as convenient as possible, weaving it into employees’ daily routines rather than making it a burdensome addition. Establish a short, consistent content length so employees never dread being stuck in a session when they’re eager to get back to their work.
Challenge #4: Employees Lose Interest
Security awareness content needs to stay engaging and focused. Unfortunately, many programs use training content that’s repetitive, uninteresting or try to include way too much information or cover way too many topics in one session. Employees shouldn’t have to deal with training sessions that are painfully slow or miss the mark on sharing content in an effective style for the modern adult learner.
It doesn’t take a behavioral expert to know that someone who finds a course ineffective at teaching them why they need to know the information will find ways to avoid participating—or, alternatively, tune out and avoid putting in the effort required to absorb the material.
Select a program that offers fresh, relevant, and stimulating content. Enlist well-established training techniques such as interactivity, clarity, relevance, and a judicious use of video to be both informative and engaging . Don’t ask employees to sit through the same session they sat through six months ago as a refresher; instead offer new content that builds on prior material with a new perspective.
Some programs successfully integrate gamification principles to make the material more engaging. Every boost in the material’s ability to hold employees’ interest will also bump up participation and increase content understanding.
Challenge #5: Employees Forget What They’ve Learned
Scientists have known for more than a century that when asked to learn new material, learners will forget up to 70 percent more than 80% of what they’ve learned in less than a month. of it within a day. A security awareness course offered once a year means employees forget what they learned months before, leaving the organization vulnerable
Programs with ongoing sessions do better in helping employees retain security knowledge—but these sessions must also be relevant and engaging or employees won’t pick up on the importance of the lessons.
Introduce microlearning, which strategically breaks content into frequent, engaging, lessons of three minutes or less.
Refreshing a learner’s memory soon after first being exposed to new material is the key to retention, and microlearning is designed to be efficient and effective at doing so. Since lessons are short, microlearning also requires the content to be relevant and focused on one key concept and as a result more effective for the viewer to retain the intended lesson.
Challenge #6: The Program Doesn’t Actually Help Stop Breaches
Many security awareness programs have little to no effect on the actual prevention of incidents and breaches. After an organization experiences a breach, it may claim that it has undertaken the required “reasonable effort” to train employees, but while that effort may be enough to satisfy regulators, the organization’s customers, shareholders and partners, as well as the public, care little if the training doesn’t prevent hackers from wreaking havoc.
Regulatory compliance is important, but it’s the wrong metric to focus on when implementing a program. Security awareness efforts should be judged on measurable reductions in intrusions, breaches, and damage.
Only when programs become results-oriented do organizations develop a culture of security. They should be specifically designed to build that culture, and help ensure all employees participate, learn, remember, and routinely apply the learned material. The goal isn’t to check a box—it’s to reduce risk.
What to do now?
Looking for a program that will fulfill your organization’s security awareness training requirements, while providing good quality information that will actually reduce risky employee behavior? Arctic Wolf is sponsoring RH-ISAC’s Security Awareness Symposium, October 26! This online event features sessions on commonly encountered threats such as phishing scams and unsafe remote work, plus an interactive afternoon exercise provides participants with a real-world example of the impact of their cyber behavior. Learn more and register now!