Training

Awareness survey

by Mark Rowe

Cyber security awareness learning provided by most UK businesses is not ‘fit for purpose’ and is limiting employees’ ability to understand what good cyber behaviours look like. That’s according to research from standards body AXELOS.

The approach also does little to create, embed and sustain the behaviour change required in organisations to respond better to cyber attacks. While 82 per cent of organisations are using traditional, computer-based training and e-learning, less than a third are deploying some of the latest learning techniques that offer more immersive and engaging learning for staff.

The research commissioned by AXELOS and done by Ipsos MORI shows that three information security learning methods dominate more than half of UK workplaces: computer-based training/e-learning, face-to-face and video instruction. Fewer than half (46 per cent) of executives responsible for information security training in UK organisations with more than 500 employees provide information security awareness training beyond new staff induction or annual, e-learning refresher courses.

Nick Wilding, head of cyber resilience best practice at AXELOS, said: ‘Organisations are still trusting in their annual, cyber awareness e-learning. To expect this approach to influence resilient behaviours is unrealistic. Typically, this one-off course – required once, designed once, delivered once and completed once – is also forgotten at once.

‘It risks leaving staff ill-prepared and unaware of the practical things they can do more effectively to manage the daily risks they face. We need a new approach: just as technical controls will evolve and adapt in response to changing threats and vulnerabilities so we need to ensure all our people receive practical and engaging advice and refresher learning on a regular basis throughout the year.’

Wilding said that despite the almost universal belief (99 per cent) among senior managers that information security awareness training is important to minimising cyber security breaches, less than half that number (47 per cent) are tailoring the learning to the jobs their people do. This is despite nearly two-thirds (63 per cent) highlighting the importance of cyber security in minimising human error in their organisation.

He added: ‘One size simply doesn’t fit all in this critical area of staff development and neither does it support an organisation’s investment in protecting its corporate reputation and competitive advantage.’

The research also asked executives to identify what they thought were the greatest sources of risk for an information security breach. They said:

49 per cent: intentional attack by external hackers, criminals, terrorists or activists
45 per cent: unintentional error by employees or contractors
40 per cent: intentional attacks by employees or contractors
17 per cent: third party suppliers or joint venture partners as a route exploited by cyber criminals.

Nick Wilding said: ‘Organisations are underestimating the human factor risk, the vast majority of which relates to the honest and unwitting actions of an individual rather than malicious attack. An organisation’s people represent the greatest defence against cyber-crime but all too often they are its greatest vulnerability. And yet, as the latest insight from PwC’s The Global State of Information Security Survey 2016 shows, fewer than a quarter (23.69 per cent) of CISOs, CSOs or other senior information security executives are advocates for employee security training and awareness programmes.’

AXELOS has produced a downloadable guide: https://www.axelos.com/Corporate/media/Files/cyber-awareness.pdf.

Comment

Rohyt Belani, CEO and co-founder of PhishMe, said: “The breaches and malware infections experienced by organisations on an alarming scale are testament that organisations are failing to harness the power of their strongest defence – employees. While AXELOS’ study highlights a key problem with the current approach, training alone is not the answer. Standard online training modules can actually disengage employees from the issue you’re trying to resolve because they are typically boring and out of context, allowing employees to ignore or quickly click through without engaging with the security content being offered. Great for checking a compliance requirement, but completely ineffective in changing behaviour.

“Instead, companies need to condition their staff’s behaviour and engage and empower them to be part of the solution. Immersive programs are key to providing instant learning opportunities and real-world examples provide the needed experience around threats to avoid. Getting a human eye on the frontline of an organisation’s overall security strategy provides the highest fidelity intelligence possible – after all modern scams are devised by people, so it takes problem-solving brains like those of the workforce to spot them.

“With a behavioural conditioning program, organisations can check staff’s awareness by simulating attacks, congratulating success and providing follow-up materials for those found vulnerable. This reinforcement, provided at the point of susceptibility, will be far more memorable than a click-through training session or booklet received out of context. Conditioning employees to act as human sensors will greatly reduce the organisation’s attack surface.”

About the research

The research was carried out by Ipsos MORI on behalf of AXELOS using an online panel of business executives who have agreed to take part in research surveys. Fieldwork was conducted between January 5 and 14, 2016 with 100 business executives with responsibility for information security awareness training. Participants work in organisations with 500-plus employees.



© 2024 Professional Security Magazine. All rights reserved.