
5 Common Pitfalls of Security Awareness Training
Employee negligence. It’s considered the greatest weakness in cybersecurity, and there is plenty of research suggesting as much. Take, for instance, this study conducted by Tessian and Stanford University, which found that 88% of data breach incidents are caused by employee mistakes.
What gives? Why are so many employees making security mistakes?
Here’s where we’re going to flip the script a bit. Can we really say that employee negligence and simple human error are the biggest and most fundamental problems in cybersecurity? Or, when we look a little closer, will we see that these are merely symptoms of a deeper issue – inadequate security awareness training? From phishing attempts to the complexities of social engineering, the current threat landscape is teeming with risks. If someone’s training isn’t up to snuff, can you really blame them for the occasional error in judgment?
Failure in training leads to negligence, which leads to security issues. Any organization looking to shore up its cybersecurity needs to implement training designed to mitigate modern cyber risks in an engaging and meaningful way.
To get a clearer idea of what security awareness training (SAT) should look like, let’s consider some ways it can fail – and how to avoid or correct for each potential shortcoming.
Consistently Lacking
Thought experiment – do you remember what your coworker wore on this day last week?
Probably not – and that’s fine; it’s human nature to forget. A 2020 study by USENIX found that just six months after receiving relevant training, employees already had a hard time spotting phishing emails. If you can’t remember what shirt your coworker wore last week, how can you expect your employees to retain everything about cybersecurity crammed into a one-hour slideshow?
So, how do we remember? If you’ve studied for even a single test or quiz in your life, you’ll know the answer – repetition.
Scheduling monthly security training has proven to significantly impact security awareness, reducing an employee’s susceptibility to phishing attacks by up to 60% within the first 12 months. Every company’s schedule will vary, but sticking to a similar pattern is vital. Luckily, many companies have already taken this to heart, with around 61% choosing to train their employees at least once or twice per month since 2020.
If you’re part of the 39% not training monthly, we urge you to get those training programs in place.
Outdated Information
There’s more to a solid SAT program than just repetition. Keeping on top of cybersecurity means keeping pace with new cyber threats. This is no easy task. When faced with the nefarious ingenuity of cybercriminals, you have to constantly adapt your security methods. What you do to protect yourself today may no longer work tomorrow. Your SAT program must reflect that.
Don’t settle for a simple boilerplate security program. We understand that gaining specialized, in-depth, and up-to-date knowledge of the threat landscape is a herculean task for many small and medium-sized businesses. For this reason, you may consider partnering with a Managed Service Provider (MSP) who can provide you with a robust SAT program that adapts to these ever-changing threats.
One Size (Doesn’t) Fit All
Each employee carries unique risk factors; a receptionist isn’t going to have access to the same information that an accountant does, and an intern won’t have the same authorization as the CEO. Your SAT should reflect this. When people are informed about things unrelated to their position, they’re going to tune out. And if they tune out, they may miss the information pertinent to their role. To address this, a SAT program should be customized for each role, condensing and distilling information to keep things relevant to each employee.
Compliance Reliance
Regulatory compliance is important, to be sure. That said, SAT programs tend to focus exclusively on checking those compliance boxes and getting their employees back to work. Bad idea. Remember, compliance does not equal security! Compliance contributes to security in significant ways, yes, but it’s only a piece of the puzzle. A SAT program designed only to satisfy regulatory compliance will not properly ready employees for the wide array of cyber threats they may face. So, when developing a program for your team, keep this front of mind: the overarching purpose of SAT is nurturing a security-aware work culture. Without a robust culture, all the fancy security tools in the world won’t keep the hackers at bay.
It’s Just Plain Boring
Let’s be honest, most of your team isn’t going to be excited about the prospect of security training – OK, maybe no one will be excited. Most will see the list of modules and think, Ughhh, how long is this going to take? But just because the topic isn’t the most riveting doesn’t mean it needs to be delivered like an outdated textbook. Take a look at the following recommendations to help spice up your training, if only by a little bit.
Provide Engaging Micro-Videos
What sounds more interesting – a slew of slides, or a short video? If you said slides, you’re lying. Micro-videos are a great way to deliver bite-sized modules to your employees. According to a Dresden University study, “microlearning” leads to 20% better retention and 22% faster completion. These shorter runtimes allow employees to easily slot training into their busy schedule while holding their attention.
Push User Interactivity
As great as short videos can be, you can only hold someone’s attention for so long. Interactive, reward-based tasks that employ gamification can provide a much more satisfying learning experience than more passive alternatives. An employee is much more likely to remember information they interact with through these gamified tasks. You could provide a series of fake malicious emails, each one more difficult than the last, or you could provide a public leaderboard that displays each employee’s security awareness score. The options are practically endless, so get creative and make it fun!
Phishing Simulations
Phishing is a massive issue. According to the 2024 Egress Email Security Risk Report, 94% of organizations have experienced phishing attacks. And if you need any more proof, take a look at our breakdown of why phishing is so effective. Providing phishing simulations will prepare employees for the real deal. These simulations have proved extremely useful, with user susceptibility dramatically dropping after repeated phishing simulation tests.
It’s important to provide these simulations with a gentle hand. No one likes being tricked, so make sure your employees don’t feel like the butt of the joke for failing to recognize the phishing email. Phishing can happen to anyone at any time. Simulations should be used to show that, and not to single anyone out.
Your SAT – New & Improved
You can’t expect your employees to internalize everything about cybersecurity after one training course, and you can’t expect an information-crammed video to provide everything your employees will ever need to know about security. Security awareness is an ongoing process that requires consistent, engaging training. Yes, employees can create vulnerabilities, but security-aware employees will create significantly fewer. Take a critical look at your security program and ask yourself the following:
- Does my program cover modern threats?
- Do I provide training regularly (at least once every month)?
- Does my program satisfy the specific needs of my employees?
- Does my program go beyond satisfying compliance requirements?
- Is my program engaging enough to hold my employees’ attention?
If you answered no to any of these, maybe it’s time you looked into strengthening your SAT program and turning any potential employee negligence into rock-solid vigilance.
Get Some Help
Need help crafting your perfect security awareness training program? The 20 MSP has developed and implemented hundreds of security awareness programs for clients of all sizes and industries. We can help transform your employees into a security-aware dream team!
Schedule your call today to learn more.