Are We Ready to Give Up on Security Awareness Training?

Some of you have already started budgeting for 2024 and allocating funds to security areas within your organization. It is safe to say that employee security awareness training is one of the expenditure items, too. However, its effectiveness is an open question with people still engaging in insecure behaviors at the workplace. Besides, social engineering remains one of the most prevalent attacks, followed by a successful data breach. Microsoft found that a popular form of video-based training reduces phish-clicking behavior by about 3%, at best. This number has been stable over the years, says Microsoft, while phishing attacks are increasing yearly.

Regardless, organizations have faith in training and tend to increase their security investments in employee training after attacks. It comes second in the priority list for 51% of organizations, right after incident response planning and testing, according to the IBM Security “Cost of the Data Breach Report 2023”.

So, what about security awareness training keeps us from giving up on it? We looked at surveys, talked to IT security engineers, and discussed training content with the creators of a new cybersecurity course.

People want to learn, but they don’t have time

Low efficiency of training can no longer be justified by the lack of interest from employees. A staggering 64% of those surveyed by CybSafe research asked for allocated time to fit security awareness sessions into their working schedule. On top of it, 43% of employees found engagement and interactivity to be more compelling stimuli than financial rewards, expressing a need for dynamic and practical experiences. As CybSafe puts it, “This points to a workforce that values the integration of training into their routine over extrinsic rewards.”

Time is the most crucial resource that comes in the way of cybersecurity learning. Employees are often expected to meet delivery terms in short periods of time. In a fast-paced work environment, skipping long training and completing daily tasks to meet KPI is simply easier.

But there are cybersecurity professionals who are set to adapt to the current way of work and short attention span. Cybersecuritoons is a cybersecurity course designed to provide security fundamentals in just 1 minute and 30 seconds. Instead of usual lengthy videos and presentations, Cybersecuritoons covers four major topics in 4 short cartoons: passwords, phishing, remote work, and malware. Overall, the whole course takes 6 minutes.

The creators of Cybersecuritoons are a team of experts at Moonlock, a cybersecurity division at a software development company – MacPaw. “The mission of Moonlock is to make cybersecurity accessible to everyone,” says Oleg Stukalenko, Lead Product Manager at Moonlock. “First, we integrated our own antimalware tech, Moonlock Engine, into one of the most popular macOS cleaners on the App Store – CleanMyMac X. It has one big button that solves all system problems, including the removal of malware. Now, we launch a fun and short cybersecurity course available to anyone on YouTube.”

Moonlock is hitting the nail by choosing short-form content. Content creators can’t count on undivided attention from people anymore, and this, too, applies to cybersecurity content. With busy work schedules, bite-sized training followed by relevant practice and interactive sessions is a preferable and more effective way to brush up on cybersecurity knowledge.

Human solution for human errors

Stress, pressure to meet deadlines, and burnout are why humans make mistakes and engage with social engineering hacks. When Tessian surveyed workers for the “Psychology of Human Error” report, 50% of respondents said they were under pressure because of the lack of time when they sent the wrong email to the wrong person or with the wrong attachment.

Security departments might install the most advanced tech in several lines of defense, but only one click made by a human can make all tools and firewalls redundant. In any of its shapes, awareness training is a gentle reminder of a daily routine that might save our organizations from millions of dollars in financial and reputational loss. IBM Security says there was a difference of USD 1.5 million, or 33.9%, in data breach cost between companies with high and low adoption of security awareness training in the workplace.

The reality is that we must teach employees to be better gatekeepers of corporate security tech. Together we have the tools to create the human dimension of resilience against cyberattacks and directly impact the formation of security-by-design processes within our organizations. Statistics mercilessly show that most attacks can be thwarted by adhering to minimum security practices. That’s why we’ll see more content like Cybersecuritoons in the nearest future: short, designed for different levels of security expertise, and accessible. In fact, the market of cybersecurity training is expected to reach $10 billion by 2026. That’s a long way from around $1 billion in annual revenue in 2014.

How feedback transforms awareness training

As with any human-centric approach, building a human firewall should consider the fact that humans are different. This puts security teams in a position to review their strategy for security awareness training continuously. They shift the perspective from formal education to equipping their colleagues with tools to help security professionals in case of a cyberattack.

At MacPaw, a software development company and home to Moonlock and Cybersecuritoons, there’s a strong belief that the organization’s security lies with the entire team. Artem Bovtiukh, MacPaw’s IT Security Engineer, says that even though the primary goal of the regular awareness training is to remind the fundamentals of security hygiene, the most important is to cultivate a feedback security culture in the company. “The efficiency of training is seen through our internal audits. But the most valuable outcome is how our colleagues pay attention to suspicious events and report them to us”, says Artem.

Feedback also helps the security team shape the delivery of training. Artem points out that everyone can come to them with questions, suspicions, and opinions about day-to-day cybersecurity matters. All of them will be considered during the content composition at the following employee training. “Our experience shows that the best incentive to complete security sessions doesn’t rest with the time of completion or the mere fact of completion,” shares Anastasia Hutorova, Learning and Development Specialist at MacPaw. “We are transparent about training goals, the impacts of it, how it aligns with business goals or/and the company’s OKRs, and what role it plays in the professional development of our colleagues.”

MacPaw encourages all teams to take days off to go through security awareness materials. According to the policy, there are dedicated days for education that all team members can use to focus on getting new knowledge, cybersecurity knowledge included. Circling back to the lack of time as the primary reason employees skip training or indulge in insecure behaviors at work, the idea of allocating dedicated time sounds more than reasonable.