Insufficient Security Training and the Impact of Doing it Poorly
A business with little to no security posture is as good as a closed-down business.
You may get a false sense of security by having several monitoring tools and the latest security gadgets. However, if you fail to address one of the primary security challenges—'The Human Factor'—then all your investments could be rendered futile.
We’ll look here at the impact of poor security training and how to remedy it.
A good security professional would include regular training and awareness packages for their staff. But is your business doing enough? Are you just ticking a box? Are your policies being a roadblock for staff and are you considering their needs?
Some common factors that often render security training poor are:
• Incomplete and/or inadequate training.
• Not measuring training effectiveness.
• A one-size-fits-all approach.
• Out-of-date material.
• Poor initiative and involvement from the senior management team.
• Over-emphasis on compliance.
CONSEQUENCES OF POOR SECURITY TRAINING:
Inadequate security training can be more detrimental than none at all, resulting in wasted resources. As the saying goes, a little knowledge can be a dangerous thing.
The most obvious consequences of poor security training for a business include financial loss, damage to reputation, and legal implications.
According to IBM’s Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was USD 4.45 million, marking a 15% increase over the past three years.
Often, staff members fail to recognise phishing emails and inadvertently click on malicious links, resulting in data breaches. Since 2020, numerous organisations have fallen victim to phishing attacks, with remote workers being the primary targets. In a 2023 survey, 44% of organisations reported experiencing a data breach due to untrained staff. A 2022 survey shows that 83% of organisations experienced phishing attacks, with the highest click rates coming from remote workers.
Your staff are the first line of defence of your organisation’s security. When left unprepared and lacking in security awareness, they can inadvertently become the weakest link, leaving your organisation exposed to potentially devastating attacks.
This can also risk driving talent away from your organisation, because inadequate security training demonstrates a concerning lack of commitment from management. It jeopardises the protection of sensitive employee data and exposes the organisation to unacceptable risks.
TIPS FOR EFFECTIVELY CONDUCTING TRAINING AND AWARENESS:
There is no single formula for effective security training and awareness programmes. Security professionals must understand their organisation's security culture and identify gaps in training. Ask yourself: does your security training programme work for your people?
Tips and resources are available on the NCSC website, and consultancy services can also be explored (we offer them! See here for more information.)
You can also consider the following tips to cultivate an impactful security training programme:
• Listen to your staff – Listen to what your staff have to say about your security policies; they’re only effective if they’re practical and user-friendly. Security rules that are overly restrictive, cumbersome, or disruptive will likely be bypassed or ignored, and restrictive rules and policies often make way for shadow IT. Get input from staff during the policy creation process and ensure the policies balance security with enabling them to be productive.
• Be transparent and communicate – This is crucial to gaining staff buy-in and compliance. Have open and transparent conversations with your staff about security rules, policies, and the potential risks involved.
• Provide real world examples – Instead of just stating the rules, share real-world examples of security incidents that have occurred in similar organisations due to non-compliance. Concrete examples demonstrate the severe consequences of security lapses and why stringent policies are necessary.
• Conduct regular surveys – Regularly surveying staff and implementing their suggested improvements creates a positive feedback loop. This helps ensure your security programme remains practical, is understood, and has strong buy-in across the organisation.
• Create hands-on activities – The training shouldn't just be presentations and videos. Include interactive activities based on staff roles: for instance, code review exercises in which developers spot vulnerabilities; simulated incident response and system hardening for the SOC and IT teams; and cyber risk analysis and planning discussions for the management team. Hands-on activities reinforce the training in a practical way.
• Invest in comprehensive training programmes – Covering a wide range of relevant topics is crucial for building a strong security-aware culture within the organisation. Key topics include phishing and social engineering, password hygiene, physical security, data protection, and safe browsing.
START BY UNDERSTANDING YOUR RISK:
In today's landscape of increasing cyber threats, security awareness training is an essential investment, not an option. By prioritising continuous and relevant training, organisations empower their workforce to make security a daily priority and avoid the devastating impacts of incidents. Protecting your organisation begins with arming your employees with the knowledge to identify and mitigate risks.
If you’re looking for support in securing your business, drop Sam Sorrell (sam.sorrell@cyro.uk) a line.
Cyro Cyber are your guardians in the long-term, strategic defence and ongoing implementation of cyber security countermeasures, ranging from Governance, Risk and Compliance and Offensive Security Testing to Security Architecture, cyber security services and consulting.
We are with you - from the boardroom to the command line, every step of the way.
________________________________________________________________________________________________________________________________________
Author: Dr Arathy Jose, Information Security Consultant, Cyro Cyber
Cyro's decades of combined experience can help you understand, implement and test the necessary controls to satisfy the regulators, whilst advancing the end goal of protecting your data and avoiding the potential impact of a breach: fines and reputational damage.