As the attack surface expands and cyber threats continue to evolve, most organizations make security awareness training a key part of their cybersecurity programs. Especially now with growing evidence that social engineering tactics reap big rewards for bad actors and cataclysmic outcomes for enterprises of every size. To wit, Verizon's 2021 Data Breach Investigations Report notes that 85 percent of all data breaches involve some form of human interaction.
However, implementing a security awareness program is one thing; ensuring its effectiveness is another. Despite your organization's best intentions, you may fall into the common traps that doom many businesses and let all your efforts go for naught. So, avoid the five following pitfalls, which are tried-and-true recipe for sabotaging security efforts in even the best firms:
1. Infrequent Training
Employees retain knowledge for only so long. Without frequent re-engagement they'll forget what they learn and remain your company's biggest vulnerability to cyber-attacks despite the awareness training you've initiated.
The German psychologist and researcher Herman Ebbinghaus developed the Forgetting Curve, which determined that people forget 80 percent of new learning within four weeks unless they are frequently reengaged. With that in mind, it should come as a shock that a recent study my company commissioned revealed only 8 percent of security decision-makers surveyed said their organizations conduct training more than once a month. As a result, nine out of 10 companies are more susceptible to the exploits of bad actors than they should be.
2. A Drink-From-the Firehose Approach
Remember, your employees are undertaking an essential course in keeping your organization protected. However, if they are bombarded with more content than legal clerks receive for a Supreme Court case, they'll succumb to "information overload" and won't be able to retain much, if any, of the lessons they learn.
This type of approach to security awareness inevitably leads to employee selectivity insofar as where they direct their undivided attention. When a threat crosses the digital transom and lands in their inbox, will they respond appropriately? Well, because they weren't always attentive during the security awareness training, the odds might not be in your favor.
3. Shaming Learners
In cybersecurity, the adage "people are your weakest link" has a ring of truth, but it's through no fault of their own. When companies shame rather than teach their employees, they are basically plotting for their awareness program to fail rather than succeed.
Don't make your employees scapegoats for failure. They'll become reluctant to ask questions and may hide something they did that could compromise the company for fear of the repercussions.
Anyone who is good at their job can learn how to improve their cyber hygiene and learn how to spot and respond to social engineering attacks. Blaming or shaming employees for not learning quickly and sufficiently enough avoids the reality: Due to a lack of awareness about how to teach security awareness, the training regimen isn't up to par.
4. A Culture of Distrust
Many security awareness training programs begin down the proper path but go astray for a pair of reasons: They change the rules as they go along, or they change the cadence of their lessons. A frequent--and perhaps surprising--problem is that many awareness programs proceed along just fine, but program managers and administrators can't help but tinker with it.
Often, they decide to veer away from what's succeeding from a training perspective and "trick" employee learners. Their tricks may involve training quizzes and other tests, but they most often rear their head during phishing simulations, as new tools enable administrators to outwit even the savviest readers of email. Such chicanery, of course, only backfires and makes employees skeptical of the entire program itself.
Another means of distrust occurs when security awareness training sessions are delivered on a haphazard schedule. If the time between lessons varies from a few weeks to several months with a total lack of consistency, employees will again lose faith in the program and their participation will wane.
5. Simply Checking a Box
While companies understand that security awareness programs are becoming essential to combat evolving threats, they don't necessarily understand how critical their choice becomes in deciding which program to implement and figure any will do. If they're lucky, this creates a "false sense of cybersecurity," but many times they discover its ineffectiveness through several unfortunate incidents or ongoing headaches in managing it and getting employees to buy-in and participate.
A program's content must be timely and engaging. And the program itself must be relatively easy for the organization to manage and customize--or be provided as a fully managed solution, so the company's stakeholders can review and gauge employee participation and performance without worrying whether they're being taught correctly and without having to deal with technical aspects of managing the program just to get it to work.
Build a Culture of Security
Consider the five death knells of a security awareness program mentioned here before implementing your own program. Just remember: Security awareness training is absolutely necessary in navigating today's threat environment minefield. And the right security awareness solution will keep your employees ready to defend your organization at all times, while building a culture of security across every team and every department.