Does Security Awareness Training Even Work?

With countless hours spent on crafting and delivering mind-numbing PowerPoint presentations, you’d be forgiven for asking the question: “Does security awareness training even work?”

Cyber attacks have become so commonplace that any organisation, no matter what size or sector, is likely to be hit at some point in time. Some organisations might use this as an excuse not to invest time and money in cyber security. But the fact is, it’s more than possible to reduce the risk of a cyber attack in an affordable and efficient way, rather than waiting until it’s too late.

“Security awareness training just doesn’t work!”

When looking at any type of training at work, many people picture full days in a classroom looking at outdated slides with little or no relevance to their actual role. Then there’s often a test at the end of the session where the participants can just discuss the answers with each other, so no actual independent learning takes place. This is exactly the same in the case of security awareness.

One of the most common reasons people feel that security awareness training does not work is that it can be provided as a ‘one size fits all’ solution, and is never really tailored to the individual company or the exact training that it requires.

Benefits of security awareness training?

In most organisations, whether it be unintentional or malicious, employees pose the biggest security risk. Security awareness training which educates employees on both home and business best practices is the most effective way to make these policies second nature. This shows that even a substantial investment in intrusion detection becomes worthless if a third of your workforce is clicking on easily recognisable phishing emails.

Security awareness training enables companies to increase specific awareness of threats such as phishing, and offers an insight into whether employees are as informed as they once thought they were. As 91% of all cyber attacks stem from a phishing attack, user-focused security awareness training is pivotal.

One of the biggest reasons security awareness training is so important is that companies can gain actual data to understand whether the training has worked or not. Generally speaking, the security team often only learns that training has not worked when an avoidable human-caused attack has already taken place.

Finally, this shows that the need for security awareness training is huge: as cyber attacks advance, these issues no longer sit only at the door of the IT department but concern everyone in the organisation. The original opinion is that a sophisticated security awareness program can prevent 90-95 percent of attacks.

A 90 percent-plus reduction in loss will always be a good ROI for security, especially when the cost of the typical security awareness programme is minimal. More information can be found on the usecure website.