In 2018 data breaches cost UK organisations an average of £6.4 million.
Human error, meanwhile, accounted for anywhere between 60% and 90% of those breaches.
Those facts alone are usually enough to convince people security awareness training is important.
Perhaps surprisingly, a recent CybSafe survey found that around 31% of businesses are without security awareness training whatsoever. A recent UK government survey, meanwhile, found UK businesses introduced fewer new security awareness training measures than they did in 2017.
“Businesses are less likely to have implemented extra staff awareness or training measures than in the 2017 survey (18% versus 28%), despite human error or staff awareness continuing to be among the most common factors contributing to the most disruptive breach.” Department for Digital, Culture, Media & Sport Cyber Security Breaches Survey 2018
So while security professionals might already understand the benefits of security awareness training, others, it seems, are yet to be convinced.
Why, then, is security awareness training still so important today? Here are 7 reasons.
1. To prevent breaches and attacks
Starting with the most obvious, security awareness training helps prevent breaches.
The precise number of breaches security awareness training prevents is difficult to quantify. In an ideal world, we’d be able to run a controlled trial in which the exact same people working for the exact same company were divided into two groups: a control and a test group. The latter would be given training, the former would not. The two could then be compared.
Such a situation is an impossibility – but that doesn’t mean advanced security awareness training providers are unable to demonstrate the ROI of security awareness software. Although an imperfect measure, it’s possible to measure the incidence and prevalence of breaches pre- and post-awareness campaigns and use the resulting metrics to glean an indication of ROI. The metric might not be ideal, but considering the average costs of a data breach now run into the multi-millions, and considering security awareness training is relatively inexpensive, it certainly doesn’t take much for serious returns.
2. To influence company culture
A culture of security has long been seen as the holy grail for chief information security officers (CISOs). Equally, such a culture is seen as notoriously difficult to achieve.
With the aid of security awareness training, some are heading in the right direction.
At least some of today’s security awareness training platforms acknowledge the value of a secure culture – and attempt to measure it from the outset. The same metrics are then monitored as time goes on.
By keeping an eye on indicators of culture, advanced security awareness training platforms can actually help security professionals monitor, nurture and develop a culture of security – making their people a proactive defence.
3. To make technological defences more robust
Technological defences are, clearly, a valuable weapon in preventing breaches. But technological defences require input from people. Firewalls need to be turned on. Security warnings need to be acknowledged. Software needs to be updated.
Few businesses today would dream of operating without technological defences. And yet, without security awareness training, technological defences are not used to their full potential.
To make matters worse, attackers today rarely bother attempting to penetrate businesses through purely technological means. Today’s attackers typically prefer to target people, who are often seen as an easy way in to protected networks.
4. To win more customers
Security awareness training helps people win more high-profile contracts.
This isn’t conjecture. During CybSafe’s recent survey of 250 IT decision makers, more than half said a business customer had made cyber security precautions part of either an existing contract or part of the RFP process in order to win the contract. More than two thirds said at least one customer had required the achievement of a recognised cyber security standard.
While security awareness training might seem unimportant to some, it’s often far from unimportant to some business customers.
5. For compliance
To be clear, compliance alone is no reason to introduce security awareness training. As we’ve highlighted before, those who introduce training solely to comply with regulations are probably heading for trouble.
But more and more regulators are demanding specific industries implement security awareness training.
“Over the next year, we will strengthen our supervisory assessments of the highest impact firms to better understand their current and planned use of technology, resilience to cyber-attacks and staff expertise. We will also review how governance, strategy, systems architecture, risk management and culture contribute to firms’ data security.”
CybSafe partner, the Financial Conduct Authority, on shaping future policies
Compliance can be a happy offshoot of security awareness training. Those who introduce it become more secure and, in many industries, meet a regulatory requirement.
6. To behave in a socially responsible manner
As WannaCry and NotPetya have recently demonstrated, cyber attacks spread at unprecedented speeds. The more networks that become infected, the more at-risk other networks become.
Equally, thanks to connected networks, a decrease in individual network security increases the overall threat landscape for others.
The absence of security awareness training in one organisation makes other organisations vulnerable. It’s a little like leaving your house door unlocked – with the keys to next door waiting inside.
Security awareness training doesn’t just benefit you. It benefits your customers, your suppliers and everyone else interlinked with your network.
7. For employee wellbeing
It’s well-documented that happy people are productive people – hence employee welfare schemes, company away days and a large part of any given HR department’s focus. So it’s worth remembering: security awareness training doesn’t just keep people safe at work. It keeps them safe in their personal life, too.
For the most part, this particular benefit remains unseen. If security awareness training does what it’s supposed to do, it isn’t just an employer benefit. It’s an employee benefit, too.