Data breaches cost UK organisations an average of £2.9 million per breach.
In 2019, human error accounted for 90% of breaches.
Those facts alone are usually enough to convince people security awareness training is important. Usually.
Only 1 in 9 businesses (11%) provided cyber security training to non-cyber employees in the last year, according to the Department for Digital, Culture, Media & Sport’s recent Cyber Security Skills report.
Where training is given, it is typically mandatory, but in 3 out of 10 cases (30%) in the private sector, it’s not.
It appears that many are yet to be convinced about the benefits of security awareness training.
Why, then, is security awareness training still so important today? Here are 7 reasons.
1. To prevent breaches and attacks
Starting with the most obvious, security awareness training helps prevent breaches.
The precise number of breaches security awareness training prevents is difficult to quantify. In an ideal world, we’d be able to run a controlled trial comparing those who received training and those who didn’t.
This might be a step too far for most organisations. But that doesn’t mean we can’t demonstrate the ROI of security awareness software. It is possible to compare the number of incidents before and after awareness activities. The resulting metrics can be used to glean an indication of ROI.
Data breaches can cost millions. Meanwhile, security awareness training is relatively inexpensive. It doesn’t take much to get serious returns.
2. To build a culture of security
A culture of security has long been seen as the holy grail for chief information security officers (CISOs). Equally, such a culture is seen as notoriously difficult to achieve.
With the aid of security awareness training, some are heading in the right direction.
Creating a culture of security means building security values into the fabric of your business. Training that covers situational awareness (why someone might be at risk), plus work and home-life benefits, is a good way to bring people on board.
Advanced training platforms can help monitor and develop a culture of security, making people your first line of defence.
3. To make technological defences more robust
Technological defences are a valuable weapon in preventing breaches. But technological defences require input from people. Firewalls need to be turned on. Security warnings need to be acknowledged. Software needs to be updated.
Few businesses today would dream of operating without technological defences. And yet, without security awareness training, technological defences cannot fulfil their potential.
Attackers today rarely bother trying to attack businesses through technological means only. Today’s attackers typically target people, as they are seen as an easy way into protected networks.
4. To give your customers confidence
Consumers are increasingly aware of cyberthreats. As customers, they want to feel safe and secure.
A business that takes measures to improve cyber security will be better able to generate consumer trust. And a trusted business is one that customers stay loyal to.
This isn’t conjecture. A recent survey by Arcserve shows that 70% of consumers believe businesses aren’t doing enough to ensure cyber security. Nearly 2 out of every 3 consumers would likely avoid doing business with a business that had experienced a cyberattack in the past year.
Clearly, customers pay attention to security credentials. When you introduce security awareness training, your customers see you as more responsible. That can only be a good thing.
5. For compliance
To be clear, compliance alone is no reason to introduce security awareness training. Those who introduce training solely to comply with regulations risk doing the bare minimum.
Still, more and more regulators are demanding that specific industries implement security awareness training.
“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. […] Cyber security is a shared responsibility, and we take a co-operative approach to address this threat, working with government, other regulators, nationally and internationally on this important issue.”
CybSafe partner, the Financial Conduct Authority (FCA), on cyber resilience.
Compliance can be a happy by-product of security awareness training. Those who introduce it become more secure and, in many industries, meet regulatory requirements.
6. To be socially responsible as a business
As WannaCry and NotPetya demonstrated in 2017, cyberattacks can spread at rapid speeds. The more networks that become infected, the more at-risk other networks become. And one network’s weakness increases the overall threat for others.
The absence of security awareness training in one organisation makes other organisations vulnerable. It’s a little like leaving your house door unlocked – with the keys to next door waiting inside.
Security awareness training doesn’t just benefit you. It benefits your customers, your suppliers and everyone else interlinked with your network.
7. To improve employee wellbeing
It’s well-documented that happy people are productive people. So, it’s worth remembering that security awareness training doesn’t just keep people safe at work. It keeps them safe in their personal life, too.
For the most part, this particular benefit remains unseen. If security awareness training does what it’s supposed to do, it isn’t just an employer benefit. It’s an employee benefit, too.