So what are the driving factors that make cybersecurity training so important?
Firstly, cybersecurity awareness helps to protect your remote workers. According to a Gartner survey, 90% of HR leaders indicated that they now completely trust employees to work from home. How do you protect them from an ever-increasing number of cyber-attacks? Yes, you can implement technologies that secure their connectivity – like VPNs – protect their local perimeter and the “service edge” – like secure web gateways – and secure access to key applications and digital assets – like two-factor authentication. You can design ad-hoc cybersecurity policies for remote workers – like “no printing at home” or “always use your VPN.” And still, cybersecurity education and awareness are hard to beat. People may find expedient ways to evade security controls, or ignore company cybersecurity policy and compliance requirements, in order to be more productive, so they need to be aware of the risks they create for their organization when they bypass an information security policy or cybersecurity control.
Secondly, influencing cybersecurity behaviors can bear a phenomenal return on investment. Cybersecurity training is an essential means of creating a culture of cybersecurity – defined by Huang and Pearlson as the “beliefs, values, and attitudes that drive employee behaviors to protect and defend the organization from cyber-attacks.” Changing basic beliefs at the leadership, group, and individual level can lead to tangible results – as reported by Verizon – like an improvement in cyber threat susceptibility, a positive response to cyberattack simulations, and an increased number of phishing reports. So positive cyber awareness training can lead people from any department to engage proactively and change their cybersecurity actions (e.g., use a password manager), their habits (repeatable actions), and ultimately, their cybersecurity behaviors (a combination of actions and habits).
Finally, data is everywhere, and it can take oodles of different forms in today’s world. People are constantly producing, sharing, and distributing data. Sensitive information is continually manipulated, reformatted, or modified. Inevitably, users constantly create new data exfiltration channels. Data security teams can work hard and take a structured approach to chasing after data – the classic multi-stage method of searching and labeling data, running data classification software, and implementing data loss protection technologies and controls. But 80 to 90 percent of data generated by organizations is unstructured (images, videos, audio files, emails, messages on chats, screenshots, presentations – you name it), and ultimately, people are the biggest variable in data security. A sound security awareness and cyber education program can lead employees to make security-conscious choices, guide user actions, and educate people to make the right decisions when interacting with critical data.