Cyber security efforts have long been focused on the technology element, but companies are missing out if they fail to focus on the human factor as well. That’s because, as threat actors continue to grow in sophistication, they still rely on humans to fall victim to their schemes, especially in the ongoing remote-work environment.1
Unfortunately, existing cyber security training programs are typically check-the-box exercises that fail to meaningfully engage employees — resulting in a lack of awareness and education when it comes to cyber security vulnerabilities and individuals’ roles in their company’s cyber security defenses. In today’s remote work environment, the cyber security imperative is more important and multifaceted than ever, and educating and engaging employees is critical.
Learn more through these insights on best practices, which will help information security and information technology leaders address the human factors in cyber security and ultimately create more effective cyber training and awareness programs:
Q: What are the gaps in companies’ employee cyber security awareness, training and education programs?
A: For many companies, it depends on where they are on the cyber security continuum and also in their cyber journey. Companies that are earlier on in the process are often focused more on the tech and IT side, which are foundational building blocks of a successful cyber security strategy. But across the board, companies should invest more in the human element. Organizations with comprehensive cyber education programs do that, because when you look at cyber incidents, breaches, network compromises, malicious insiders or former employees, there’s one common denominator — it’s humans. And several lines of defense are managed and maintained by humans. Yet the focus with many companies is often on the tech and infrastructure.
The challenge too is that existing trainings and education approaches are not always effective. Consider that employees are busy, focused on their day-to-day work, and inundated with trainings from various parts of the organization. Trainings should be more effective, and companies should also do more to influence behaviors and mindsets. It is not enough to tell people what to do; the concepts and behaviors, and the “why,” should be more deeply embedded in this work.