Cybersecurity training may be broken - report
Cybersecurity training during the pandemic has proven to be insufficient, according to a new survey from TalentLMS.
The survey, conducted by online training platform TalentLMS and vulnerability management firm Kenna Security, found that while 59% of employees received cybersecurity training from their companies in response to the COVID-19 outbreak, having a cybersecurity training programme is not enough.
The report sheds light on the effectiveness of cybersecurity training, and examines employees’ awareness, habits, and knowledge related to staying safe in cyberspace.
The survey found that employees are most knowledgeable in laptop security, while they are unaware of how to secure sensitive data and recognise harmful files.
According to the findings, 59% of employees were trained on cybersecurity as a response to the work-from-home shift caused by COVID-19. However, it found having a cybersecurity training programme in place isn’t enough to ensure cyber safety, with 61% of employees who have received cybersecurity training failing a basic test.
Surprisingly, the highest fail rates were reported in the following two industries: Information services and data (83% of employees failed) and Software (73% of employees failed), according to the study.
Meanwhile, 74% of respondents who answered all seven test questions incorrectly said they feel safe from cybersecurity threats. The survey revealed 33% of employees store their passwords in their browsers, even though that puts network security at risk.
Remote employees also collectively feel less safe from threats (63%) than office employees (51%).
While the survey results show that training has a positive impact on some aspects of employees’ cybersecurity habits, such as protecting their computers and correct password management, these effects are not consistent across all areas. This brings to light some of the “blind spots” of cybersecurity training programmes, which, if left unaddressed, create vulnerabilities that expose employees and their companies to cyber risks and attacks.
"Simply offering a cybersecurity training program does not guarantee a skilled or educated staff," says Victor Kritakis, chief information security officer, TalentLMS.
"Such programmes are usually theoretical, full of technical terms, and, well, boring. Cybersecurity training should be fun, hands-on, and use real-life examples," he says.
"And this is because staying safe and protected in cyberspace is a hands-on, practical skill."
When asked what would make cybersecurity training more engaging, 52% of employees said they would like it to be presented in a simpler and less technical way, while 50% would like it to be more fun and gamified.