Cybersecurity and compliance training programs are now big business. According to Cybersecurity Ventures, the security awareness training market is expected to reach $5.6 billion in 2023 and exceed $10 billion in the next four years. This market boom is not surprising. Cyber threats are widespread, and large-scale attacks continue to make headlines, most recently in the UK, hitting the British Library and disrupting the functioning of libraries. All of this proves that all organizations, regardless of their size, are at risk of a breach.
Social engineering techniques, where attackers target people with access to a system (rather than the system itself) and manipulate them into handing over control, were the most popular malicious tactics in 2023. Therefore, companies are right to recognize that people are a key vulnerability.
Most organizations require annual cybersecurity awareness training, scheduled regularly to improve the cyber awareness skills of all employees in all departments so that they can spot threats and respond appropriately before they become major problems. In the face of rapidly evolving security threats, this training is often outdated, and it can take months or even years before people are able to recognize the tactics used.
Netskope, EMEA Chief Information Security Officer.
Should training be conducted earlier than usual?
Ask any security leader, and they'll have to admit that employees find annual cybersecurity training time-consuming and uninspiring. Because it is often seen as a distraction, employees click through, skim, or watch videos at double speed to reach the certificate of completion and check the box, pursuing every shortcut they can find to stay employed.
Additionally, the interactivity of each annual training course is often limited, making it difficult to capture and maintain employee attention. Without active engagement, retention rates plummet, and many training plans lack any way of connecting employees to real-world scenarios that may occur in their particular job.
Even among the outliers who find annual training fascinating and insightful, there is still little evidence that it truly educates individuals and leads to positive behavioral changes. As a result, these courses are little more than compliance checkboxes rather than active measures to build a culture of vigilance and protect against threats. Ultimately, this is not an efficient use of either time or resources, and cyberattacks continue their steady momentum.
It's also worth noting that malicious actors structure their campaigns in ways that cause even the most trained employees to forget common cybersecurity logic. This includes preying on emotional rather than logical behavior and using a sense of urgency to specifically steer the victim away from a logical and disciplined approach.
So what can we do beyond education? Organizations everywhere need behavioral interventions to help get people back to thinking logically before taking big cyber risks.
A small step towards strengthening cyber hygiene
Small, regular, person-centered interventions are the ideal method for effective long-term behavior change. One example is nudge theory, a set of general principles intended to guide human behavior in a more desirable direction. It is a well-established concept that has been very successful in the past, guiding people towards healthier food choices and greener behaviors, and it requires only minor changes at key moments of decision-making to move past (often automatic) behaviors. So it seems like a no-brainer to apply this to the world of cybersecurity.
Just as a radar speed sign indicates your current speed and gives you time to think and adapt your actions, a signal can let you know when you are about to engage in risky cyber behavior and remind you that you need to slow down and think.
This human-centered prevention route can be very effective, and this tool should be more widely known and made available to businesses. For example, real-time user coaching leverages AI detection to instantly flag high-risk behaviors for individuals and suggest alternative actions to employees.
This is especially important in the era of generative AI, where third-party AI tools have become freely available to many enterprises and platforms such as ChatGPT and Google Bard are seen as go-to assistants for many administrative tasks. The risk here is that many employees are uploading sensitive data (from source code to personal information) to these platforms, significantly increasing the risk of data loss.
In most cases, employees accessing these services are unaware of the risks and are trying to be more productive using tools they are familiar with or have stumbled across. Rather than thwarting this activity completely and opening the door for disgruntled employees to work hard to circumvent the policy, just-in-time employee coaching, which can be tailored to the company's culture and tone, provides an opportunity to account for risks at the moment they occur and recommend a safer way to achieve the same result.
Continuing education
This form of continuing education and reinforcement can provide employees with what is missing from annual training: an opportunity to put information into context and prevent it from quickly fading in memory. Additionally, the practical application of consistent reminders in employees' daily work is an essential component of fully understanding and practicing better cyber hygiene.
By coaching employees to become better cyber citizens and make safer decisions in real time, companies can prevent cyber incidents the moment they occur and incorporate impactful, real-time learning opportunities into employees' daily work.
Rather than viewing humans as the weak link in your security posture, you should approach them as the last line of defense between your business and the cyber threat environment. It's important to recognize that and train people in the most effective and empowering way.
This article is produced as part of TechRadarPro's Expert Insights channel, featuring some of the brightest minds in technology today. The views expressed here are those of the author and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro