Tue | Apr 23, 2019 | 8:05 AM PDT

Training fatigue is a (valid) concern for organizations of all sizes in all industries, but a particular worry for large, publicly-traded companies and those that must deliver compliance-based training tied to regional, national, and/or global regulations.

This and other reasons—for example, tight budgets, limited resources, and the perception that better cybersecurity practices don’t generate revenue—lead organizations to deprioritize security awareness training, relegating it to a “nice to have” rather than a “need to have” status.

It’s here that many organizations make a critical misstep. Digital data is woven so tightly into the fabric of business processes and procedures—in all roles and all departments—that cybersecurity skills can’t afford to be minimized.

And whether you’ve been personally downplaying the need for organization-wide cyber hygiene or you’re fighting to change decision makers’ hearts and minds, here are three reasons you should work to reframe the conversation around security awareness training.

#1: Attackers are focusing on people… but many orgs aren't

The 2019 State of the Phish Report and other pieces of Proofpoint research clearly illustrate cyber criminals’ increased focus on human targets and the use of crafty social engineering techniques to gain access to data, devices, and systems. Attackers search up and down org charts to find inroads—it’s not just about VIPs. Lower-level workers can be targeted as frequently as (or even more frequently than) C-suite executives.

Every worker in your organization could be a weak link or a strong one. But like physical prowess, cybersecurity strength cannot be developed with irregular practice and intermittent attention to skill development. Sporadic simulated phishing attacks and infrequent training will not allow your end users to improve (or allow you to reduce end-user-driven risk). You must give employees the opportunity to learn over time and build the skills that are needed to better protect devices and data. 

#2: End-users are inextricably linked to InfoSec and IT

InfoSec and IT teams are tasked with ensuring that digital devices, processes, and procedures run as smoothly and efficiently as possible. Even when successful phishing attacks, malware infections, and data breaches result from end-user mistakes, InfoSec and IT teams are left to answer why (and clean up the mess).

Though this can breed frustration (on both sides), the reality is that end-users and security professionals have a symbiotic relationship—and that relationship is undermined by an “us vs. them” mindset. A greater commitment to security awareness training can improve things for all parties. End-users who are more knowledgeable are more careful, and they create fewer incidents for security teams to identify and remediate.

#3: People appreciate portable skills 

End-users can be one of the obstacles to success when it comes to security awareness training. But in these cases, lack of communication is frequently at the root of the issue.

End-users should be regarded as stakeholders in cybersecurity education programs—something that many organizations miss (to their peril). Employees who feel they know what is being asked of them—and why—tend to be more invested in learning new skills. In addition, it’s to your benefit to remind end-users that cybersecurity skills are portable; they can be used at home (to improve security of personal devices and data) and shared with friends and family (something many are eager to do).

Don’t underestimate employees’ desire to learn new skills that are personally relevant and useful. Email, online banking, text messaging, and social media are but a handful of the ways individuals communicate and share data on a daily (if not hourly) basis. As such, cybersecurity skills can be frequently put to good use at work and at home. 

Developing an ongoing, comprehensive security awareness training program is essential to establishing boundaries, instilling good habits, and helping users understand the reasoning behind your policies.

To learn how to make the case for your training program to management and end-users, register for the April 24th SecureWorld web conference, From Skeptics to Champions: Selling the Value of Security Awareness Training Throughout Your Organization.
