Many companies provide training sessions on cyber security, but how come employees lack so much engagement? According to the report ‘How security culture impacts employee behaviour’, 85% of people surveyed took part in cyber security training. Nearly two-thirds (64%) of respondents said that they didn’t pay attention and 36% said they were bored. Moreover, 30% of employees didn’t believe that they had a role to play in cyber security while 45% didn’t know how to or who to go to, to report an incident.
In addition, more than half of those surveyed claimed that certain actions they performed weren’t risky. For instance, downloading apps to devices, logging on to public WI-FI, sharing data across accounts, and much more. Despite this, many companies believed that they had a strong security culture. However, Tessian, which conducted the report, explains how leadership has more work to do due to the high number of cyber incidents still occurring. In this article, we’ll be exploring why employees are rejecting security training, and provide solutions on how companies can overcome this.
Why are Cyber security training exercises boring for employees?
The reason why staff aren’t engaging with cyber security training is due to the training materials being poor and not well delivered. Legal and compliance professionals who are responsible for security training programmes, which usually consist of basic PowerPoint presentations, are not usually trained to deliver a well-structured programme. They do not understand how to interact with the rest of the company, and this is down to the fact that there is a disconnect between the IT security team and the wider business.
Scaremongering people with cyber security risks isn’t the best solution
The main source of disconnect is due to leadership poorly executing security exercises, which can, in turn, spread fear and uncertainty. Undoubtedly, this can make many people become disengaged in training sessions. Further to this, security practices are not integrated into their daily work. Approximately 50% of employees surveyed, found that when participating in phishing simulations, it caused a negative experience. For example, a test was carried out at West Midlands Trains where employees were sent an email promising them a bonus. This was a security test but one that went horribly wrong. Employees felt that they had been deceived.
Top guidelines on how to get employees engaged in security training
It is essential for security leaders to be more proactive and consider touchpoints such as onboarding, office changes, and offboarding as a chance to reinforce key security messages. Tessian explains that when onboarding new workers, it is a great opportunity to capture their attention before they get immersed in their day-to-day work. Offboarding procedures must also be carefully executed to ensure that crucial data is not lost when an employee leaves the business.
The report highlights the importance of establishing better communication across the business. Security experts should be mindful of how much training information is shared, who it has come from, from which channels, and how frequently.
To successfully achieve this, here are some great tips that can be helpful:
Improve communication by removing jargon, technical terms, and only provide ‘need to know information’
Tailor your communication approach to specific departments/groups of people. Not everyone has the same level of understanding or challenges
Appoint an individual for everyone to reach out to for support and be the main point of contact
Establish consistency in format and rhythm for security communications e.g., monthly bulletin.
Improve your workforce’s engagement in security training with better communication. Learn more about cyber security practices here.
