Poor training is hindering companies’ ability to protect themselves from cybersecurity risks, according to a report from email security company Tessian.
Three in four companies in the UK and US have experienced a security incident in the last year, said the report, titled How Security Cultures Impact Employee Behavior. Poor cybersecurity awareness programs and internal communications are primarily to blame.
Part of the problem is that employees don’t understand their role in protecting the company. Almost half (45%) of all workers said they didn’t know who to report a security incident to, and 30% didn’t feel they had a role in helping with cybersecurity at all.
Poor training and awareness exercises are a contributing factor. While 85% of employees participate in security awareness programs, almost two-thirds (64%) don’t pay full attention during the training. In addition, over a third (36%) consider the security training boring, the report found.
Security teams, which could play an important role in engaging employees, don’t get enough of a say at the beginning of an employee’s relationship with the company. Just 39% of security leaders say that their security teams play an important part in the employee onboarding process, compared to 48% of respondents overall.
Mismanaged anti-phishing exercises are an issue for half of employees, who said they have had negative experiences with phishing simulations. This hinders the effectiveness of anti-phishing training, with one in four companies reporting that an employee had fallen for a phishing attack in the prior 12 months.
Outside of specific training sessions and exercises, internal communications is another problem for workers, according to the report. Only one in three were satisfied with their IT or security department’s communication.
The canker in cybersecurity culture extends beyond basic awareness to employee loyalty. The report found 45% of IT leaders reporting increases in data exfiltration incidents, citing people who took data when they left the job as a key issue. One in three employees admitted to taking data with them when they quit, Tessian added.
Tessian interviewed 2000 UK and 2000 US employees for the report, along with 500 UK and US IT decision makers.