One of the several steps a new employee takes in the onboarding process often includes reading the cybersecurity tutorial. Along with checking off that they have read the employee handbook and chosen a health plan, knowing the differences between phishing and Trojan horse attacks can often feel like an unnecessary roadblock for new employees starting their first day of “real” work.
But there are real-world consequences to ignoring this important tutorial. For instance, according to a survey conducted by training solution provider Epignosis and vulnerability management company Kenna Security, 61% of employees who received cybersecurity training still failed a basic cybersecurity test.
What does this mean for HR leaders?
Cybersecurity is a responsibility shared by both the IT and HR departments, says Fred Bellamy, a member of Dickinson Wright, a law firm that specializes in cybersecurity and risk issues.
“Cybersecurity is only as strong as the organization’s weakest link, so if many employees don’t understand even their most basic training, then the organization is vulnerable to the operational, reputational and legal risks from a cyber attack,” he says. “Investing a lot of resources in technological defenses can be defeated by human error among poorly trained employees.”
After a data breach, government investigators will frequently request the organization’s training materials, and if they’re inadequate, that can hurt the company in defending its cybersecurity practices, according to Bellamy.
“People are interested in protecting their organizations—and themselves and their families in their personal lives—so choose training programs that people will pay attention to and learn from,” he says. He adds that real-life stories of data breaches, gamified quizzes and other techniques can make sessions more engaging for employees.
There are a few reasons why cybersecurity training is usually far from exciting. The first is that employees often don’t see how cybersecurity training relates to their direct responsibilities, says Christina Gialleli, director of people operations at Epignosis.
“Other reasons that employees are turned off by cybersecurity training are they believe they already know everything there is to know about it, and cybersecurity training materials often include overly complicated, technical language that is difficult for employees to digest and retain,” she says, adding that Epignosis survey respondents suggested creating tutorials with simpler, less technical language, and adding fun, game-like elements and interactivity.
The survey of 1,200 employees also found that 59% of employees were trained on cybersecurity as a response to the work-from-home shift caused by COVID-19. Of the 61% who failed the basic test, the highest fail rates were reported in industries that should presumably know better: information services and data (83% of employees failed) and software (73% of employees failed). A full one-third of employees surveyed store their passwords in their web browsers, even though this practice puts network security at risk.
Meanwhile, as the shift to remote work continues, HR leaders should be cognizant that remote employees collectively feel less safe from threats (63%) than office employees (51%).
The way HR leaders present cybersecurity training can have a big impact on whether employees believe the training is ultimately worth their time and investment, says Gialleli.
“Employees want to feel like they are truly benefitting from training courses and not just completing them to check off a box,” she says. “But it’s equally important to make employees understand why cybersecurity is important and that, within the organization, they are the first line of defense against attacks.”