Anybody who has spent more than five minutes in cyber security has heard fairly regularly that there is a skill shortage. Online searches for ‘cybersecurity training for employees’ have risen 114% over the past four years. To take this one step further, additional data revealed that searches for ‘cybersecurity awareness training’ increased by 66% in the same period.
Surely, this is a good thing that companies are proactive in securing their organisations? Unfortunately, we’re not so sure.
Due to the ongoing skills shortage, many companies cannot fill the critical roles of security awareness professionals or CISOs. Other C-suite members are making security decisions with no relevant experience.
Research from the World Economic Forum revealed that 59% of cyber leaders said they would find it challenging to respond to a cybersecurity incident due to the skills shortage within their team. With the cybersecurity skills gap, organisations will remain at risk in protecting their infrastructures.
A report by the UK government found that 51% of all private sector businesses have a basic technical cyber security skills gap. That is 697,000 businesses in the UK exposing themselves to risk.
These continuous searches for cyber security awareness training and leaders not knowing the basic skills to survive suggests that employers look to their entire workforce to pick up the slack to reduce the likelihood of attacks.
However, this is no small feat to rely on your entire workforce to defend your organisation with just awareness training. A study by Interisle analysed over 3 million phishing reports representing over 1.1 million phishing attacks. They found that phishing attacks have increased by 61% from May 2021 through April 2022.
Trusted reports on phishing email stats show us that over 3.4 billion phishing emails are sent daily. That is one email per person for nearly half the entire world’s population, and we are only talking about phishing emails which is just one attack method of many. Regardless of your company size, it only takes one employee to fall victim to a phishing attack to jeopardise your entire organisation.
IBM’s recent cost of a data breach report revealed that the global average total cost of a data breach increased to $4.35 million USD in 2022, an increase of 2.6% from 2021.
We’re not trying to be all doom and gloom. It’s just that when we see the word awareness sandwiched between cyber security and training, it makes us squirm uncomfortably. Awareness means “knowledge and understanding that something is happening or exists, promoting a heightened awareness of the problem”. Understanding that a problem exists is not solving the problem; it is just acknowledging that it’s there.
With October being the famed “Cyber Security Awareness Month”, we want to put our vote in to have the term “awareness” retired as it is not doing organisations any good. Ensuring that businesses have a security culture that fosters an environment where people prevent breaches is the only way to make a dent in the risks posed by the skill shortage.
The most realistic way of doing this is through behaviour changes with accurate, actionable data. When we say actionable data, it’s important to picture utilising the apps and tools you already have within your organisation and how continuous visibility of your employees' interactions with varying software allows you to monitor and report effectively. If you have greater visibility into problem areas, it means faster intervention to resolve those issues that leads to changes in employee behaviours.
By utilising actual behaviour data of your employees, you can build a clear picture of problem areas. This gives you a lot more control versus the usual awareness tactics. Teams taking part in various training methods, such as reading yearly security materials or viewing interactive content, will not be retained throughout the year. Research shows that, on average, people forget 70% of what they are taught within 24 hours of training.
Let's take an example here. If you want to become good at a sport, you go and get a coach who works with you every single day. This coach doesn't show you one video a year on how to do things correctly; they look at every element of your game to show your weaknesses and how to improve. The same attitude can be applied to cyber security, where you find employees’ weaknesses and then send out real-time nudges across various platforms to keep best practices at the front of their minds.
Another example of an industry-standard technique which is tried and true is simulated email phishing and training. Combining these two juggernauts means that Michael, your newly hired SDR, will not fall for the standard phishing email test you send to all employees. Maybe he will, perhaps he won’t, but there’s no way to be sure.
What if you could target Michael specifically with intelligent automated phishing emails that understand multiple different types of emails that might work? Maybe you send an authentic-looking email promising him a free Costa coffee if he follows a very tempting email link. Unfortunately, he probably will click that link because he needs that caffeine hit to reach his new leads quota. On the upside, you know what works for him, and you can send an immediate nudge to stop that behaviour before the actual fake Costa email comes into his inbox.
We think that it’s something to think about. Suppose you are struggling with filling basic technical cyber security skills gaps or don’t have the right security team to manage and educate on risks, then a solution needs to be implemented. If that solution relies on your staff to defend against potential attacks, then make sure they’re not only aware but also that it is ingrained in their culture and behaviours. Cyber security behaviour change could be a part of the solution for your organisation.