Training fatigue: It’s a (valid) concern for organizations of all sizes in all industries, but a particular worry for large, publicly traded companies and those required to deliver compliance-based training tied to regional, national, and/or global regulations. This, along with other reasons — for example, tight budgets, limited resources, and the perception that better cybersecurity practices don’t generate revenue — lead organizations to deprioritize security awareness training, relegating it to a “nice to have” rather than a “need to have” status.
It’s here, we feel, that organizations make a critical misstep. Digital data is woven so tightly into the fabric of business processes and procedures — in all roles and all departments — that cybersecurity skills can’t afford to be minimized. And whether you’ve been personally downplaying the need for organization-wide cyber hygiene or you’re fighting to change decision-makers’ hearts and minds, here are three reasons you should work to reframe the conversation around security awareness training:
#1: Attackers Are Focusing on People … but Many Orgs Aren't
Our recently released State of the Phish Report and other pieces of Proofpoint research clearly illustrate cyber criminals’ increased focus on human targets and the use of crafty social engineering techniques to gain access to data, devices, and systems. Attackers search up and down org charts to find inroads — it’s not just about VIPs. Lower-level workers can be targeted as frequently (or even more frequently) than C-Suite executives.
Every worker in your organization could be a weak link or a strong one. But like physical prowess, cybersecurity strength cannot be developed with irregular practice and intermittent attention to skill development. Sporadic simulated phishing attacks and infrequent training will not allow your end users to improve (or allow you to reduce end-user-driven risk). You must give employees the opportunity to learn over time and build the skills that are needed to better protect devices and data.
#2: End Users Are Inextricably Linked to Infosec and IT
Infosec and IT teams are tasked with ensuring that digital devices, processes, and procedures run as smoothly and efficiently as possible. Even when successful phishing attacks, malware infections, and data breaches result from end-user mistakes, infosec and IT teams are left to answer why (and clean up the mess).
Though this can breed frustration (on both sides), the reality is that end users and security professionals have a symbiotic relationship — and that relationship is undermined by an “us vs. them” mindset. A greater commitment to security awareness training can improve things for all parties. End users who are more knowledgeable are more careful, and they create fewer incidents for security teams to identify and remediate.
#3: People Appreciate Portable Skills
End users can be one of the obstacles to success when it comes to security awareness training. But in these cases, lack of communication is frequently at the root of the issue.
End users should be regarded as stakeholders in cybersecurity education programs — something that many organizations miss (to their peril). Employees who feel they know what is being asked of them — and why — tend to be more invested in learning new skills. In addition, it’s to your benefit to remind end users that the skills they learn are portable; they can be used at home (to improve security of personal devices and data) and shared with friends and family (something many of our customers’ end users are eager to do).
Don’t underestimate employees’ desire to learn new skills that are personally relevant and useful. Email, online banking, text messaging, and social media are but a handful of the ways individuals communicate and share data on a daily (if not hourly) basis. As such, cybersecurity skills can be frequently put to good use at work and at home.