Among the many causes of cybersecurity incidents, inappropriate use of IT resources by employees remains a challenge for businesses.
In 2019, half of companies (52% of enterprises, 50% of SMBs) suffered a data breach for this reason, as revealed in a Kaspersky survey of IT decision-makers. Surprisingly, companies experienced this almost as often as they had devices infected with malicious software.
This shows that businesses need to explain to their employees how to recognise ‘dangerous’ situations and ensure they know how to react appropriately. Security awareness training programmes are designed to teach important cybersecurity hygiene.
To make sure courses deliver the desired results, companies should meet modern learners’ requirements and the current trends in corporate education. Numerous factors have contributed to the evolution of security awareness training, be it the development of new technologies or changes in corporate culture.
Here are five trends to keep in mind when developing your company’s security awareness program:
1. Training should include tips for going online in your spare time
Organisations have long been exploring the opportunities of remote working, and the current pandemic has helped to speed up this process. Some companies have decided to allow staff to work remotely even after the COVID-19 lockdown measures are over. However, this does blur the boundaries between work and personal life. For instance, users may be less conscious about using work devices for personal activities, and vice versa.
Security awareness courses should cover the use of personal devices and accounts for work purposes and explain how personal and business resources can be interconnected.
Additionally, this tendency can be used to encourage employees to learn cybersecurity basics.
Some companies use scaremongering to motivate employees to learn. For instance, they warn staff that they will lose bonuses or even be fired if they cause a data breach (in fact, 26% of enterprises and 24% of SMBs did so).
Unfortunately, fear does not work as a long-term solution to effectively motivate people.
Instead, a company can position a security awareness course as an opportunity to learn useful information that can be applied during employees’ spare time as well.
2. Course duration and required cybersecurity skills will be regulated
Today, many government and industry requirements make it necessary for organisations to have security awareness training in place. The Health Insurance Portability and Accountability Act (HIPAA) obliges businesses to “implement a security awareness and training programme for all members of its workforce (including management)”.
In practice, businesses do what they can to fulfil these requirements and often implement whatever training is available so they can say they are compliant, but with little substance. The statistics above show that this approach doesn’t bring the required results.
That’s why regulations in industries where cyberattacks are more critical for business will become more detailed and stricter. For example, there may be requirements on the minimum time spent on security training, or formal competence matrices for non-security specialists.
For employees, the perception will change from the course being a mere formality to a beneficial and valued way to gain the skills required for the job market.
3. New cyberattack scenarios are coming, so courses will be updated
Cybercriminals continually develop more sophisticated ways to conduct their attacks. Last year, researchers revealed that fraudsters impersonated the CEO of a German company by mimicking his voice with a deepfake, and got an employee to transfer €220,000.
Currently, security awareness training advises employees who have received a suspicious message to call the purported sender and ask whether they really made the request. Unfortunately, this advice would not have helped in this case.
We cannot say for sure whether this sort of attack will become common, but this case demonstrates that security awareness training agendas should be reviewed regularly. So, future basic cybersecurity courses will include topics and recommendations that we cannot even foresee now.
4. Corporate education will resemble massive open online courses
If you have taken an online course during the COVID-19 lockdown, you are not alone – many online learning platforms saw an increase in registrations. Even before the quarantine, learning was already considered an activity people did in their free time.
Back in 2016, 74% of adults in the USA participated in at least one educational activity because it was of personal interest to them. This illustrates the tendency for people to engage in lifelong learning and to continue gaining new knowledge after they have graduated from school or university.
People who regularly attend courses and see the different approaches to education will likely have more specific requirements for corporate training. Security awareness courses will change both in terms of content and form of delivery to suit the new normal of remote learning and work.
5. Security awareness training will be more personalised
The amount of information produced and consumed by people is growing – no doubt you are accustomed to this message. Employees who are taught information that’s already familiar to them may begin to resent awareness training or consider it a waste of time.
Therefore, security awareness training will become more tailored. These courses will take into account not just the skills and rules that are relevant and new for a given role – good training should also be automatically adjusted to a particular employee’s level of knowledge, their pace of learning and their individual learning preferences.
This will ensure employees are not burdened with irrelevant information and can instead spend more time focusing on the skills they do not already have.