Hornetsecurity on Thursday reported that 33% of companies are not offering any cybersecurity awareness training to users who work remotely.
The study also pointed out that this causes security issues because nearly three-quarters (74%) of remote staff have access to critical data, which creates more risk for companies in this new hybrid-working world.
And despite the current lack of training and employees feeling ill-equipped, 44% of respondents say their organization plans to increase the percentage of employees who work remotely.
“Traditional methods of controlling and securing company data aren’t as effective when employees are working in remote locations and greater responsibility falls on the individual,” said Daniel Hofmann, chief executive officer of Hornetsecurity. “Companies must acknowledge the unique risks associated with remote work and activate relevant security management systems, as well as empower employees to deal with a certain level of risk.”
Roger Grimes, data-driven defense evangelist at KnowBe4, added that there’s an even more depressing statistic: most of the organizations that do offer training do so only once a year, and KnowBe4 data shows that once-a-year training has very little benefit; it’s as if the company didn’t do any training at all.
Grimes said social engineering takes place in 70% to 90% of all successful hacking and yet almost no organization spends even 5% of its IT and security budget to address it.
“This fundamental misalignment of risk and lack of appropriate mitigation has allowed hackers and malware to be so successful for so long across most organizations,” said Grimes. “Every organization needs to realize that the No. 1 best mitigation they can do is security awareness training to employees. No other single mitigation…not firewalls…not antivirus scanners, not intrusion detection software…will have as much benefit. But the security awareness training needs to be aggressive and frequent, at least once a month and include simulated phishing tests at least once a month where employees failing the tests get more training until they aren’t failing the tests.”
Darryl MacLeod, vCISO at LARES Consulting, said for organizations, an investment in cybersecurity training can help ensure that their employees are up-to-date on the latest threats and trends. MacLeod said this can help to reduce the risk of a data breach or other cyberattacks. For individual IT professionals, security training can also help them stay ahead of the curve and sharpen their skills.
“One emerging trend I’ve seen is the use of gamification in security training,” said MacLeod. “Games can be a fun and engaging way to learn about complex topics like cybersecurity. By incorporating game mechanics into security training, learners can develop the skills they need to succeed in the industry.”
Baber Amin, COO at Veridium, said human nature being what it is, companies must recognize that employee training will always be important but never foolproof. Amin said the No. 1 reason for most attacks is credential hygiene.
“Since passwords are the No. 1 credential, organizations whose employees handle sensitive data should consider moving to eliminate the weakest link in the access chain and go passwordless,” said Amin. “When dealing with sensitive data, it’s important to eliminate credential sharing and the abuse that fosters, reduce help desk calls, reduce the footprint for social engineering attacks, and mitigate fallout from third-party password database breaches.”