Security awareness training programs fall short of business needs


Although 99 percent of organizations responding to a new survey suffered a security incident tied to human error in the past year, the majority state that they struggle to implement effective, scalable security awareness training (SAT) programs that reduce this risk.
The study from Abnormal AI, which surveyed over 300 security and IT leaders in the US and UK, finds that SAT is widely adopted, with 75 percent of organizations requiring employees to complete training at least quarterly.
However, many of these programs exist only to satisfy regulatory or insurance requirements, which results in stale content, minimal engagement, and a perception of training as mere 'checkbox compliance.'
"When SAT content is one-size-fits-all and delivered against an annual or quarterly schedule to check a box, it can feel like a chore that employees are apt to tune out -- and that opens the door to costly breaches," says Mike Britton, CIO of Abnormal AI. "Attackers' most vulnerable targets are people, not systems, and reducing avoidable user actions -- like clicking on a suspicious link -- needs to be front and center."
The time and effort required to run an effective SAT program is a major blocker preventing organizations from achieving success. 83 percent of respondents agree that their current SAT tools require substantial effort to operate and maintain, with more than half (53 percent) agreeing that the effort required to run them outweighs their impact.
That said, nearly all of the organizations surveyed (99 percent) are in favor of including AI in future SAT tools and workflows, and see the value in using AI to support various functions of their programs. This includes using AI to: automatically generate training campaigns and workflows (99 percent), automate the creation of training videos (95 percent), and automatically create individualized attack simulations based on individual user profiles (95 percent).
"To truly defend against human-centric threats, enterprises must evolve their SAT programs to be continuous, dynamic, contextual, and personalized," adds Britton. "For years, this kind of training was something security leaders might have wished for, but implementing it in the real world would have been far too labor-intensive. Now, with AI, security teams have the power to make the dream of highly effective security awareness training a reality."
You can get the full report from the Abnormal site.