Security awareness training is not enough to stop breaches

by · BetaNews

New research shows companies are pouring an increasing number of resources into their security awareness and training programs, with 96 percent of respondents allocating it between five percent to 20 percent of their security budgets.

But the research from CultureAI, based on a survey by Opinion Matters of 200 UK-based cyber security teams at organizations with over 1,000 employees, finds that while 78 percent train employees at least monthly, human-related breaches are still happening at an alarming rate.

Surveyed organizations say the leading motivation for delivering training is to change behaviors and equip employees to handle risks (51 percent), followed by compliance (25 percent) and breach prevention (24 percent). But regardless of the objective behind the training, 79 percent of surveyed organizations have suffered a cyber breach due to human error in the last 12 months, with 34 percent experiencing multiple breaches.

The survey suggests the beginnings of a shift from awareness training to human risk management (HRM). 63 percent of respondents currently spend between five and 10 percent of their security budget on training, with another 33 percent reporting that they spend 11 to 20 percent. This is more than anticipated: in 2023 Gartner reported 60 percent of teams spending five percent or less on awareness activities, including people, processes and technology.

Although 94 percent of surveyed organizations report using at least one HRM capability, there is still room for growth, as only 22 percent of respondents are using three or more different capabilities.

Looking at respondents who reported no data breaches, the research finds a preference for more technical HRM capabilities. The most popular choices are human risk triage (45 percent), coaching based on risk levels (37 percent), nudges triggered by risks (37 percent), and automated interventions (32 percent).

John Scott, lead security researcher at CultureAI, says:

Human error is inevitable, but it's not a moral failing. We all make mistakes. Unfortunately, these mistakes can be catastrophic for organizations. It's a challenge that every business must grapple with, and the research serves to demonstrate the prevalence of human-related breaches, even as companies invest more time and resources into security awareness and training programs.

Training can go some way to address gaps in knowledge, but cyber criminals exploit gaps in attention and perception to achieve their goals. Effective use of technical interventions and nudges can help close those gaps. But human risk management isn't just a shift in technology, it's a complete change of mindset, and one that is desperately needed, enabling companies to adapt to the new normal.

You can get the full report from the CultureAI site.

Image credit: Morganka/Dreamstime.com