Urgent training gap exposed

A quarter of organisations unprepared for cyber-attacks.

  • Sunday, 9th June 2024, by Phil Alsop

A new survey by cybersecurity provider Hornetsecurity has uncovered significant gaps in IT security training, with a quarter (26%) of organisations still providing no form of training to their end-users. The company issued the survey results at Infosecurity Europe 2024, where it is exhibiting at stand E60.

The survey, which compiled feedback from industry professionals around the world, also reveals that fewer than 1 in 13 organisations (8%) offer adaptive training that evolves based on the results of regular security tests. In a rapidly evolving cybersecurity landscape, where malicious threat actors are constantly devising new ways to infiltrate and harm, this is a significant business concern.

Engagement and Effectiveness in Training

People represent the frontline of every company’s cybersecurity strategy. The most popular type of cyber-attack is phishing, which preys on a person’s trust. Employees must therefore be equipped with the skills, understanding and confidence to spot malicious behaviours. Sadly, Hornetsecurity’s survey revealed that not only is there a significant gap in training, but training initiatives are seen to be ineffective. Nearly a third (31%) of respondents reported that their training was unengaging or only slightly engaging.

Despite the low engagement levels, 79% of organisations believe their IT security awareness training to be at least moderately effective in combating cyber threats. However, nearly four in ten (39%) reported that the training does not cover recent or AI-powered cyber threats adequately. In a world where AI is expediting and increasing the scale of attacks, this is alarming.

Daniel Blank, COO of Hornetsecurity, says, “Our latest research shows a clear disconnect between the perceived effectiveness of security training and its actual relevance and responsiveness to modern cyber threats, especially the recent boom in AI-driven attacks. Employees must be equipped with ongoing training to bolster any technical defences and serve as a human firewall. The ongoing aspect is essential for the training to have the most impact. It’s important to invest in the latest cybersecurity technology, but a sustainable security culture means investing in people as well.”

Post-incident adaptations and reporting gaps

The survey found that one in four organisations had suffered a cybersecurity breach or incident, 23% of which had occurred in the last year. Notably, 94% of these organisations took steps to strengthen their security by implementing additional controls post-incident. Yet, despite these efforts, 52% of respondents noted that end-users often ignore or delete identified email threats without reporting them, and 38% forget the training content, showing the need for ongoing and engaging training enhancements.

The survey highlighted that people are particularly interested in more effective post-training resources, which could help in retaining and applying the learned security measures. Another area for improvement is feedback on reported threats, with 28% stating the lack of feedback as a reason for not adhering to training protocols.

The need for updated training

A significant 45% of decision-makers in IT believe their current training programmes are outdated and ineffective against AI-powered attacks. This sentiment is echoed by 39% of general respondents, showing a critical need for training content that is both current and comprehensive.

Daniel Blank adds, “It’s imperative that organisations not only provide regular, engaging, and adaptive training but also ensure that these programmes thoroughly address the latest and most sophisticated cyber threats. This is why we developed Hornetsecurity Security Awareness Service, a next-gen solution that delivers the right amount of training customised per employee in an automated way. That way, organisations can provide the right level of ongoing training without draining IT resources to set this up and deliver it.”

He stressed: “Proactivity is key: instead of strengthening after incidents, organisations should pre-empt attacks and have robust systems and processes in place. Doing so saves significant time, effort and cost.”

Cyber insurance and preventative measures

Over half of the surveyed organisations (56%) now use cyber-insurance, indicating a growing reliance on financial safeguards against cyber incidents. Additionally, 79% of organisations attribute the prevention of cybersecurity incidents directly to their IT security training programmes, while 92% acknowledge that the training has enabled end-users to spot security threats across various media, not just email.
