A recent report by ThinkCyber, based on a survey conducted at Infosecurity Europe 2024, reveals that half of employees are hesitant to report security mistakes within their organization due to fears of facing repercussions. The survey also found that only 51% of respondents believed that most people in their business were focused on security, with 39% feeling that only executives and security teams were prioritizing this area.

The report shed light on the concerns of cybersecurity professionals regarding employee behaviors that pose security risks. The top three behaviors that were most concerning included clicking on malicious links in phishing emails, sharing corporate data outside of the business, and sharing usernames and passwords.

One of the key findings from the report highlighted the doubts cybersecurity professionals have about the effectiveness of security awareness training in changing employee behaviors. A quarter of respondents expressed skepticism about whether their colleagues actually change their behavior as a result of current training programs. Additionally, 42% admitted that their organizations are unable to prove whether the training is making a difference in addressing risky behaviors.

Furthermore, almost half of the respondents (49%) noted that their organizations lack a mechanism for identifying specific user groups engaging in risky behaviors. The frequency of training sessions was also a concern, with 60% stating that training is only provided every few months or once a year.

To improve the effectiveness of security awareness training, ThinkCyber emphasized the importance of targeted and contextualized training tailored to individual employees. Tim Ward, CEO at ThinkCyber, emphasized the significance of intervening at the moment when a risky action is about to occur, as this helps employees understand the specific dangers and consequences associated with their actions in a practical context.

CultureAI also advocated for targeted interventions to change security behaviors and highlighted the emerging field of human risk management (HRM) to address these challenges. Ward suggested that organizations should focus on measuring the behavioral impact of training programs and identifying user groups that may require additional assistance.

The survey also revealed the preference for shorter and more frequent training sessions among respondents, with over two-thirds (70%) expressing a desire to keep their knowledge up to date through regular, bite-sized training segments.

In conclusion, the report underscores the need for organizations to rethink their approach to security awareness training by focusing on personalized, timely interventions and measuring the impact of these programs on employee behaviors. By addressing these areas, businesses can better equip their employees to mitigate security risks and strengthen their overall cybersecurity posture.

Lidhja e burimit