nVisium released the findings of their recent research, which explores the current state of cybersecurity awareness and security training initiatives within today’s remote workforce. The research reveals that only 35% of respondents classify security awareness training as a ‘top priority’ while working remotely, and nearly half say that their DevOps teams are not experts in understanding how to protect at-home wireless networks.
Approximately 250 responses were analyzed, and the results revealed that many organizations do not fully comprehend the critical need for implementing continuous security training initiatives, particularly at a time when corporate network attack surfaces are increasing and being exposed to millions of new endpoints. As remote working continues to be prominent, IT teams must also have the skills and ability to implement the appropriate security measures to support this. However, nVisium’s research reveals that only 18% of respondents deliver company-wide standard monthly reports on the latest security breaches and exploits, while a startling 40% say that their organization’s developers are not experts in cybersecurity.
Steve Durbin, managing director of the Information Security Forum, notes, “The best security policies are under constant review and take into account ongoing feedback. Archaic policies are quickly retired. Success lies in explaining how a policy can benefit both the enterprise and the individual. Awareness programs that fail to do this are destined to end badly. In this age of hybrid working, employers need to re-assess security risks at the personal access level and keep the following areas under constant review:
- Mobile devices
- Internet-connected devices
- Cloud access and storage
- Third-party providers”
Durbin adds, “By helping staff understand how vulnerabilities can lead to poor decision making and errors, organizations can better manage security risks. To make this happen, a fresh approach to information security is required which goes far beyond simple policies. A human-centred approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization’s security awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure.”
Some other key findings from nVisium’s research include:
- Nearly 60% of respondents say that their organization’s cybersecurity training investment costs have either decreased or stayed the same since the start of remote working.
- Less than 30% of respondents say that integrating security tools and processes throughout the DevOps pipeline is a top priority.
“Our research highlights and proves the current gaps in security training initiatives, which exist across organizations globally,” said Jack Mannino, CEO at nVisium. “To be truly successful at security, organizations must implement training programs that focus on building the skills needed to secure the full development lifecycle and keep pace with emerging trends and best practices. Achieving optimum security is a continuous journey, not a destination.”
Lisa Plaggemier, Chief Strategy Officer at MediaPro, says, “Most vendors offer courses on working securely away from the office, and many have updated their training content to specifically address the working-from-home challenges of COVID-19. However, training is just one piece. To raise awareness, use articles in the company newsletter, infographics, and messaging on company social channels,” Plaggemier says. “Also, be mindful of the tone of your communications. With the pandemic, we’re all in an incredibly stressful situation, and many employees are working more hours than ever before. They’ve proven incredibly resourceful at getting their jobs done in the face of numerous personal and business obstacles. So when providing employees security advice, be positive. Be informative, not dictatorial. Provide advice on what they can do to protect themselves and the organization, not just a list of what not to do.”