When it comes to cybersecurity awareness and training, we’re often faced with a great deal of indifference and disappointment with how security training and communications are created and distributed.
From our research on over 300,000 people, analyzing typical communication tools, we recorded CTRs and engagement data that, on average, didn't go over 5%, translating into over 9 out of 10 people literally knowing nothing about what is being communicated to them.
In fact, more than half of emails are totally ignored, meaning that not only is there no interaction whatsoever, but these emails are never ever read or opened at all. Finally, we found that the greater the number of recipients of a communication (DEM, email) the greater the percentage that’s ignored.
This data is also confirmed by recent research by Gartner, which shows that although 90% of companies implement cybersecurity awareness programs, 69% of employees bypass them completely.
“Security awareness programs are failing at behavior management. Over 90% of cybersecurity functions have an awareness program, yet 69% of employees admit to intentionally bypassing their enterprise's cybersecurity guidance”
(Gartner - Security Awareness Efforts Fall Short! Now What? (Survey Results Analysis – February 2023).
Faced with the risk of failure of cybersecurity awareness programs that are offered and held through the more traditional channels, today cybersecurity governance must use a different approach: reaching everyone in a personalized way. This is where the hows and whens of engagement become two key factors. If you get these right, communication and training will be truly effective.
Moreover, according to Gartner, a new paradigm for training is necessary in terms of how training is done: the creation of a cybersecurity engagement program requires new capabilities and incentives that go beyond the common (and ineffective) tactics of just training or awareness. These emerging capabilities include behavioral science, automation, data integration, tool and platform orchestration, and personalized engagement.
So, what are some suggestions to start implementing these topics right away? There are three aspects you can work on to start improving the impact and effectiveness of cyber training and communication:
1. Deliverability: messages shouldn't go unnoticed; they should attract attention in a lighthearted, fun and personalized way, reaching all employees. No one should be left out or on the sidelines when it comes to corporate communications;
2. Engagement: cybersecurity can become “cool”, surprising and engaging people by coming alongside them at the right time, in the right place, and initiating a circular relationship that’s no longer a unidirectional dynamic of training perceived as boring and distant from daily life;
3. Measurement: it’s no longer just an issue of single CTRs, but rather setting and evaluating goals to orchestrate channels, tools and timing in a broader dimension in which it's then possible to understand the actual impact of a message and decide how to generate positive collaterals.
Today, cybersecurity is a challenge that calls for new leadership in the role of CISO, especially regarding how to amplify and make exponential something that is still linear: i.e. reaching and engaging all people with the information they need most, in a personalized way, and then measuring the information’s effectiveness by accompanying people in new, experiential training plans that are contextual to their work.
What's the solution to unite these aspects and create an effective cybersecurity awareness, engagement and training strategy?
Thanks to our in-depth work of analysis, monitoring and investigation into the most popular habits and behaviors of people in relation to this specific need, we’ve identified and outlined a potential and interesting, solution: a phygital platform (SaaS and white label) that allows you to completely independently – in terms of content creation and style – reach any target in a way that’s “outside the box” (also inboxes and other repositories) with contextual and personalized messages that not only capture people’s attention but encourage them (through nudge tech) to take action, ushering in a circular and complete loop of engagement of people.
For example, do you want to encourage the use of OneDrive instead of other web-based file submission tools? Wouldn't it be nice if a message popped up on your employees’ screens that helps and directs them to use OneDrive just as they are about to use another method?
It’s not a daydream or a parallel world: it's much simpler, accessible and sustainable. With hi platform, cybersecurity communications and information reach people directly (without the need for any extra clicks or actions) at the right time and with an adoption rate (you don't actually have to open anything) and response rate to calls to action that stands at well over 50% (10 times the average!).
“I like it when innovation is social, not in the most common sense of the word, but understood as social (i.e., relationship) impact and by which it changes something, for the better, in people's (working) lives. For CISOs by finally making the spread of their security efforts exponential; for users by empowering them to take that extra step toward knowing and participating in a world of good things and a safer company.” – Francesco Pozzobon, Chief Sales & Marketing @Digital Attitude
2023 is going to be one of great expansion for the cybersecurity market. In fact, according to CLUSIT data, the market has grown 18% in the past year, at a pace never seen before.
This is undoubtedly due to increased awareness on the issue within large organizations, but also to the growth in increasingly serious cyber attacks, the number of which continues to rise exponentially. According to research by the Milan Polytechnic’s Cybersecurity & Data Protection Observatory, in the last year 67% of large Italian companies have experienced cyber attacks and 14% of these attacks have had major consequences on these companies’ businesses.
So how can action be taken? According to CLUSIT, there are three points around which companies should organize their roadmap:
- Cybersecurity line of defense: consolidating security governance within the company through the CISO.
- Professional support figures for the CISO: Dedicated specialists are also needed to oversee cybersecurity: from cyber risk managers to data protection managers, but also security analysts and security developers.
- New and improved cybersecurity training: there is a growing need for appropriate employee awareness and training initiatives.
The most important of these points is setting up training initiatives dedicated to training employees in cybersecurity. In fact, CLUSIT’s research shows that cyber attacks that had tangible consequences were caused with social engineering techniques, which are based on psychology and persuading people. It therefore becomes key to train employees in a targeted, direct and concrete way on cybersecurity by working on the weak link i.e., human behavior.
“Training is now an indispensable element in a good cybersecurity strategy. However, the effectiveness of training depends on the ability to focus on the direct and concrete impact that each of the employees, in their different roles in the company, could experience in their daily activities.” (Milan Polytechnic’s Cybersecurity & Data Protection Observatory - February 2023
However, to reap the benefits, training in this field must be effective and calibrated based on people’s daily activities: from passwords to online file sharing. Since the human factor is what the most common attack techniques break through, people in organizations must be ready and trained to react on a day-to-day basis.
