26% of organizations lack any form of IT security training
26% of organizations don’t provide IT security training to end-users, according to Hornetsecurity.
The Hornetsecurity survey, which compiled feedback from industry professionals worldwide, also reveals that 8% of organizations offer adaptive training that evolves based on the results of regular security tests.
People represent the frontline of every company’s cybersecurity strategy. The most common type of cyberattack is phishing, which preys on a person’s trust. Employees must, therefore, be equipped with the skills, understanding, and confidence to spot malicious behaviors.
Sadly, Hornetsecurity’s survey revealed a significant gap in training, and that existing training initiatives are ineffective: 31% of respondents reported that their training was unengaging or only slightly engaging.
Organizations see value in IT security training
Despite the low engagement levels, 79% of organizations believe their IT security awareness training to be at least moderately effective in combating cyber threats. However, 39% reported that the training does not cover recent or AI-powered cyber threats adequately. This is alarming in a world where AI is expediting and increasing the scale of attacks.
“Our latest research shows a clear disconnect between the perceived effectiveness of security training and its relevance and responsiveness to modern cyber threats, especially the recent boom in AI-driven attacks. Employees must be equipped with ongoing training to bolster any technical defences and serve as a human firewall. The ongoing aspect is essential for the training to have the most impact. It’s important to invest in the latest cybersecurity technology, but a sustainable security culture means investing in people as well,” said Daniel Blank, COO of Hornetsecurity.
The survey found that one in four organizations had suffered a cybersecurity breach or incident – 23% of which had occurred in the last year. Notably, 94% of these organizations strengthened their security by implementing additional controls post-incident.
Yet, despite these efforts, 52% of respondents noted that end-users often ignore or delete identified email threats without reporting them, and 38% forget the training content, showing the need for ongoing and engaging training enhancements.
The need for updated training
The survey highlighted that people are particularly interested in more effective post-training resources, which could help them retain and apply the security measures they learned. Another area for improvement is feedback on reported threats, with 28% citing the lack of feedback as a reason for not adhering to training protocols.
A significant 45% of decision-makers in IT believe their current training programs are outdated and ineffective against AI-powered attacks. This sentiment is echoed by 39% of general respondents, showing a critical need for training content that is both current and comprehensive.
Daniel Blank adds, “It’s imperative that organizations not only provide regular, engaging, and adaptive training but also ensure that these programmes thoroughly address the latest and most sophisticated cyber threats.”
He stressed: “Proactivity is key: instead of strengthening after incidents, organizations should pre-empt attacks and have robust systems and processes in place. Doing so saves significant time, effort and cost.”
56% of the surveyed organizations now use cyber-insurance, indicating a growing reliance on financial safeguards against cyber incidents. Additionally, 79% of organizations attribute the prevention of cybersecurity incidents directly to their IT security training programmes, while 92% acknowledge that the training has enabled end-users to spot security threats across various media, not just email.