Report: Human error creates cybersecurity threats, but 25% of employers fail to train

Dive Brief:

A quarter of employers do not understand the most common cybersecurity threats against their organizations, according to a new study by Mimecast of 1,000 employees who use employer-issued devices. About the same number of companies provide no training whatsoever.
Only 45% of businesses put their employees through mandatory, formal cybersecurity training. Just 6% provide monthly training and 4% do so every quarter. Nine percent of respondents said they went through formal training when they started their job. A third of companies said they distribute a list of cybersecurity tips and reminders as training; 30% said they issued guidelines around safe and unsafe links and 28% sent out interactive videos teaching best practices.
More than two-thirds of employees said they use a company-issued device for non-work-related activities like reading the news, checking personal email and browsing social media. Almost 30% of employees use a company device for personal reasons for at least an hour each day, while one in 10 employees do so for more than four hours daily.

Dive Insight:

A lapse in cybersecurity can mean big problems for employers, but it seems many organizations haven't set up preventative measures to ward off potential breaches. Almost 40% of companies' data breaches start internally, according to a Harvard Business Review report. A more recent report from Willis Towers Watson estimated that 66% of cyber breaches result from employee negligence or malfeasance. Recall, for example, the 2017 mess up in London, when someone found on the street a USB drive carrying Heathrow Airport security data, including Queen Elizabeth II's route to the airport.

"Everyone knows human error is a problem, but the number of breaches and the gravity of breaches continues to go up," Michael Madon, general manager of security awareness products at Mimecast, told HR Dive in an interview. "And that's because they're not addressing the core problem of human error."

But eliminating human error doesn't make for perfect cyber security forevermore. "There's no one magic pill to fix the cybersecurity problem," Madon said. "To me, it's about having an effective program with the goal of reducing risk and creating a resilient organization. It's a holistic approach." To ensure cybersecurity on all fronts, Madon said employers need to have programs in place to protect email, to defend against malicious web addresses and to allow for safe and secure information storage.

And, of course, employers need to address human error through training. Some employers have already been on the move in this respect. Thirty-five percent of CISOs said employee training should top financial organizations' to-do lists, according to the Financial Services Information Sharing and Analysis Center's 2018 CISO Cybersecurity Trends survey. An effective training regime would "change the way someone thinks about security, from compliance to commitment," Madon said. "If you're going to use modern learning methods, in order to have an effective learning program, it needs to be engaging, it needs to be short, but it also needs to be continuous."

Madon isn't unique in this theory. Tom Pendergast, chief learning officer at MediaPRO, likens a good training program to a set of convincing commercials. "A great security awareness initiative should look like a great advertising campaign," said Pendergast. "[T]hink of it as influencing consumer behavior."