Since the widespread adoption of remote work, digital security is increasingly recognized as the responsibility of every employee. This in turn has led to a significant rise in security awareness training. On average, businesses are spending roughly £130 per employee on security awareness every year, according to a study by Osterman Research.
However, is training worth the cost? Is training alone enough to truly protect your organization?
Why security awareness training doesn’t cover all bases
As revealed in our Freedom to Focus report, of the 67% of employees who have received security training in the past two years, over half (31%) state they have not used their learnings in their core role.
While training is helpful for raising awareness of inbound security threats, such as phishing and malware, it does little to address the leading cause of data leaks: human error. This includes sending information to the wrong person, using cc instead of Bcc in email, accidentally sharing an attachment, or failing to recall an email.
Training cannot counter the wider security issues of our digital communications platforms. In our hybrid working environment, we are relying on email more than ever. In fact, we found that 88% of employees rely on email to get the job done, and 81% consider email to be the most secure way of sending sensitive information.
However, email was never designed to be secure. This means it doesn’t provide the required levels of encryption and functionality to protect digital communications in transit or ensure compliance with data protection laws. Progressive IT leaders are realising that, with the application of smart technology, employees are empowered to protect their sensitive emails.
In short, training can only do so much. Technology must pick up where awareness leaves off.
Security awareness training can be counterproductive
In some cases, training might even make matters worse by pressuring employees to effectively take on two roles: their official position, as well as that of data protector.
Busy employees state that intrusive protocols and processes are leading to increased stress and frustration:
- 50% say current security methods slow them down
- 47% say they feel more frustrated by network security measures when working from home
- 39% say IT teams are so paranoid about threats that it hampers them from doing their job
The “security culture” that training courses tend to advocate can turn data security into a finger-pointing exercise, where every potential slip-up is framed around who’s to blame. This makes the working environment less enjoyable and, often, less secure — when employees feel targeted and vilified they are less likely to admit to errors.
In addition, we see many organizations increasingly treating security training as a box-ticking compliance exercise, failing to benefit employees in their day-to-day role.
How to make training work for employees
Our hybrid working world calls for a more sophisticated and holistic approach to data security.
In fact, 83% of IT leaders say progressive security strategies empower employees with smart technology rather than burdening them with protocols, processes and policies. 87% say it would be beneficial if there were a solution that protected people from email security errors.
In other words, security training programs are worth the cost, but only when additional measures are taken to address human error and effectively support employees to act securely effortlessly.
This is why a rising number of IT leaders are empowering employees with tools to avoid data leaks and putting mechanisms in place to identify and fix mistakes before they happen.
3rd generation email security goes above and beyond traditional security methods to meet the needs of modern businesses with smart, machine learning powered functionality and advanced encryption.
Click here to learn more. You can also download our Freedom to Focus report, which reveals the impact of email security in the workplace.