Half of employees fear repercussions from their organisation if they report a security breach, according to a report by ThinkCyber, based on a survey conducted at Infosecurity Europe 2024.
Only 51% of respondents said they believed most people in their company were focused on security, and 39% said they felt only executives and security teams were focused on this area.
The employee behaviors that cyber professionals are most concerned about include:
- Clicking on malicious links in phishing emails (53%)
- Sharing corporate data outside the company (53%)
- Sharing usernames and passwords (51%)
Cyber awareness training does not work effectively
The report also highlighted significant concerns among cybersecurity professionals about the impact of security awareness training on changing employee behavior.
A quarter of respondents said they doubted their colleagues would change their behavior as a result of current security awareness training, while 42% admitted their organization cannot demonstrate, even to some extent, whether its current security awareness training is changing risky behaviors.
Around half (49%) also said their company does not have a mechanism to identify groups of users who engage in risky behaviour.
Additionally, nearly two-thirds (60%) said that training is only provided every few months or even just once a year.
How to improve security awareness training
ThinkCyber highlighted the importance of targeted and contextualized training, ensuring it is relevant to each employee.
Tim Ward, CEO of ThinkCyber, commented: “By intervening at the precise moment when a risky action is about to be taken, people are more likely to understand the specific dangers and consequences associated with their actions. This timely intervention ensures that the lesson is not abstract or theoretical, but grounded in a real-world context, making it more impactful.”
CultureAI also advocates the use of targeted interventions to change security behaviors and highlights the emerging field of human risk management (HRM).
Ward added that organizations need to find ways to measure the behavioral impact of training programs, which can also identify which user groups require additional help.
Another finding from the survey was the need for organizations to offer shorter but more regular training segments. More than two-thirds (70%) of respondents said they want to keep their knowledge up to date and that doing it little and often works for them.