by hse | Jun 3, 2024 | Security information
About Hornetsecurity Security Awareness Survey
Security awareness training is an essential defense mechanism for organizations against a plethora of evolving cyber threats. It involves educating employees about various cybersecurity practices, identifying potential risks, and teaching the appropriate actions to mitigate such threats. At Hornetsecurity, we recognize the paramount importance of security awareness training in safeguarding against these threats. As digital defenders, we understand that continuous education and awareness are essential for any organization striving to protect its assets and information. In our commitment to bolstering security knowledge, we have extensively covered various facets of cybersecurity in our Knowledge Base. However, the effectiveness of security awareness training remains a critical area that demands deeper exploration. To assess the current effectiveness of security awareness training, we conducted an extensive survey targeting a diverse group of IT professionals across industries. Our objective was to gauge their understanding of security training protocols, the implementation of these practices within their organizations, and the overall impact on cybersecurity posture. We distributed the survey globally, garnering over 150 responses that provide a comprehensive view of how organizations are navigating the challenges and opportunities presented by security training. Below, you will find a detailed analysis of our findings, highlighting the key insights and trends that emerged from the survey. For those interested in a more granular view, the complete survey results are available for further review. Let’s delve into the data and discover what it tells us about the state of security awareness training today.
1 in 4 (25.7%) Organizations Do Not Provide I.T. Security Awareness Training to Its End-Users
One of the more notable revelations from our survey on security awareness training is that approximately one in four organizations (25.7%) do not provide IT security awareness training to their end-users. This significant oversight in cybersecurity education highlights a critical vulnerability within the corporate world, particularly in smaller companies. Our survey data indicates a clear trend related to company size and the likelihood of providing such training. While larger organizations seem to recognize and act on the necessity of educating their workforce on cybersecurity threats, smaller companies lag notably behind. Specifically, among businesses with 1 to 50 employees, nearly 30% do not offer any form of IT security awareness training. This percentage slightly improves as company size increases, with 32.4% of companies with 51 to 200 employees also neglecting this training. The trend shows a slight improvement in mid-sized companies with 201 to 500 employees, where only 21.4% do not provide security training. It is in larger enterprises, particularly those with 501 to 999 employees, where security awareness training is most consistent, with every surveyed company in this bracket providing training. Amongst the largest companies surveyed, those with over 1,000 employees, nearly 95% offer security training, with only a small fraction (5.9%) not doing so. The disparity in training availability raises significant concerns about the vulnerability of smaller organizations to cyber threats. Without the foundational knowledge provided by security awareness training, employees in these smaller companies are potentially at greater risk of falling prey to cyberattacks, thereby jeopardizing both their personal and organizational data. This gap underscores the critical need for all organizations, especially organizations with 51 to 200 and 201 to 500 employees, to invest in comprehensive security awareness programs that empower every employee with the knowledge and tools necessary to defend against cyber threats.
Only 7.5% of Organizations Provide Training That Is Adaptive and Based on Regular Security Awareness Tests Results
When asked “How often do users within your organization participate in IT security awareness training?”, only 7.5% of organizations reported that their training programs are adaptive and based on regular security awareness test results. This low percentage suggests that adaptive training, which can dynamically adjust to the evolving cybersecurity landscape and the specific needs of an organization, is not widely implemented. Despite the proven benefits of adaptive learning environments, which can significantly enhance engagement and retention of knowledge, the majority of organizations still rely on more traditional, less flexible training schedules. Our survey reveals that a monthly training schedule is maintained by 29% of organizations, while 22.4% conduct training just once a year. These findings suggest a potential gap in the continuous education necessary to effectively combat the rapidly changing threat environment. Furthermore, the effectiveness of existing training programs is called into question by the participants themselves. Approximately three in ten respondents describe their company-provided IT security awareness training as only ‘slightly engaging’ or ‘not engaging at all’. This lack of engagement is critical, as it directly impacts the effectiveness of the training provided. Additionally, around a quarter of respondents expressed concerns that their current cybersecurity awareness training is not frequent enough (27.1%) and not engaging enough (23.4%). Adding to these challenges, 22.4% of respondents indicated that users do not have enough time to complete the security training, highlighting a significant barrier to fostering a well-informed and proactive security culture within organizations. Yet, almost all (96%) agree that the time invested in administering and completing these training sessions is worthwhile, emphasizing the recognized value of educated personnel in mitigating cybersecurity risks. Interestingly, when considering improvements, 53.3% of end users requested more post-training resources, indicating a desire for ongoing support beyond initial training sessions. Other areas for enhancement included making the content more engaging (40%) and increasing the frequency (35%) and clarity (30%) of the training content. These insights underscore a critical need for organizations to rethink their approach to IT security training, focusing on making it more adaptive, engaging, and frequent to better prepare their workforce to face modern cyber threats effectively.
78.5% (Or 4 in 5) of Organizations Find It Security Awareness Training to Be at Least ‘Moderately’ Effective in Combating Cyber Threats
A significant finding from our survey is that a vast majority, specifically 78.5%, of organizations regard their IT Security Awareness Training as at least ‘moderately’ effective in combating cyber threats. This indicates that four out of five companies have confidence in their training programs’ ability to equip employees with the necessary skills and knowledge to recognize and defend against cyber incidents. This level of effectiveness underscores the critical role that comprehensive security awareness training plays within an organization’s cybersecurity strategy. It highlights that, when implemented properly, such training can significantly bolster an organization’s defenses by making each employee a vigilant participant in the detection and prevention of cyber threats. The recognition of training effectiveness is crucial, especially in a landscape where cyber threats are becoming more sophisticated and frequent. Organizations that perceive their training as effective are likely to continue investing in these programs, potentially increasing their robustness and adaptability to new threats. Furthermore, this positive perception of training effectiveness is likely to encourage ongoing commitment to cybersecurity education across all levels of the organization, fostering a culture that prioritizes and values strong cyber hygiene practices. Such a culture not only enhances the immediate security posture of the company but also builds a resilient framework against future security challenges.
1 in 4 Respondents Said That Their Company Has Experienced a Cybersecurity Breach or Incident.
Alarmingly, one in four respondents disclosed that their company has experienced a cybersecurity breach or incident, highlighting a significant vulnerability within many organizations. More concerning is the timeline of these breaches: half of these incidents occurred within the last three years, and 22.5% took place in just the past year alone. This data points to a troubling trend of increasing cyber incidents, emphasizing the urgency for robust and up-to-date security measures. The frequency of these breaches underscores the continuous evolution of cyber threats and the critical need for organizations to enhance their cybersecurity protocols continually. It also reinforces the importance of effective IT Security Awareness Training to equip employees with the knowledge and tools needed to protect their organizations against these growing threats.
4 in 5 (78.5%) Organizations Believe I.T. Security Awareness Training Has Directly Prevented Their Organization From Experiencing a Cybersecurity Incident
A compelling 78.5% of organizations believe that IT security awareness training has directly prevented them from experiencing a cybersecurity incident. This high percentage demonstrates the training’s effectiveness not only as an educational tool but as a crucial preventive measure in protecting organizational assets and information. Furthermore, an overwhelming 91.6% of respondents agree that such training has equipped their end-users with the skills to spot security threats across various mediums, not just email. This broad applicability is vital in today’s diverse digital landscape, where threats can emerge from multiple sources, including social media, mobile apps, and web browsing. These findings underscore the significant return on investment that IT security awareness training offers. By empowering employees to identify and respond to threats proactively, organizations enhance their overall security posture and reduce the likelihood of disruptive cyber incidents.
4 in 10 (39.3%) Feel That I.T. Security Awareness Training Used in Their Organization Is Not Up-To-Date
A significant portion of the workforce, specifically 39.3%, feels that the IT security awareness training provided by their organizations is not up-to-date, particularly concerning the capabilities needed to combat AI-powered cyber attacks. This concern is even more pronounced among those in IT decision-making roles, with 45% echoing this sentiment. These statistics reveal a critical gap in current cybersecurity education programs, which may not yet fully address the sophisticated nature of modern AI-driven threats. As cybercriminals increasingly employ advanced technologies, including artificial intelligence, to execute more complex attacks, it becomes imperative for security training to evolve accordingly. This data calls for an urgent review and update of training curricula to incorporate the latest knowledge and defense strategies against AI-enhanced threats, ensuring that all employees are equipped not only with general cybersecurity awareness but also with specific insights into emerging technological vulnerabilities.
Over Half (52.3%) of Respondents Said That ‘Users Prefer to Ignore or Delete’ Identified Email Threats Without Reporting Them’
Our survey highlights a troubling trend: over half of the respondents (52.3%) reported that users tend to ignore or delete identified email threats without properly reporting them. This behavior underscores a significant gap in threat management protocols where the initial detection does not translate into informative action for IT security teams. Additionally, a considerable 38.3% of respondents indicated that users often do not remember the security training they receive. This points to potential shortcomings in the engagement and retention strategies of the training programs. The lack of memorable and impactful training content could be leading to these lapses in proper threat response and reporting practices. These findings suggest a need for organizations to enhance their cybersecurity training methods, perhaps by incorporating more engaging, repetitive, and interactive content that reinforces the importance of reporting threats and ensures longer retention of crucial security practices.
3 in 10 (28%) Respondents Said That Not Receiving Feedback on the Threats They Report Contributes to End-Users Not Following Training Protocols
A notable concern raised by our survey is that 28% of respondents believe the lack of feedback on reported threats discourages end-users from adhering to training protocols. This highlights a critical oversight in many organizations’ cybersecurity response strategies. When users report potential security threats but receive no acknowledgment or feedback, it can create a sense of indifference towards the importance of their actions. Without understanding the outcomes of their reports, users may feel that their efforts are unnoticed or unappreciated, leading to a decrease in proactive security behaviors. This feedback gap underscores the need for organizations to establish robust communication channels that not only encourage reporting of security threats but also close the loop by providing timely and constructive feedback. By reinforcing the value of each report, organizations can enhance compliance with security protocols and foster a more security-conscious culture.
Just Over Half of Respondents (56.2%) Said Their Organization Uses Cyber-Insurance
According to our survey, a slight majority of respondents, 56.2%, indicated that their organizations have adopted cyber-insurance. This reflects a growing recognition of the risks associated with cyber threats and the complex nature of defending against them. Cyber-insurance serves as a safety net, providing financial protection against losses from cyber incidents such as data breaches, business interruption, and network damage. The fact that just over half of the organizations surveyed are investing in this kind of insurance highlights its perceived value in the modern business landscape, where digital threats are increasingly common. However, the adoption rate also suggests that nearly half of the organizations might still be underestimating the potential financial impacts of cyber threats, or perhaps they rely more heavily on preventive measures like security training and technical defenses. This statistic could spur further discussion about the balance between investing in proactive security measures versus insuring against potential outcomes.
3 in 4 (77.1%) Respondents Say Their Organization Has a Process in Place to Deal with Phishing Emails or I.T. Security Threats
Our survey reveals that a robust 77.1% of respondents confirm their organization has established processes in place to effectively handle phishing emails and other IT security threats. This significant majority indicates a strong awareness and proactive stance in combating cyber threats at an organizational level, showcasing that most companies are taking the necessary steps to prepare and respond to these common security challenges. However, there remains a notable portion of the workforce that is either unaware of or lacks these critical protocols. Specifically, 12.5% of respondents indicated that their organization does not have a defined process for dealing with such threats, and 10.4% are unsure if such a process exists. This lack of clarity or absence of procedures not only exposes these organizations to greater risk but also highlights an area for immediate improvement. It underscores the need for clear communication and training regarding the existence and execution of threat response processes to ensure that all employees are prepared and can act effectively in the face of potential cyber incidents.
1 in 5 (21.5%) Find I.T. Security Awareness Training ‘Slightly Effective’ or ‘Not Effective at All’
Despite the general positivity towards IT security awareness training, our survey indicates that not all feedback is favorable. Approximately one in five respondents, or 21.5%, rate their organization’s training as ‘slightly effective’ or ‘not effective at all’. This significant minority points to potential shortcomings in the current training methodologies being implemented across various industries. This feedback suggests that while training may be widespread, its execution and the quality of its content might not meet the necessary standards to fully equip employees against cyber threats. The perception of ineffectiveness could stem from outdated materials, lack of engagement, or training not being comprehensive enough to cover newer types of cyber threats, including those powered by sophisticated technologies such as AI. Addressing these concerns is crucial for improving the overall impact of security training programs. Enhancing engagement, updating content regularly, and tailoring training sessions to the specific needs and risks of the organization may help increase the perceived effectiveness and ensure that all employees are well-prepared to defend their digital environments.
Just Over 1 in 3 (35.9%) of Respondents Describe the I.T. Security Policies Within Their Organization as ‘Not Enough’
The findings from our survey reveal mixed opinions regarding the adequacy of IT security policies within organizations. Just over one-third of respondents, 35.9%, feel that the cybersecurity policies in place are ‘not enough’ to effectively safeguard their organization against current threats. This significant portion of the workforce expressing concerns suggests a need for reassessment and potential enhancement of these policies to address evolving cyber threats more effectively. Conversely, a more optimistic 45.3% of respondents believe that their organization’s IT security policies are ‘appropriate’, indicating that these policies meet the necessary standards to protect against potential cyber incidents adequately. This perspective highlights that while many organizations are on the right track, there is still a notable gap that needs addressing to ensure universal confidence in cybersecurity measures. These contrasting views underscore the importance of continuous evaluation and adaptation of security policies to align with the latest cybersecurity developments and threat landscapes. Strengthening these policies could not only address the concerns of those who feel underprotected but also enhance the overall security framework of organizations.
Profile of Our Security Awareness Training Survey Respondents
Our comprehensive survey on IT security awareness training drew responses from a diverse group of IT professionals, reflecting a wide range of roles, experience levels, and organizational sizes across various global regions.
Roles and Responsibilities
The majority of our respondents are deeply embedded in the IT sector, with 32.6% identifying as IT Professionals and 16% as System Administrators. Managed Service Providers (MSPs) constitute 13.2% of the participants, highlighting the involvement of external IT service firms in cybersecurity practices. Additionally, 10.4% hold other IT-related roles, while 9% have no control over IT operations. Notably, leadership positions such as CIO, CTO, and CISO are represented by 6.2% of the respondents, providing insights from the highest levels of IT strategy and governance.
Experience in the Field
Experience among participants varies widely, with 36.1% having between 1 and 5 years of experience, indicative of a young, evolving workforce in the IT field. Both the 21+ years and 6-10 years categories are represented by 19.4%, showing a significant contribution from highly experienced professionals. Those with 11 to 15 years and 16 to 20 years of experience make up 14.6% and 10.4%, respectively.
Organization Size
The survey predominantly features respondents from smaller organizations, with 51.4% coming from businesses with 1-50 employees. Medium-sized businesses with 51-200 employees make up 23.6%, followed by 9.7% from organizations housing 201 to 500 employees. Larger organizations are less represented, with 3.5% having 501-999 employees and 11.8% exceeding 1000 employees.
Geographical Distribution
Geographically, the majority of responses come from Europe (50%) and North America (42.4%), providing a strong representation of IT security perspectives from these regions. Asia, Australia, and Africa are also represented, albeit to a lesser extent, with 2.1%, 1.4%, and 0.7% of the responses, respectively.
