The component of cybersecurity that organizations have the most control over is also the one they handle worst: people's behavior.
That finding comes from the sixth annual survey of how businesses adopt security awareness principles, conducted by the SANS Institute.
The report, titled '2021 Security Awareness Report', was released on Wednesday and was produced by SANS, the business name of the Escal Institute of Advanced Technologies.
The problems organizations deal with
The survey found that 75% of security awareness professionals spend less than half their working time on security awareness.
The report also found that responsibility for this communications-intensive task is often assigned to technical staff who are not equipped to explain security concepts in terms non-technical employees can understand.
The top challenges cited by the 1500 security awareness professionals who took the survey were a lack of time and a lack of personnel to make the program work. Some also cited resistance from financial and operational executives.
What does awareness do?
Security awareness is broader than a single course: it covers training, communication, and testing, all aimed at preventing the mistakes that can cripple an entire network. Numerous studies have found that human error, weak passwords, and careless clicking on unknown links are among the most common causes of incidents.
Lance Spitzner, the SANS Security Awareness Director and co-author of the report, said that on average an organization that does not do security awareness sees a 30% click rate on phishing emails. He asserted that a year into an awareness program, that rate drops to 2%.
The problem is that organizations do not see security awareness as essential to reducing risk; they treat it as an entry on a compliance checklist.