If you were to ask a number of IT pros whether or not they think security awareness training is effective at reducing human risk, you'd probably get a mixed response...
“Ours worked a treat, the team has really taken to the training”
“We tried it, but our users kept getting phished anyway”
“It’s early days yet but the signs are good!”
The problem is that anecdotes like these don't give your business a clear picture of how effective this type of training can be, what is working well, or what the overall return on investment (ROI) is.
So, in this post, we'll guide you through:
The effectiveness and ROI for security awareness training can vary based on a number of factors — including format, channels and frequency.
But, if done right, employee training can be a highly successful way of reducing human error, improving everyday security behaviour and meeting key regulatory compliance standards.
In a recent study, 80% of organisations said that security awareness training had reduced their staff's susceptibility to phishing attacks. That reduction doesn't happen overnight, but it can happen fast — regular training has been shown to reduce risk from 60% to 10% within the first 12 months.
Even the least effective training programs have a seven-fold ROI, and the average performing program results in a 37-fold return on investment.
Ponemon Institute
The graph below gives a visual insight into one study that measured how staff were able to recognise threats before and after training:
As this shows, security awareness training makes staff much more capable of identifying potential cyber threats.
For a more rigorous view of ROI, Osterman Research has produced one of the most widely cited cost and ROI models developed for security awareness training.
Their study showed that, on average, smaller businesses (under 1,000 employees) can achieve an ROI of 69% from a security awareness training program, while larger companies (1,000+ employees) can achieve an ROI of 562%.
The caveat is that the report rests on a range of assumptions (which you can check out in more detail here), including operating costs and the potential loss of customers and revenue, all of which vary from business to business.
But don't get too lost in the data. The key point is — training does work.
To make your employees' training as effective as possible, there are a number of key ingredients that you need to include:
According to USENIX, employees start to forget their training after four months, so delivering regular awareness sessions is key to keeping the information fresh in their minds.
As seen in the report above, many businesses are opting to train staff on a monthly basis for exactly this reason.
This may sound like a lot, but this type of training is often delivered as bite-sized, computer-based training (CBT) courses to avoid learning fatigue and any hit to productivity.
Rather than broadcasting a checklist of points during a PowerPoint presentation, try to deliver more memorable video and interactive computer-based training courses.
Here's a quick example training video that is taken from usecure's security awareness platform, uLearn:
It's easy to think that training staff on how to spot a phishing attack is enough to reduce human risk, but narrowly focusing on a select few topics leaves the door wide open for human error and successful attacks.
Your employees' ongoing training should cover a wide variety of behavioural tips, attack techniques and compliance standards. Check out usecure's top 12 security awareness training topics.
So you've trained your staff on how to spot a phishing attack? That's great, but how will they react when a fraudulent email from finance actually drops into their inbox, asking them to pay an invoice 'asap'?
By running employee phishing simulations, you can detect which employees would fall for a real-world attack, giving your business the chance to proactively educate them on what they missed.
It's important to measure the impact of training so that your business can a) report on whether your approach is working and b) have a bird's-eye view of any potential human risk areas.
Running a quick quiz at the end of each training session is a good way of understanding what each person has learned.
With uLearn, each employee is quizzed straight after their course; their results are saved to their individual profile and also contribute to the business's overall human risk score.
The bare essentials of any effective security awareness training program come down to training staff frequently, using engaging material, covering the essentials and measuring the ongoing impact.
But finding the time and budget to plan, deliver and manage this type of training can seem like a pretty big drain on resources for IT and the business as a whole.
That's why we've put together a complete guide to security awareness training to help you launch cost-effective and admin-lite security awareness training from day one.
Grab the free guide today: