Is Security Awareness Training a Worthy Investment?

By: ryan c

June 2, 2015

Over the past few years, the news has been full of stories detailing how large corporations put the security information of tens of thousands of their clients at risk. More often than not, these risks came as the result of low-level employees doing things that compromised the cyber security of large multi-million-dollar corporations. In an effort to combat security breaches, more and more companies are paying to provide their employees with security awareness training. However, there is some debate as to whether security awareness training is really worth the cost.

Security Awareness Training: A Taboo Subject

In the world of security professionals, there are three topics that are to be avoided at all costs. These topics are religion, politics, and security awareness training. The reluctance to discuss security awareness training does not stem from the fact that the training does not work. In fact, according to statistics released in 2014 in a US cyber crime survey by PricewaterhouseCoopers, more than 40 percent of individuals who participated in the survey said that they believed security education and awareness training played a role in preventing potential cyber attacks.

On the financial side, the numbers are staggering. A recent report showed that companies that had their new employees go through security awareness training saved on average $500,000 annually in security-related financial losses as opposed to companies that did not have their employees engage in this training.

Security Awareness Training Is Not a Miracle Cure

Security professionals understand the benefit of security awareness training. However, they emphasize that these benefits will only come if the awareness training is part of a comprehensive security plan. End users need to understand the vital role they play in protecting their business's data. Training employees on cyber security and ensuring that cyber security techniques are enforced within an organizational infrastructure ranked among the top five things that businesses could do to protect their data.

However, many high-profile security experts doubt the overall effectiveness of this training. Some even view it as a waste of time. Why? Because at the end of the day, the end user is not a security expert. They do not have the training or the know-how to keep ahead of potential security threats, and it is not reasonable to expect them to do so. For some security experts, increased focus on awareness training detracts from larger issues such as software failures, poorly designed security software, and failure of technical controls.

How Much Training Is Enough?

Most large corporations understand that some form of awareness training is needed. In many industries, employees are required to receive some form of security awareness training. The question that must be answered, though, is how much training is sufficient to provide the necessary protection. This question becomes more relevant in light of multiple data breaches that have occurred in recent months.

A CEO of a security software company said, “It is weird that we are saying ‘don’t click’ to users.” In other words, his argument is that users should be allowed to do whatever they need to do in order to complete the task without restrictions being placed on them out of concerns for a company's security. He feels that it is the IT department’s job to create technical controls designed to protect a business and its employees from cyber crime.

On the other side of the coin, there are security experts who argue that employees are not stupid. They are intelligent enough to accept a share of the responsibility for keeping their company’s data secure. At the end of the day, employees should be working in harmony with their employer to protect and to represent the company’s strategic goals. This means that when they do work at home, when they navigate social media, and when they do anything else related to work, they should do it in a way that protects their employer’s interest.

Everyone agrees that protecting a company’s sensitive intellectual property and customer data is a collaborative effort. Users need to be trained on potential threats that could put their employer’s data at risk. At the same time, businesses must take proactive steps to create firewalls and other defenses that protect their systems.