The study found that properly implemented awareness training programs move the needle on enterprise risk where technology alone cannot. As many as 87% of study participants stated that effective IT security is not possible without employee training. However, challenges remain, including gaining user acceptance and a lack of resources for increasing awareness efforts.
Cybersecurity Awareness as a ‘Firewall’
While 58% of the companies surveyed have security awareness policies in place, only 42% actively engage employees in these efforts with tools such as a Phishing Incident Button. This is worth noting because this type of interaction builds a “human firewall” inside enterprises, empowering employees to report threats quickly and building a strong security culture.
Additionally, just 20% of survey participants reported conducting more than seven phishing simulations per year and only 67% invest up to 12 hours per year in awareness training. In fact, one-fifth of participants conduct only one training course per year and just under a quarter reported conducting two courses. Six percent of those surveyed said they do without training altogether.
The most common training topics focused on phishing awareness (28.1%), password safety (13.3%), social engineering (9.4%) and malware (7.0%).
Awareness Maturity Increases, but Room for Improvement
Researchers did find increased maturity in cybersecurity awareness programs, with 58% of participants reporting that they have an awareness policy in place, including mission statements, policies and metrics. A majority (65%) of those surveyed believe cybersecurity awareness programs still need to expand.
The 2022 Global Cybersecurity Awareness Training Study by ThriveDX Enterprise surveyed 1900+ CISOs, security leaders and IT professionals to better understand the benefits of cybersecurity awareness training, in particular phishing simulations, and how employee awareness is taking hold to make enterprises safer.