SANS annual security awareness report finds that more than half of enterprise initiatives are unfocused.


Human Risk Still Going Unaddressed by Most Organizations

“You Had One Job!”

Organizations are failing to control the one thing they can control: employee behavior. Of course, there will never be 100% compliance, no matter what the threat or circumstance. But they’ll have more control over employee behavior than they will over hackers or the stability of the technology they’re using.

“Awareness continues to be a part-time effort, which is why so many organizations are struggling to secure employee behaviors and ultimately manage human risk effectively,” says Lance Spitzner, SANS Security Awareness Director.

The SANS annual security awareness report revealed that enterprise initiatives to minimize “human risk” are merely half-hearted. For example, 75% of the security awareness training professionals surveyed said they spend less than half their efforts on human risk. Falling for phishing scams and using unprotected systems are two risky behaviors that make employees an apparent threat to security.

Human Solutions for a Human Problem


The human risk factor remains primarily neglected, whether due to time constraints, a lack of personnel, or an inefficient delegation of duties. As a result, organizations have consistently put their money and energy towards technical expertise when building their security awareness programs instead of addressing human errors. 

“Roughly 10% of organizations out there–represented by our respondents–have someone dedicated full-time,” reports Spitzner.

Organizations that are making progress in changing employee behaviors with their program are dedicating as many as 3.5 full-time employees. However, most organizations are not dedicating full-time staff of any size. The SANS survey also showed that persons in IT or security would usually head up security awareness programs on top of their other responsibilities.

Keep It Simple Security!

SANS also polled respondents to find out their backgrounds before working in security awareness. Most came from an information security or information technology background, and fewer than 20% had a non-technical background such as marketing, communications, or human resources. Technical expertise is vital for any security awareness role, but overly technical trainers can make a security awareness program hard to digest. Organizations run the risk of alienating or confusing staff who lack that knowledge.

“Human risk is a people problem, so it takes a human solution to address it,” adds Spitzner.

Grabbing the closest employee with the most extensive background in cybersecurity may be convenient, but it won’t address the human risk. The ideal security awareness trainer needs strong skills in helping others, communicating, and partnering with other teams.

What’s In a Name?


It even matters what you title this position. Usually, this role will be given a title that emphasizes “awareness,” “training,” and “engagement.” Instead, the title should focus on the ‘why’ of the program. For instance, “human risk officer” centers everyone’s attention on human behavior while aligning with strategic security priorities.

SANS also reports that some departments, such as Information Security and IT teams, are more receptive to security awareness initiatives. Ironically, the most resistance seems to come from operations groups and finance teams. However, cautionary tales of other organizations’ security breaches should encourage every department to adopt safeguarding practices.

A cyber attack is as much a threat to an organization’s borders as any intrusion across a physical boundary. Everyone can stand to learn how to better protect their information from one.
