I never thought I’d quote Lady Gaga, but when it comes to things being said about security and privacy awareness, she pretty much nailed it with this line: “I’m telling you a lie in a vicious effort that you will repeat my lie over and over until it becomes true.”
We’ve been in the security and privacy awareness business for a while now, and we’ve heard our fair share of misconceptions and outright lies. We don’t necessarily believe these lies are told with malicious intent, mind you. Rather, we see them as lies organizations tell themselves over and over to justify a lack of investment in awareness training.
Either way, we’re here to help you sort out fact from fiction. Here are five lies about training that we straighten out every day:
1. Training isn’t necessary—our technology provides all the information security we need.
That’s music to the ears of cyber criminals who have learned that they can circumvent every one of those technology-based defenses by zooming right in on much softer targets: your untrained people. A recent spear-phishing survey found that 84% of respondents experienced spear phishing attacks that penetrated their technical security solutions, such as anti-malware software. Technology is just one piece of the puzzle.
2. Training is an expense we can do without.
Is security awareness training an optional expense? Sure, it is! But only if you don’t care about the many consequential expenses that arise when you treat it as an option, like steep noncompliance penalties or the cost to replace all the customers that fled because you failed to keep their data safe. Case in point: a 2015 Vormetric Security report found that 84% of Americans surveyed would change their shopping habits if their favorite store was hit by a data breach. Suddenly a proper security awareness program sounds like a real bargain.
3. Training is not effective at changing behavior.
That may be true of awareness courses that are designed only to check the compliance box. Those have always been worthless. But it is certainly not true of competently produced training built upon the principles of adult learning—and designed specifically to produce real and measurable behavior change. Not all security awareness programs are created equal.
4. Only big companies need awareness training.
Tell that to the growing number of small and medium-sized businesses that have just been hacked. According to a Symantec report, 50% of attacks were perpetrated on companies with fewer than 2,500 employees, with 18% of attacks focused on organizations with fewer than 250 employees. Cyber criminals know that smaller companies are a whole lot less defended than the big ones. If yours is a small or medium-sized business, it could be that your organization is already in their sights.
5. The basic annual compliance training is really all you need.
Right. And cyber criminals update their tactics only once a year. Not! Again, if all you care about is checking a compliance box, then run with that. But if your objective is to preserve shareholder value and maintain customer trust, then you’ll need to continually reinforce the security awareness mantra and stay on top of new and emerging business threats. And that’s the truth of the matter.
To paraphrase a famous writer, a lie can make it all the way around the world while the truth is still putting on its shoes. When it comes to awareness training programs, make sure you know the truth.
Want to see how MediaPRO’s Adaptive Awareness Framework can help you meet your awareness training goals? Request a demo below or contact us for more information.