More than eight in 10 (83%) of 2,000 UK employees surveyed had not received cybersecurity training about deepfakes and AI; 60% had not been trained on how to ensure cybersecurity when working from home; and 51% had not been trained on how to avoid phishing scams.
Employers might be delegating the responsibility to provide cybersecurity training to IT teams, explained David James, chief learning officer at learning platform 360Learning.
Speaking to HR magazine, he said: "It may be deemed that established compliance training requirements are burdensome enough. A decision could be made to centralise responsibility to the IT security team rather than hold employees accountable.
"This is risky. Any organisation needs to assess their risks, understand cybersecurity in their context as well as the wider context, and help their workforce mitigate risks associated with their roles."
Another reason for the lack of cybersecurity training could be that HR is focusing on other priorities, suggested Martin Kraemer, KnowBe4's security awareness advocate.
“HR might have other priorities. Workplace safety and other mandatory compliance training must be completed,” he told HR magazine.
Analysis by law firm Nockolds, published on 15 May 2024, showed that breaches of employee data increased by 41% in 2023.
HR should prioritise cybersecurity training, Kraemer added, rather than relying on IT departments.
“HR must be involved. Cybersecurity training must be at least in the top three of their agenda. It is correct that training is the responsibility of HR. IT departments need to acknowledge that there are training experts who should help them, even if this is an information security issue and the temptation to run training out of the infosecurity department might be high.”
While 42% of employees had read and signed their cybersecurity policy, 15% of employees reported that their company did not have one.
Of those who had completed cybersecurity training (72%), 22% indicated that they don’t always follow cybersecurity advice as it is too complicated; 18% said that cybersecurity advice gets in the way of their job; and 14% said that it was not their job to keep work systems secure.
Matt Eustace, data protection officer at AI insights company Aiimi, told HR magazine that cybersecurity training should offer employees practical ways they can protect themselves from attacks.
He said: “Training sessions should cover what security threats (like phishing emails and fraudulent phone calls) can look and sound like, and how to respond. Offer password management tooling, too, to ensure that users have complex, hard-to-guess and unique passwords for each service that they use.
“Employers should also brief teams on specific cybersecurity policies. Ensure that teams understand what information can and can’t be shared in different contexts, and what technology can and can’t be used safely at work.”
Integrating training into daily roles would make it more accessible for employees, James added.
"Be aware that employees are busy focusing on their day jobs and wary of tasks that take them away from what they’re supposed to do. Meeting teams where they are and embedding learning into their workflows can make learning more successful.
"There are other strategies you can use, such as integrating training into roles and responsibilities and ensuring managers are allocating work time to training. Incentivise teams with rewards, including certificates and recognition, to drive the sense of satisfaction and achievement they will feel when completing training."
KnowBe4 commissioned OnePoll to survey 2,000 UK employees in Q2 of 2024. The UK Cybersecurity Practices at Work Report was published on 25 July.