At first it looks like good news that 85 percent of +1000 organizations do have some kind of cybersecurity programme in place. It’s a clear sign that management across industries acknowledges not only the increasing number of cyberthreats but, more importantly, the need to build security. According to the Immersive Labs report, strengthening cyber capabilities “tops the list of strategic priorities for organizations in 2023, with increasing the cyber resilience of cybersecurity team members (83%) and the general workforce (75%) identified as the two highest overall focus areas.”
The problem is that most of these programmes don’t seem to be working. According to the report, almost all organizations encourage industry certifications, but only 32 percent say they are effective at mitigating cyber threats.
One of the key elements in creating a resilient security culture is awareness. For us at Junglemap, providing distributed cybersecurity awareness training all year round, the survey results don’t come as a surprise: “Classroom training is offered too infrequently to be effective, with only 27 percent of respondents indicating they are receiving monthly training.”
Which of course is the reason that “almost half of respondents (46%) say their employees would not know what to do if they received a phishing email, despite years of security awareness training and phishing tests.”
To me, these numbers state the obvious: organizations need to rethink the scope of their cybersecurity awareness training. Ad hoc classroom trainings or traditional e-learning simply don’t create awareness.
But NanoLearning does.
Built on the three simple but important learning principles of repetition, reflection and reinforcement, our NanoLearning courses consist of 3-minute lessons distributed to all employees, every third week – all year round. This bite-sized format ensures that the training is taking place, the frequency allows the important spacing effect, and the content is designed to create reflection and retrieval practice.
Measurable effects
Not even well-designed awareness training is a guarantee against being affected by cyberattacks. What we guarantee is that the effects can be measured. And according to the Immersive Labs report, this is also something that many organizations struggle with:
“Almost half (46%) of senior security and senior risk leaders say they do not have the metrics they need to fully demonstrate their workforce’s resilience in the face of a cyberattack.”
An important part of creating cybersecurity awareness with Junglemap is that management at all levels is able to follow up on the training. This is why we include dynamic real-time management reports in our plans. And we know that this is highly appreciated and well used in many organizations. Getting rid of the FOFO (Fear Of Finding Out) and actually dealing with challenges based on clear metrics is the best way forward.
So how should we view the importance of certifications and compliance? As supply chain security becomes even more important in order to create security, we see many SMEs struggling to show that they are doing their cybersecurity homework.
And of course it is important to have transparent certificates that really show that your organization has its cybersecurity awareness in place, but when it comes to a thing like awareness – the certificates issued should confirm that you are in an ongoing process. Not that you did something in the past.
Gustav Berghog
Group CEO Junglemap