Lack of employee training contributes to failed security awareness programs; SANS
The report highlighted four areas organisations need to focus on to improve the effectiveness of their awareness campaigns
A report has found that too little time dedicated to employee training and a lack of communication skills are key reasons why cyber security awareness programs fail to meet their objectives.
SANS Institute released its 'SANS 2017 Security Awareness' report and found that women are twice as likely as men to be dedicated to such programs.
According to the researchers, there are four areas on which organisations must focus: human resource allocation, partnerships, hiring of dedicated professionals and fostering security ambassadors.
Ned Baltagi, managing director, Middle East & Africa at SANS, said: "There is no doubt that awareness programs play a vital role in strengthening IT security. While Middle East organisations are doubling down on their security investments, the challenges cannot be solved by technology alone.
"The behaviour of end-users, most commonly unintentionally malicious, is often the root cause of data breaches, which is why SANS has worked to pinpoint the shortcomings of security awareness programs and provide enterprises with a clear outline for how they can overcome these."
The report further adds that, surprisingly, budget restraints were not cited; instead, the biggest challenge is time, as over 75% of security professionals spend just 25% of their time on awareness. Furthermore, 30.23% said that the lack of communication and employee engagement are other hurdles: while 80% of security awareness professionals have technical backgrounds, only 8% possess soft skills backgrounds, such as communications, training and marketing.
"Organisations should strategically leverage their budgets to hire resources who will get their awareness programs off and running. They should also identify and empower awareness ambassadors - employees who are committed to security initiatives and push their colleagues to do the same - as a cost-effective means to raise the entire organisation's security posture," concluded Baltagi.