Evolving Role of HR in Cybersecurity Training in Businesses

In the ever-evolving landscape of cybersecurity, one significant shift is the increasing involvement of Human Resources (HR) departments in the realm of cybersecurity training. A decade ago, HR was blissfully divorced from cybersecurity responsibilities, but today, it plays a pivotal role in shaping a resilient defense against cyber threats.

Security awareness training, once an obscure niche, has emerged as a substantial industry. According to Cybersecurity Ventures, the market for security awareness training is valued at $5.6 billion in 2023 and is anticipated to nearly double to over $10 billion by 2027. The driving force behind this surge is the relentless onslaught of phishing campaigns by cybercriminals.

The annual Verizon Data Breach Investigations Report (DBIR) revealed that a staggering 74 percent of data breaches involve a human element, with phishing being a predominant attack vector. Of these social engineering attacks, 50 percent involve pretexting, emphasizing the importance of understanding the human factor in cybersecurity.

The Human Firewall Concept

To combat the human vulnerability exploited by cybercriminals, companies are now investing in the creation of a “human firewall.” This entails educating employees to recognize and thwart phishing scams. HR has become the linchpin in this endeavor, conducting training during onboarding and implementing regular, often quarterly, training modules to maintain vigilance against phishing threats. The training covers various aspects of cyber-hygiene, including password policies and breaking bad password habits.

“The idea behind awareness training is, ‘Change everyone’s reflexes,’” notes Jamal Bihya, an analyst at GigaOM in San Francisco. The goal is to instill a reflexive caution in employees, making them less susceptible to phishing attempts.

The Evolution of Security Awareness Training

Security awareness training has undergone a transformation, incorporating adult learning principles and utilizing multimedia elements. Rather than relying solely on text, training modules now feature audio and visual elements, showcasing scenarios of both good and bad cybersecurity behavior.

Erich Kron, a security awareness advocate at KnowBe4, stresses the importance of behavioral change in training programs. He recommends a shift from traditional annual training sessions to shorter, more frequent sessions with a targeted approach. Automation of training assignments and positive messaging can enhance program effectiveness.

Innovations in Training Approaches

Recent advancements include the use of AI to tailor training content based on individual weaknesses and the introduction of point-of-failure training for real-time guidance. This approach helps employees understand the implications of their actions and reinforces the purpose of security controls.

Kron envisions security awareness blending into broader safety programs, akin to traditional safety campaigns, addressing digital dangers with visible campaigns and signage. This holistic approach aims to create a culture of cybersecurity awareness comparable to the longstanding emphasis on physical safety.

As the threat landscape continues to evolve, HR’s role in cybersecurity training becomes increasingly crucial. The collaboration between HR and cybersecurity teams signifies a proactive approach in safeguarding businesses against the ever-present danger of cyber threats.
