Security awareness training not alleviating breach risk, survey finds

Human Risk Management (HRM) platform CultureAI has unveiled new research showing that, despite companies pouring increasing resources into their security awareness and training (SA&T) programmes, human-related breaches are still happening at an alarming rate.

According to the survey, 96% of respondents allocate between 5% and 20% of their security budgets to awareness training, while 78% train employees at least monthly.

Surveyed organisations said the leading motivation for delivering training is to change behaviours and equip employees to handle risks (51%), followed by compliance (25%) and breach prevention (24%). But regardless of the objective behind the training, 79% of surveyed organisations suffered a cyber breach due to human error in the last 12 months, with 34% experiencing multiple breaches.

Employees face an increasing range and volume of risks as they go about their daily tasks, with the widespread and increasing adoption of SaaS, GenAI, and collaboration tools creating more vulnerabilities for cyber criminals to exploit.

There is a notable correlation between the number of HRM capabilities utilised and the incidence of human factor-related breaches over the past year. Specifically, 91% of organisations with only one capability experienced a breach, compared to 70% of those employing four.

When examining the respondents who reported no data breaches, the research found a preference for more technical HRM capabilities. The most popular choices were human risk triage (45%), coaching based on risk levels (37%), nudges triggered by risks (37%), and automated interventions (32%).

63% of respondents currently spend 5% to 10% of their security budget on training, with another 33% reporting that they spend 11% to 20%. This is more than anticipated, as in 2023 Gartner reported that 60% of teams spend 5% or less on awareness activities, including people, processes and technology.

Says John Scott, Lead Security Researcher at CultureAI:

“Human error is inevitable, but it’s not a moral failing. We all make mistakes. Unfortunately, these mistakes can be catastrophic for organisations. It’s a challenge that every business must grapple with, and the research serves to demonstrate the prevalence of human-related breaches, even as companies invest more time and resources into security awareness and training programmes.”


Chris Price
For latest tech stories go to TechDigest.tv