The increase in hybrid or fully remote work environments as well as the COVID-19 information fatigued workforce have given rise to the need to effectively create and maintain a cyber-secure workforce and an engaged security culture, according to the latest SANS 2022 Security Awareness report.
“People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, SANS Security Awareness Director and co-author of the report.
“Humans rather than technology represent the greatest risk to organisations and the professionals who oversee security awareness programmes are the key to effectively managing that risk.”
According to SANS, the report establishes updated global benchmarks for how organisations manage their human risk and provides actionable steps to making improvements with key metrics in the Security Awareness Maturity Model Indicators Matrix to measure progress.
“Awareness programmes enable security teams to effectively manage their human risk by changing how people think about cybersecurity and help them exhibit secure behaviours, from the Board of Directors on down,” said Spitzner.
“This report enables security awareness professionals to make data-driven decisions on how to best secure their workforce and speak to leadership about risk in a compelling way that demonstrates value and support for their strategic priorities.”
The SANS report revealed that more than 69 percent of security awareness professionals are spending less than half their time on security awareness. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
The three top reported challenges for building a mature awareness programme were all related to a lack of time: specifically lack of time for project management, limits on training time to engage employees, and a lack of staffing.
SANS also highlighted how the pandemic impacted organisations. The top two reported impacts were the challenge of a more distracted and overwhelmed workforce and a working environment where human-based cyber-attacks have become more frequent and effective.
Consistent across all global regions is that current programmes’ most common maturity levels are compliance-focused and awareness/behaviour change.
Finally, SANS found that respondents believe that strong leadership support, increased team size, and a higher training frequency topped the charts as key enablers to programme success.
“The most mature security awareness programmes not only change their workforce’s behaviour and culture but also measure and demonstrate their value to leadership via a metrics framework,” said Spitzner.
“Organisations can no longer justify an annual training to check the compliance box, and it remains critical for organisations to dedicate enough personnel, resources, and tools to manage their human risk effectively.”
