Research uncovers a distinct gap in workplace cybersecurity prioritisation
A recent survey of 1000 office workers conducted by CybSafe has laid bare the stark reality of cybersecurity's position on the workplace priority ladder. The findings indicate a disconnect between the perceived importance of cybersecurity training and the prioritisation of daily work tasks.
Everyday Tasks Trump Cybersecurity
The research found a substantial number of employees undervalue cybersecurity training. An astonishing 66 per cent of respondents flagged completing daily tasks as more crucial than cybersecurity. Tasks being prioritised above cybersecurity training include:
- Monthly targets (41%)
- Manager-assigned tasks (52%)
- Catching up on emails (31%)
As cybersecurity threats increase, with ICO data showing a significant 157 per cent increase in cyber incidents from Q2 2022 to Q2 2023, these figures raise questions about the importance being placed on cybersecurity and the potential vulnerabilities arising from its sidelining.
Preference for Convenience Over Financial Incentives
The survey revealed a notable trend in employee engagement with cybersecurity training. Contrary to expectations, financial rewards were not considered to be the biggest motivator. Instead, practical adjustments to the training approach gained more interest. A significant 64 per cent of those surveyed advocated for allocated time within their work schedules to undertake cybersecurity training. Additionally, 43 per cent expressed a desire for training to be more engaging and interactive, reflecting a need for dynamic and compelling experiences. This points to a workforce that values the integration of training into their routine over extrinsic rewards.
The growing desire for "bite-sized training at the point of need," such as nudges and alerts, further underscores the workforce's inclination towards convenience and relevance over monetary rewards. The statistics suggest people don’t need to benefit individually to be engaged: they care about collective responsibility and want to be part of the solution, but must be given the content and time to be effective.
In the digital age, our approach to consuming information has fundamentally shifted, a change that extends into how we engage with cybersecurity training. The concept of 'information snacking'—briefly skimming content without fully grasping it—is prevalent in today's fast-paced, distraction-rich online environment. This 'webbed attention,' the constant pull of diversions on the internet, challenges our ability to concentrate on detailed information for long periods. These trends have significant implications for cybersecurity awareness, where understanding and vigilance are critical.
"Information habits have evolved; we're seeing a pattern where the luxury of undivided attention is rare," notes Dr Jason Nurse, Director of Science and Research at CybSafe. "Consequently, cybersecurity training needs to adapt to this new reality. It must become more succinct, direct, and engaging to cut through the noise and resonate with employees who are accustomed to this 'information snacking' culture. This perspective underscores the necessity for a reimagined approach to cybersecurity education—one that aligns with our transformed patterns of attention and one that meets us where we need it."
Timing and Method of Training
Employees showed a clear preference for how and when they receive cybersecurity training. Video content and interactive sessions topped the list, hinting at a workforce that is visually oriented and yearning for a hands-on approach to learning about cybersecurity.
The frequency of training also emerged as a significant factor. The once-a-year training model, still commonplace in many organisations, was closely followed by the 29 per cent who reported receiving training quarterly and the 13 per cent who had training semi-quarterly, suggesting a need for more consistent engagement strategies. 11 per cent of respondents have training as frequently as monthly, further suggesting a move to a more regular, ‘snackable’ approach.
In light of these insights, organisations are urged to reassess their cybersecurity training approaches, integrating them more closely with employees' daily workflows and adopting methods that promote consistent engagement.
Dr Jason Nurse, Director of Science and Research at CybSafe, said: “It is becoming increasingly apparent that the importance of cybersecurity for many businesses is either underappreciated or is not being communicated effectively to the average worker. The statistics are quite clear - cyber training is simply viewed as another item on the to-do list that often gets kicked down the road. If leaders want their people to take online security seriously, it must come from the top.
“For quite some time, we have agreed that the ‘one and done’ approach to cyber security awareness isn’t effective in driving cultural change. The truth is that it is often seen as a chore for people with already busy schedules. People instead want designated time to complete their training and content that is short and engaging. With cyber threats becoming ever more sophisticated, the onus is on employers to craft training programs that are not only informative but also intrinsically compelling to the modern worker.”