Despite the rising proliferation of the ransomware-as-a-service industry and sophisticated attack methods being adopted by nation state actors, human error remains the biggest threat to an organization’s cybersecurity. That means security awareness has never been more important, according to the SANS Institute’s 2022 Security Awareness Report.
The Maryland-based cybersecurity training organization’s report found that phishing, ransomware and business email compromise—three threats all associated with some level of social engineering and human error—are the top three security risks cited by cybersecurity professionals.
“People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, SANS security awareness director and co-author of the report, in a statement. “Humans rather than technology represent the greatest risk to organizations and the professionals who oversee security awareness programs are the key to effectively managing that risk.”
The report, based on an analysis of data from more than 1,000 global security awareness professionals, points the blame at those very professionals: more than 69% of them spend less than half of their time on security awareness, and just 18% support awareness programs full time. The SANS Institute defines a full-time security awareness professional as someone who spends at least 70% of their time on security awareness.
Instead, those security awareness responsibilities are being assigned to technical staff, often existing members of the IT team, who lack the soft skills needed to communicate the importance of cybersecurity in layman's terms.
Another issue impacting security awareness is the disparity in compensation between full-time security awareness professionals and IT staff who are taking on additional awareness responsibilities. According to the study, the average U.S. salary for a full-time security awareness employee was $86,626, while those who are tasked with awareness responsibilities in addition to their technical job averaged $117,584.
According to SANS Institute, the problem here is perceived value.
“Too often, security awareness professionals are perceived as being in the ‘entertainment business’ because they talk exclusively about engaging and training the workforce,” the organization says in the report. “But this overlooks the fact that security awareness professionals are not just in the business of changing human behavior; ultimately they are key to managing human risk.”
What the SANS Institute says technical and non-technical staff should do
For technical professionals tasked with their organization’s security awareness program, the SANS Institute suggests partnering with others in the organization to help craft and distribute their message.
Cybersecurity can be complex and confusing to non-IT staff, so awareness professionals should either ask communication professionals in their marketing or public relations department for help or acquire the appropriate skills themselves to engage with the workforce more effectively.
To address the disparity in compensation, SANS Institute suggests demonstrating how awareness and training can change key behaviors that lead to human error, such as clicking links or opening attachments from suspicious emails.
In addition, security awareness pros should work with the IT and security teams to expand their role to include helping manage rollouts of security tools and policies, and partner with senior leadership to build buy-in.
While security awareness professionals should have better soft skills than IT professionals, they still need a working knowledge of cybersecurity fundamentals, according to the report.