Training & Awareness

KEY FINDING: Lines of business and corporate counsel are most accountable for ensuring mandatory cybersecurity training is conducted by organizations.
Forty-seven percent of respondents say it is critical to have a comprehensive cybersecurity awareness training program that educates all technology users to recognize attack vectors and to reduce, prevent, and respond to cybersecurity incidents. However, fewer than half (48 percent) of respondents say their organizations require cybersecurity training for the workforce that uses technology. As shown below, 42 percent say lines of business are most accountable, followed by corporate counsel/compliance (35 percent). Only 28 percent say information security or information technology is most accountable.

Which functions are most accountable for ensuring mandatory cybersecurity training is conducted by your organization?

KEY FINDING: Mandatory cybersecurity training is inconsistent.
As shown below, many respondents say training is ad hoc (40 percent), only upon joining the organization (40 percent), or only when the organization has a security incident (32 percent).

When are employees required to take cybersecurity training?

KEY FINDING: With its increase, remote work is the top threat covered in cybersecurity training.
The data below presents the topics typically covered in a training program for technology users. Due to concerns about a remote workforce, 60 percent of respondents say their organizations provide training on this topic. As discussed previously, credential theft and phishing are considered serious threats, and these are among the top three threats covered in a training program.

Which of the following threats does your training program cover?