Cybersecurity awareness programmes are beginning to gain ground among businesses. However, many of the professionals responsible for implementing them are challenged by a lack of time, budget and resources, according to a recent report.
SANS Security Awareness’ 2018 Security Awareness Report, “Building Successful Security Awareness Programs,” also highlighted a clear correlation between the level of support the organisation’s leadership gives to security awareness and the maturity of the programme within the organisation.
“In light of recent large breaches such as those suffered by Equifax, Yahoo!, and the WannaCry ransomware attack on the NHS, and with new regulations like the EU General Data Protection Regulation throwing data protection into sharp focus, there’s a new sense of urgency around cyber security that’s stimulating both support and change,” said Lance Spitzner, Director, SANS Security Awareness.
“Security awareness can be challenging, but it’s necessary, and it’s worth the effort,” he added.
Conducted with researchers from The Kogod Cybersecurity Governance Center (KCGC), an initiative at American University’s Kogod School of Business (KSB), the survey also found that the defence industry is the most mature, with over 10 percent reporting at the highest stage in the Security Awareness Maturity Module, and that the manufacturing industry is the least mature, at only two percent.
It also noted that the Finance and Operations departments are the largest blockers to building or maturing a security awareness programme.
Furthermore, the majority of awareness professionals come from a technical background, with less than 20 percent coming from non-technical fields such as communications, marketing, legal or HR.
“The report reveals that a clear majority (80 percent) of security awareness professionals see their awareness programme activity as being only a portion of their overall job responsibilities,” says Dan DeBeaubien, Product Director for SANS Security Awareness. “Many claim to have no budget for an awareness programme or to not know what their budget is, and most lack the skills or background required to effectively communicate the programme to and engage with the workforce.”
For more detailed analysis and recommended action on improving security awareness, you can download the SANS 2018 Security Awareness Report here.