Among the many IT practices and procedures that may have fallen by the wayside in the chaotic transition to remote work in 2020, neglecting security awareness training has proved to be one of the biggest big problems. In this dangerous threat landscape, remote workers present a variety of complex challenges to IT teams when it comes to security, and untrained workers are a risk that endangers every defensive measure that they put in place. Companies that are looking at long-term or even permanent remote work support must make smart investments in security awareness training to mitigate the risk of trouble from unprepared remote workers.

Companies weren’t doing enough security awareness training as they needed to before the pandemic and that’s only gotten worse. In 2020, a survey of IT professionals showed that while over 95% of them said that their companies had security awareness training programs, only 30% of them said that employees had actually completed any training. That number has barely budged, even with the magnitude of cybersecurity risk becoming more apparent to business leaders in the wake of major incidents like Colonial Pipeline.  In their 2021 Data Security Report, GetApp reported that 31% of the companies they analyzed do not undertake security awareness training for employees even once per year.

Even when companies do run regular security awareness training, they’re not focusing on cyberattacks and cybercrime threats. Entrust’s “Securing the New Hybrid Workplace” report takes a deep dive into how businesses approach security awareness training and it’s not promising when considering risks like phishing and ransomware. Only 52% of the employees and business leaders. Surveyed said that their organizations do anti-phishing training. Those percentages drop sharply when looking at specific threats. Only 31% of employees and 36% of business leaders said that their organizations offer ransomware-focused security training, and only 26% of surveyed companies provided social engineering training for employees. Considering the risk, it’s stunning that 55% of companies don’t provide even basic email security training.

By comparison, the companies that are running security awareness training programs are focusing on other security topics like information handling and general security education. Common non-cybercrime-related training topics include modules that encourage compliance with industry regulations and company policies around security. These modules included best practices for securing company information (74% of both employees and leaders), digital security compliance (63% of employees, 70% of leaders), and overviews of the security tools used by the organization (51% of employees, 59% of leaders). While that type of security awareness training content is important and can teach employees some basic cybersecurity skills and best practices, it’s not enough to empower employees to act as a last line of defense against cyberattacks.

Those shortfalls are especially dangerous for companies that are supporting a remote or hybrid workforce. The most common way for a company to have a security incident is through the actions of an employee, whether they mean to act maliciously or not. Over 40% of workers in a remote workforce security survey reported that they had made mistakes resulting in cybersecurity repercussions for themselves or their company while working remotely.  More than 55% of workers admitted that they were frequently off-balance when working from home, leading to security blunders that could unleash expensive nightmares for their employers.

Source: ID Agent