- Seventy-nine percent of surveyed organisations reported a human-related data breach in the last 12 months, even though 100% reported undertaking security awareness training
- Seventy–nine percent of organisations reported having at least one breach, whether they undertook security awareness training twice a week, or once a month
- Ninety-four percent of respondents are now turning to Human Risk Management (HRM) tools to help mitigate these risks
London, UK. 9th October 2024: Leading Human Risk Management Platform, CultureAI, today unveiled new research that revealed companies are pouring an increasing number of resources into their security awareness and training (SA&T) programmes. 96% of respondents allocate between 5% to 20% of their security budgets to awareness training. While 78% train employees at least monthly. Yet, it was found that human-related breaches are still happening at an alarming rate.
Surveyed organisations said the leading motivation for delivering training is to change behaviours and equip employees to handle risks (51%), followed by compliance (25%) and breach prevention (24%). But regardless of the objective behind the training, 79% of surveyed organisations suffered a cyber breach due to human error in the last 12 months, with 34% experiencing multiple breaches.
The study was conducted by independent research company, Opinion Matters, and surveyed 200 UK-based cyber security teams at organisations with over 1000 employees. This forms the basis for CultureAI’s ‘Time to Adapt: The State of Human Risk Management in 2024’ report which examines how far training can go in improving behaviours and reducing risks, evaluating whether investments of time and money offer substantial returns or if resources could be more effectively allocated elsewhere.
Human risk demands attention, and training alone isn’t enough
Employees face an increasing range and volume of risks as they go about their daily tasks; with the widespread and increasing adoption of SaaS, GenAI, and collaboration tools creating more vulnerabilities for cyber criminals to exploit. As the threat landscape evolves, so must defences.
Despite significant investments in training, human-related breaches remain commonplace. 79% of organisations reported having at least one breach, whether they trained twice a week, or once a month. While training is required for compliance reasons, the findings suggest that spending extra time, resources, and customisation on training, will not necessarily deliver the results hoped for.
Organisations need to take a proactive stance, embracing innovative interventions and technologies that help accurately quantify and manage the risks caused by and affecting employees.
Security teams are driving down risk with human risk management
Companies are beginning to adopt HRM solutions at scale. With 94% of surveyed organisations using at least one HRM capability. Yet there is still room for growth, as only 22% of respondents were using three or more different capabilities.
There is a notable correlation between the number of HRM capabilities utilised and the incidence of human factor-related breaches over the past year. Specifically, 91% of organisations with only one capability experienced a breach, compared to 70% of those employing four.
When examining the respondents who reported no data breaches, the research found a preference for more technical HRM capabilities. The most popular choices were human risk triage (45%), coaching based on risk levels (37%), nudges triggered by risks (37%), and automated interventions (32%).
Shifting investment from SA&T to HRM
63% of respondents currently spend 5% to 10% of their security budget on training with another 33% reporting that they spend 11% to 20%. This is more than anticipated, as in 2023 Gartner reported 60% of teams spend 5% or less on awareness activities, including people, processes and technology1.
However, among those spending 11 to 20% on training, 80% experienced a security breach in the past year. This suggests that allocating up to 20% of the budget to training alone might be a missed opportunity. While training has a place, it has limits. Instead of investing in single-focus platforms, it could be better to invest in a more comprehensive HRM platform. Leveraging data from a range of technology and security tools, to provide real-time visibility into potential risks and automate risk response.
John Scott, Lead Security Researcher at CultureAI, comments on the survey findings: “Human error is inevitable, but it’s not a moral failing. We all make mistakes. Unfortunately, these mistakes can be catastrophic for organisations. It’s a challenge that every business must grapple with, and the research serves to demonstrate the prevalence of human-related breaches, even as companies invest more time and resources into security awareness and training programmes.”
“Training can go some way to address gaps in knowledge, but cyber criminals exploit gaps in attention and perception to achieve their goals. Effective use of technical interventions and nudges can help close those gaps. But human risk management isn’t just a shift in technology, it’s a complete change of mindset, and one that is desperately needed. Enabling companies to adapt to the new normal.”
To read the full research report, please click here.
About CultureAI
The innovative CultureAI Human Risk Management Platform empowers security teams to instantly identify workforce security risks, coach employees in the moment, and automate fixes. They recognise employees make mistakes, bypass security protocols, and are targeted by social engineering attacks – all of which can result in devastating data breaches.
Whether organisations want to enhance resilience against phishing, improve SaaS security, reduce data loss through generative AI, or ensure compliance with personalised security coaching. CultureAI’s comprehensive platform encompasses multiple solutions which enables businesses to effectively quantify and manage the risks caused by and affecting humans.
Trusted by leading organisations globally, CultureAI is a UK-based company with offices in Manchester and London. Learn more at http://www.culture.ai or on LinkedIn.
About Opinion Matters
Opinion Matters is an award-winning insight agency. Their consultants create bespoke market research solutions for businesses, organisations, and agencies worldwide. They are experts in creating concepts, implementing and managing projects, analysing results and reporting. The agency operates internationally, offering highly targeted niche panels that are more pertinent to specialist audiences and media requirements. Opinion Matters abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Opinion Matters is also a member of the British Polling Council.
PR Contact
Destiny Gillbee, PR Director
C8 Consulting Ltd