The “chaos factor” created by remote work has made it even more difficult for organizations to get employees to focus on security awareness.

That’s according to KnowBe4, which released its 2021 State of Privacy and Security Awareness Report on Thursday. It’s based on a random sampling of 1,000 U.S. employees in both SMB and large enterprises.

The report sought to gauge how much cybersecurity training employees get, and the impact it has on security and privacy best practices. The commissioned study asked a variety of questions on general cybersecurity and data privacy knowledge. It addition, it asked about the impact the COVID-19 pandemic had on training.

Disappointing Highlights

Highlights from the security awareness report include:

Negative Attitude Toward Training

Perry Carpenter is chief evangelist and strategy officer at KnowBe4.

KnowBe4’s Perry Carpenter

“Honestly, we were not super surprised by the results,” he said. “In my former role as a Gartner analyst, I constantly heard security and compliance leaders lament the state of compliance training. And, frankly, the way that compliance training was positioned by vendor and organizations was that it is a necessary evil. Because there has traditionally been such a negative attitude toward this type of training, we should not be surprised when we see lackluster results. And, in general, this mediocrity has existed both on the vendor side, as well as the organizations implementing such training.”

The situation gets worse with remote work, Carpenter said.

“Employees have much less segmentation in their lives than ever before,” he said. “And organizations have a much harder struggle to capture the attention of their employees for any type of training or activity that may seem irrelevant, boring or not in tune with today’s reality.”

Compliance and Cybersecurity Awareness Are Different Concepts

Organizations should view compliance and cybersecurity awareness as separate concepts, Carpenter said.

“There is minimal overlap here, if any,” he said. “Some compliance mandates may require security awareness. But security awareness, itself, is not compliance. Security awareness is about helping people make more secure decisions. It is about driving secure behaviors. And it is about reinforcing all of that by weaving security values throughout the fabric of the organization. So, increasing cybersecurity awareness involves everything from traditional communications and training techniques, to very nuanced behavior-shaping processes and organizational culture management strategies.”

The awareness is there, but organizations do not necessarily see themselves as potentially becoming a victim, Carpenter said.

“They must realize that they could just as easily be on the other side of the coin,” he said. “Unfortunately, awareness does not always lead to proactive countermeasures to fight these sorts of issues. Hard questions must be asked of executives. Also, having a disaster preparedness plan is critical.”

Stu Sjouwerman, KnowBe4‘s CEO, calls the findings “alarming.”

“[The results] highlight the critical need to implement new-school security awareness training for every U.S. employee throughout every organization in this nation,” he said. “Going a step further to build a security-minded culture becomes essential as cybercriminals pose greater threats to business operations.”