The Enemy Within: Three Keys to Cybersecurity Awareness
Mar 30, 2020
“Our people are our greatest assets.”
While this timeworn business cliché may be true, it’s also true that your people are a major cybersecurity risk. Research shows that more than a third of employees in a typical business will succumb to a staged phishing or social engineering attack. And these aren’t laughable invitations to send bank information to collect an inheritance from a mysterious long-lost relative. Rather, the most nefarious – and effective – scams include innocuous and official-looking emails that appear to be from a supplier, or from the company’s HR department, requesting an account “update” or “verification.” Harried or distracted employees fail to notice that the logo isn’t quite right, and that the URL includes an odd character or two. They click the link and enter the requested information – thereby providing a hacker access to your enterprise.
From spear phishing to ransomware, cybercriminals are deploying increasingly sophisticated strategies and tools to attack your business. The objectives of cyberattacks have similarly evolved. Traditionally, hackers focused on identity theft. Potential damage – while significant – was limited to individuals. Today, cybercriminals aspire to hijack entire networks and gain access to financial assets or customer records that can be held ransom.
In this environment, the stakes are too high to assume employees won’t inadvertently click on the wrong link at the wrong time. As such, Security Awareness Training is emerging as an essential component of a comprehensive cybersecurity strategy.
Here are three keys to an effective cybersecurity training program to keep employees aware, engaged and vigilant.
One: Make it a Priority
Businesses have traditionally downplayed the importance of people as a point of vulnerability, relying instead on technology capabilities such as firewalls and anti-virus programs. As a result, awareness training tends to slide down the ladder of priorities. Yet, the fact is that more than a third of data breaches can be traced to human error or negligence. Indeed, as technology to combat cybercrimes advances, hackers view people as an increasingly attractive target. As such, security strategies and frameworks must focus on protecting the identity and data of individuals, and awareness training should be a key component of those protection strategies.
Budgeting should be quite simple. You can’t afford not to have security awareness in place. Budgeting too low increases risk, while budgeting high doesn’t guarantee success. An effective program has to be rolled out to every employee at every level. Work with a partner who can help you choose the right program, implement and measure it.
Two: Make it Timely and Relevant
Most security awareness training programs – if they exist at all – are often limited to periodically delivered basic instructional courses that outline potential threats and appropriate responses. The trouble is, security threats continually evolve, and the training curriculum developed three months ago may well be obsolete by the time it’s delivered next week. Moreover, cybersecurity risks don’t adhere to a regular schedule. New ones can emerge in clusters, and then lie dormant for months. As such, calendar-based training doesn’t align with the dynamic, non-linear nature of the cyber landscape.
Rather than a static, one-and-done initiative, effective security awareness training must be an ongoing process, with frequent updates and alerts reflecting new developments in the global environment generally, as well as industry- and company-specific considerations. A best practice in this regard is to frequently launch simulated phishing attacks to gauge employee responses to current risks. In addition to providing regular benchmarks on the state of risk awareness within an organization, this practice raises awareness of phishing scams and puts employees on alert when receiving problematic messages.
Three: Make it Engaging
Another drawback of security awareness programs is that most are, to put it bluntly, boring. Employees often groan their way through dry, pedantic training videos so that they can complete the mandatory Q&A at the end and get back to work. Because they’re disengaged and paying attention only to the extent necessary to complete the requirement, the knowledge transferred in the session isn’t retained for long.
Studies show that compelling stories and narratives are essential to engaging audiences; audience engagement, meanwhile, is essential to information retention. Effective security awareness programs employ videos, gamification and newsletters. Make it fun and inclusive. Offer internal rewards to employees who identify and report a potential attack. Or, take a page from traditional retail loss prevention books and create a confidential employee hotline where employees can report suspicious behavior of other employees.
CISOs are working more closely than ever with other C-level executives to oversee technology, people and risk to ensure that security is embedded in every business decision as well as in the overall culture. And awareness training is central to those efforts. Done right, the efforts pay off, and companies undertaking regular programs achieve quantifiable results. The 30 percent of employees who fall for a phishing scam prior to training declines to 15 percent after 90 days of training, and to 2 percent after one year.