Give employees the knowledge needed to spot the warning signs of a cyberattack and to understand when they may be putting sensitive data at risk.
There’s an old adage in cybersecurity that humans are the weakest link in the security chain. That’s increasingly true, as threat actors compete to exploit credulous or careless employees. But it’s also possible to turn that weak link into a formidable first line of defense. The key is rolling out an effective security awareness training program.
Research reveals that 82% of data breaches analyzed in 2021 involved a “human element.” It’s an inescapable fact of modern cyberthreats that employees represent a top target for attack. But give them the knowledge needed to spot the warning signs of an attack, and to understand when they may be putting sensitive data at risk, and there’s a huge opportunity to advance risk mitigation efforts.
What is security awareness training?
Awareness training is perhaps not the best moniker for what IT and security leaders want to achieve in their programs. In reality, the goal is to change behaviors through improved education about where the key cyber-risks lie and what simple best practices can be learned to mitigate them. It’s a formalized process that should ideally cover a range of topic areas and techniques to empower employees to make the right decisions. As such, it can be viewed as a foundational pillar for organizations wanting to create a security-by-design corporate culture.
Why is security awareness training necessary?
Like any kind of training program, the idea is to enhance the skills of the individual to make them a better employee. In this case, improving their security awareness will not only stand the individual in good stead as they move between roles, but will also reduce the risk of a potentially damaging security breach.
The truth is that corporate users sit at the beating heart of any organization. If they can be hacked, then so too can the organization. In a similar way, the access they have to sensitive data and IT systems raises the risk of accidents (a misaddressed email, a file shared too widely) which could also negatively impact the company.
Several trends highlight the urgent need for security awareness training programs:
Passwords: Static credentials have been around for as long as computer systems themselves. And despite the pleading of security experts over the years, they remain the most popular method of user authentication. The reason is simple: people know instinctively how to use them. The challenge is that they’re also a huge target for hackers. Trick an employee into handing one over, or simply guess it, and where multi-factor authentication isn’t enforced there is often nothing else standing in the way of full network access.
Over half of American employees have written passwords down on paper, according to one estimate. Poor password practices open the door to hackers. And as the number of credentials that employees need to remember grows, so does the likelihood of reuse and other misuse.
Social engineering: Human beings are sociable creatures. That makes us susceptible to persuasion. We want to believe the stories we’re told and the person telling them. This is why social engineering works: threat actors apply persuasive techniques such as time pressure and impersonation to trick the victim into doing their bidding. The best-known example is a phishing email, text (aka smishing) or phone call (aka vishing), but the same techniques underpin business email compromise (BEC) attacks and other scams.
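The warning signs the paragraph above asks employees to spot (impersonation, time pressure, a link that doesn’t go where it says) can also be checked mechanically. The script below is an added example written for this page, not ESET’s code or anything from the original article: it parses an email and reports which of those signs it finds. The internal domain, the urgency phrases, the matching rules and both sample messages are constructed assumptions for the demonstration.

```python
"""Rule-based triage of common phishing warning signs in an email.

Added example (not from the original article). INTERNAL_DOMAIN,
URGENCY_TERMS and the two sample messages are assumptions made for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"          # assumed organisation domain
URGENCY_TERMS = (                         # assumed time-pressure phrases
    "urgent", "immediately", "within 24 hours",
    "account will be suspended", "act now",
)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of warning signs found in an RFC 5322 message string."""
    msg = message_from_string(raw_message)
    signs = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Impersonation: display name invokes the organisation, address is external.
    if from_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in name.lower():
        signs.append(f"display name '{name}' but sender domain is {from_domain}")

    # 2. Replies are redirected to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        signs.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_domain}")

    # 3. Time pressure in subject or body.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        signs.append("urgency language: " + ", ".join(hits))

    # 4. Link text names one host while the href points at another.
    parser = _LinkCollector()
    parser.feed(body)
    for href, shown in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        match = DOMAIN_RE.search(shown.lower())
        if match:
            shown_host = match.group(0)
            if not (href_host == shown_host or href_host.endswith("." + shown_host)):
                signs.append(f"link shows {shown_host} but points to {href_host}")
    return signs


# Constructed sample messages for the demonstration (not real traffic).
PHISH = """From: Example IT Helpdesk <helpdesk@example-support.net>
Reply-To: reset@mail-verify.co
To: alice@example.com
Subject: Urgent: password expiry
Content-Type: text/html

<p>Your password expires today. Act now or your account will be suspended.</p>
<p><a href="http://example.com.login-portal.xyz/reset">https://sso.example.com</a></p>
"""

BENIGN = """From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/html

<p>Shall we meet at noon? Menu is at <a href="https://menu.example.com/today">menu.example.com</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The checks are deliberately the ones a trained employee is told to make by eye: who the message really comes from, where a reply would go, whether the wording manufactures urgency, and whether the visible link matches the real destination. Keyword and domain heuristics like these produce false positives and are no substitute for mail-gateway controls; they are a teaching aid for what "look before you click" means in practice.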
The cybercrime economy: Today these threat actors have a complex and sophisticated underground network of dark web sites via which to buy and sell data and services – everything from bulletproof hosting to ransomware-as-a-service. By some estimates it’s worth trillions. This “professionalization” of the cybercrime industry has naturally led threat actors to focus their efforts where return on investment is highest. In many cases, that means targeting users themselves: corporate employees and consumers.
Hybrid working: Home workers are thought to be more likely to click on phishing links and engage in risky behavior such as using work devices for personal use. As such, the emergence of a new era of hybrid working has opened the door for attackers to target corporate users when they’re at their most vulnerable. That’s not to mention the fact that home networks and computers may be less well protected than their office-based equivalents.
Why does training matter?
Ultimately, a serious security breach, whether resulting from third-party attack or an accidental data disclosure, could result in major financial and reputational damage. A recent study revealed that 20% of businesses that suffered such a breach nearly went bankrupt as a result. Separate research claims the average cost of a data breach globally is now higher than ever: over US$4.2m.
It’s not just a cost calculation for employers. Regulations and industry standards such as HIPAA and PCI DSS explicitly require covered organizations to run employee security awareness training, and the control frameworks used for Sarbanes-Oxley (SOX) compliance commonly expect the same.
How to make awareness programs work
We’ve explained the “why,” but what about the “how”? CISOs should start by consulting with HR teams, which normally lead corporate training programs. They may be able to provide ad hoc advice or more coordinated support.
Among the areas to cover could be:
- Social engineering and phishing/vishing/smishing
- Accidental disclosure via email
- Web protection (safe searching and use of public Wi-Fi)
- Password best practices and multi-factor authentication
- Safe remote and home working
- How to spot insider threats
Above all, bear in mind that lessons should be:
- Fun and gamified (think positive reinforcement rather than fear-based messages)
- Based around real-world simulation exercises
- Run continuously throughout the year in short lessons (10-15 minutes)
- Inclusive of every staff member including executives, part-timers and contractors
- Measured, so that results (for example, click and report rates from phishing simulations) can be used to adjust programs to suit individual needs
- Tailored to suit different roles
Once all this is decided, it’s important to find the right training provider. The good news is there are plenty of options online at a range of price points, including free tools. Given today’s threat landscape, inaction is not an option.
by Phil Muncaster, ESET