Security Awareness Training is one of the most cost-efficient ways to reduce the risk of breaches and incidents. Phishing awareness and education are some of the best ways to decrease risk. Concerningly, 56% of Americans don’t know what steps to take in the event of a data breach. According to Verizon’s 2019 Data Breach Investigations Report, 32% of breaches involved phishing. Your IT team works around the clock to implement and maintain cybersecurity defenses, while the rest of your employees click on suspicious links and reply to phishing emails, putting your entire business at risk. This creates a vicious cycle: the IT team or your managed service provider is constantly patching, fixing, and responding to threats caused by untrained and unsuspecting users. The majority of cyber attacks begin with end users. When an attacker compromises one device, such as an employee’s laptop or tablet, they gain a valuable foothold in the network that can be used to launch further attacks on your organization.
Comprehensive security awareness training is one of the best ways to help protect your business from malicious actors and prevent possible breaches. Your employees are often the first line of defense against a cyber attack. Well-trained employees know the best tactics to prevent, respond to, and recover from an attack. Some of the most deadly and common security attacks are social engineering attacks, spear phishing, and ransomware attacks that target employees by email. Management of these IT Security threats is imperative for businesses in the 21st century. Here are 5 reasons why your company should implement comprehensive security awareness training right now.
1. Attacks are on the rise as more employees are working from home – and will be for the near future
25-30% of the workforce will be working from home multiple days a week by the end of 2021, estimates Kate Lister, President of Global Workplace Analytics. Over the past few months, many companies have had to transition quickly from a traditional in-person office to an almost entirely remote workforce. Many companies were unprepared for this dramatic change, as only 3.6% of the U.S. employee workforce worked remotely half-time or more before the pandemic. Hackers are opportunistic and are now using this shift to remote work to prey on unsuspecting users and unsecured devices.
From January to February, researchers from Barracuda Networks reported a 667% spike in COVID-19 related email attacks. An April report from the Cybersecurity and Infrastructure Security Agency (CISA) noted that the surge in remote work has increased the use of potentially vulnerable services such as virtual private networks (VPNs) and unpatched Windows machines, and that the lack of privacy at home amplifies the threat to individuals and organizations. Attackers are exploiting publicly known vulnerabilities to prey on unsuspecting employees. We predict that as Americans continue to work from home and deal with external issues, hackers will continue to exploit these vulnerabilities and compromise business networks.
2. 95% of cybersecurity breaches are caused by human error, according to the IBM Cyber Security Intelligence Index
The best firewall can’t prevent an employee from falling for a phishing email. Your company could spend millions on state-of-the-art security software using automation, machine learning, and advanced threat intelligence. But none of this will matter if your employees are not properly trained to spot and respond to common attacks. It is much easier for hackers to spend 5 minutes creating a convincing spear-phishing email that appears to be from your boss than to spend months researching zero-day vulnerabilities. Like most criminals, hackers are looking for the biggest score that requires the least amount of effort. Unfortunately, 78% of employees are aware of the risks of suspicious links in emails but click on them anyway. Worse still, only 16-20% of the people in the study admitted to clicking on the suspicious link.
Employees should also be aware of the importance of physical security. Employees should make it a habit to shut down computers when not in use, avoid writing passwords on sticky notes, and ensure no one is “piggybacking” behind them when they use a key card to enter a building. All of these are vital aspects of security that are easily overlooked but can cause major damage. These are basic rules that all employees can and should follow to help keep your sensitive information and company communications safe. Securing your “human firewall” is just as vital as securing your organization’s digital firewall.
3. Compliance requirements for businesses are increasingly focused on employee training
HIPAA, PCI-DSS, and NIST 800-53 all have compliance requirements that focus on employee training. This is because their authors recognize the importance of securing every point of contact in an organization, not just the IT department or C-suite executives. These frameworks emphasize the necessity of not only developing security policies but also ensuring that all users are fully trained in those policies and understand the responsibilities they hold. Even if your organization does not currently fall under any compliance requirements, you may in the future, or you may want to expand and have an opportunity to bid on certain government contracts. These all require a certain level of information security and require employees to complete training on the necessary cybersecurity awareness topics.
All members of your organization should understand the vital role they play in maintaining compliance with data protection and privacy laws. Regulations like GDPR and CCPA carry strict requirements for data protection and levy heavy fines against those who fail to comply. As far as the regulatory bodies and auditors are concerned, you are responsible for the actions of all of your employees. “I didn’t know” or “they never told me” is never an excuse when it comes to compliance requirements. 9 out of 10 U.S. businesses fall victim to cybersecurity incidents each year, according to an HSB survey. Your organization needs to be prepared.
4. Providing basic training once is not enough to educate employees
For many organizations, security training is a once-a-year novelty item, not incorporated into the organization’s culture or its wider policies and training. According to a study from Mimecast, only 45% of organizations provide formal security awareness training that is mandatory for all employees. Shockingly, merely 10% of organizations have training programs available at all, and those are only optional. Occasional and optional training does nothing to create a holistic culture of cybersecurity in your organization. Treating cybersecurity training as an afterthought means employees will do the same. Creating ongoing training that is engaging, interactive, and covers multiple topics like phishing, ransomware, business email compromise, and physical security is the best way to equip employees with the knowledge to respond effectively to cyber threats. Hackers constantly evolve their approaches and techniques to exploit the latest vulnerabilities, so your organization must constantly improve and innovate its training to stay ahead of attackers.
Studies show security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training. Humans and technology need to work together to detect and respond to cyber threats. Management of the urgent IT security problems like social engineering, business email compromise, spear-phishing, and ransomware attacks is an absolute must if companies expect to stay safe.
5. Anyone can become the victim of a phishing attack, even your CEO
We know members of your C-suite are busy, especially right now. However, it is important to remember that no member of your organization is immune from a cyberattack if they are not trained to spot it. You may remember recent headlines about “Shark Tank” host Barbara Corcoran, who fell for a $400,000 phishing scam. The hackers tricked her bookkeeper into paying an invoice sent in an email that appeared to come from Barbara’s assistant. The bookkeeper thought she was paying a contractor, but in reality, she wired almost $400,000 into a fake bank account in Asia. “I was upset at first,” Corcoran said, “but then remembered it was only money.” Fortunately, she was eventually able to get her money back. Unfortunately, most businesses are not in a position to float almost $400,000, or lucky enough to have a team of lawyers get it back. For most businesses, a loss like this would close the doors immediately.
This is why comprehensive cybersecurity training is important for all members of an organization: not just the IT department or your accountants, but also your CEO, President, VPs, and any other executive with access to your organization’s information. The Ponemon Institute estimates the total cost of the average cybersecurity breach at $4M. Your executive team may scoff at the idea of completing security awareness training with the rest of the team, or simply say they don’t have time. When the stakes are this high and the game this easy for hackers, it is necessary to ensure your entire organization is on the same page. There is always room for improvement, and senses can dull over time, so your most seasoned security expert should join in the training as well.
So you know your business needs security awareness training; where do you go from here? Many IT pros and CEOs don’t know exactly where to start when it comes to creating a security awareness program that will work for their organization.
Security awareness training is an ongoing education process that helps educate employees about cybersecurity, IT best practices, and regulatory compliance requirements they may fall under. A comprehensive security awareness program for employees should train them on a variety of IT, security, and other business-related topics to help prepare them to avoid cyber attacks and understand what to do in the event of an attack. Here are some ways you can start to build a cybersecurity awareness training program at your organization.
Employees should understand the mechanisms of spam, phishing, spear-phishing, malware, and social engineering, and should be able to apply this knowledge in their day-to-day jobs, no matter what position they are in. You can choose to use in-person classroom training, online training, interactive phishing campaigns, or a combination of all three. 45% of employees receive no security training at all from their employer, according to a survey conducted by CompTIA. Any training you can provide will put your employees in a better position to prevent and respond to attacks.
Even a modest investment in security awareness and training has a 72% chance of significantly reducing the business impact of a cyber attack. However, studies show that the use of multiple training methods produced the highest correlation with employees’ perceived security effectiveness. Employees who were exposed to only one type of security awareness training, such as in-person lectures, were less likely to view their organizations as effectively securing their data. Employees whose organizations covered only one topic in their training, such as only teaching employees how to avoid phishing, were the least likely to strongly agree that their organizations effectively secure their data.
Research has shown that people recall more of what they hear and see together than of what they only see or only hear. Simply forcing employees to read security policies and procedures from a booklet is not an adequate training technique for any organization, let alone a business that has to secure hundreds of employees and endpoints. We encourage organizations to use multiple methods for training employees year-round, not just when the auditor comes knocking. An internal blog, an email newsletter, posters, engaging videos, and comprehensive digital training can all be used to build a culture of cybersecurity in an organization.
Security Awareness Training is one of the most cost-efficient ways to reduce the risk of breaches and incidents. Touchstone provides a custom managed solution utilizing best-of-breed security awareness toolsets. We have the world’s largest library of security awareness training content, including interactive modules, videos, games, posters, and newsletters. As you know, the most successful cybersecurity training is multi-modal to account for diverse learning types, and it engages employees so they retain knowledge and emerge better prepared to respond appropriately to potential threats. Contact Touchstone Security today and help educate your employees on the threats of tomorrow.