This post first appeared on Risk Management Magazine.
An organization is only as strong as its weakest link and when it comes to cybersecurity, employees are that weak link—and, in turn, a prime target. While technology plays an essential role in any organization’s defense, it does not stop employees from making basic security mistakes. In its Cost of Cyber Crime Study, Accenture found the average cost of cybercrime in the United States reached $21.22 million per organization last year, compared to $17.26 million the year before. What’s more, according to the most recent Verizon Data Breach Investigations Report, 90% of successful breaches start with user errors.
Cyberattacks are not only expensive; resolving them and restoring systems also consumes significant IT staff time. To minimize financial and productivity losses and improve the overall security of the enterprise, many organizations increasingly recognize employees as their first line of defense and seek opportunities to continuously strengthen their security savvy—their human firewall.
Unfortunately, many employees simply do not know their role in helping to keep their organization secure, or the impact they can have, both positive and negative. Many organizations also lack the measures needed to provide employees with comprehensive and continuous awareness education.
The Importance of Cyber-Awareness
Cyber-awareness may be ingrained in your IT team, but it is not something the average person is usually focused on. However, an employee’s online behavior directly impacts their employer’s business. For example:
- What employees say and do on social media can easily be tracked by cybercriminals and used to craft spear-phishing attacks.
- Working remotely over an unsecured Wi-Fi connection leaves computers vulnerable to man-in-the-middle interception of credentials and data, among other attacks.
- Using personal, unsecured devices for work makes it far easier for an attacker to compromise an organization’s network.
While cautions about the risks of insecure Wi-Fi or devices are common, many do not recognize other problematic employee behavior, such as risky personal social media practices, and their potentially negative impact on a business. Consider this example: An assistant to a company’s CEO is an avid cyclist who regularly posts about races on social media and frequently purchases biking gear online. The assistant decides to participate in an upcoming race and publicizes her involvement. While at work the following week, she receives a message to her personal email account prompting her to “view photos from this past weekend’s race!” The assistant clicks the link and, just like that, unknowingly infects the entire organization’s systems.
This is not to suggest that scare tactics are the way to go, but clear, real-life examples like this remind everyone that cybercriminals can easily track the average user’s online activity, use that information against them and make them their next easy target.
Training Is an Ongoing Process
It is imperative that you consider user education or security awareness training that not only tests your employees’ attentiveness to cybersecurity, but also measures its own effectiveness at reducing user errors over time. As in a high-risk work environment—such as a factory or warehouse that repeats safety training monthly, weekly or even daily—an organization’s cybersecurity awareness training does not start and end with one crash course. Embedding security into your organization’s culture takes time and should be repeated often. Even trained employees can slip up and fall for a social engineering trick from time to time.
For example, earlier this year, the Financial Services Information Sharing and Analysis Center (FS-ISAC) reported that one of its employees fell victim to a phishing scam. The attacker compromised the employee’s credentials and used them to access a document containing a link to a credential-harvesting site; an email pointing to that site was then sent from the employee’s address to members, affiliates and employees.
As this incident illustrates, phishing attacks can be difficult for any user to spot, making it critical that training and awareness efforts be an ongoing process, not a one-time deal. Indeed, following this security mishap, the president and CEO of FS-ISAC noted that, while all his staff members participate in regular security awareness training and testing, there is always a need to fill security education gaps.
Essential Components of an Employee Awareness Program
The sheer number of breaches has led organizations in several industries, such as financial services and health care, to require annual user awareness training. These particularly vulnerable segments recognize that the threat landscape is growing and that users cannot keep up without continuous education.
By investing in ongoing awareness and education training and ensuring that people, processes and technology are all harnessed effectively together, organizations have a much better chance of stopping breaches, infections and relentless attacks by cybercriminals.
The design of a strong program will differ depending on your industry and the size of your business, but several key components will strengthen any awareness and education effort. A comprehensive employee awareness program should include the following elements:
- Raise awareness: Consider starting your security awareness program with an all-employee email announcing the motivation and intention of the program. Coupling the announcement with the results of a recently run phishing simulation test can be a particularly strong way to get everyone’s attention.
- Develop engaging content: Engage your users with interactive courses that help them feel like they are learning something valuable and not just clicking through some screens because it is required of them. Quality interactive and even entertaining content will help increase attention and create a better user experience.
- Test and measure: Phishing simulations are a great way to raise awareness of a huge risk while simultaneously monitoring user response and continually testing the organization. They will also help identify high-risk employees who need additional, more targeted training.
- Report results: Your reports should show activity from the training in a manner that demonstrates the value to stakeholders as it relates to overall business goals, while at the same time measuring progress and return on investment.
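The "test and measure" and "report results" items above describe a measurement loop: run phishing simulations, watch how the click rate and report rate move from campaign to campaign, and single out the employees who click repeatedly so they can receive targeted follow-up training. The script below is an added example, not part of the original article and not tied to any particular simulation product; it assumes the simulation platform can export one record per recipient per campaign (who was targeted, whether they clicked, whether they reported the message) and works on a small constructed dataset of three quarterly campaigns.

```python
"""Phishing-simulation metrics for an awareness program (added example).

Assumes each simulation campaign exports one record per recipient with
`clicked` and `reported` flags. The sample data below is constructed for
illustration and does not describe any real organization.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str     # campaign label; labels sort chronologically ("Q1" < "Q2" < "Q3")
    user: str
    department: str
    clicked: bool     # recipient clicked the simulated lure
    reported: bool    # recipient reported the message to security


# Constructed roster: six employees across three departments.
USERS = [("alice", "finance"), ("bob", "finance"), ("carol", "eng"),
         ("dave", "eng"), ("erin", "ops"), ("frank", "ops")]


def _campaign(label, clicked_users, reported_users):
    """Build one campaign's export from the sets of users who clicked or reported."""
    return [SimResult(label, u, d, u in clicked_users, u in reported_users)
            for u, d in USERS]


# Constructed results: click rate falls and report rate rises over three campaigns.
SAMPLE_RESULTS = (
    _campaign("Q1", {"alice", "bob", "carol", "erin"}, {"dave", "frank"})
    + _campaign("Q2", {"alice", "erin"}, {"bob", "carol", "dave"})
    + _campaign("Q3", {"alice"}, {"bob", "carol", "dave", "erin", "frank"})
)


def campaign_metrics(results):
    """Per-campaign click rate and report rate, keyed by campaign label."""
    totals = defaultdict(lambda: {"targets": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r.campaign]
        t["targets"] += 1
        t["clicked"] += int(r.clicked)
        t["reported"] += int(r.reported)
    return {
        label: {
            "targets": t["targets"],
            "click_rate": round(t["clicked"] / t["targets"], 3),
            "report_rate": round(t["reported"] / t["targets"], 3),
        }
        for label, t in totals.items()
    }


def department_click_rates(results, campaign):
    """Click rate per department for one campaign, to spot where training is weakest."""
    targets, clicks = defaultdict(int), defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            targets[r.department] += 1
            clicks[r.department] += int(r.clicked)
    return {d: round(clicks[d] / targets[d], 3) for d in targets}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: the high-risk group
    that needs additional, targeted training. Returns {user: click count}."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return {u: n for u, n in sorted(counts.items()) if n >= min_clicks}


def program_summary(results):
    """Stakeholder-facing summary: trend over campaigns, net improvement in
    click rate from first to latest campaign, and the repeat-click list."""
    metrics = campaign_metrics(results)
    order = sorted(metrics)
    trend = [(label, metrics[label]["click_rate"]) for label in order]
    improvement = round(trend[0][1] - trend[-1][1], 3) if len(trend) > 1 else 0.0
    return {
        "click_rate_trend": trend,
        "click_rate_improvement": improvement,
        "repeat_clickers": repeat_clickers(results),
    }


if __name__ == "__main__":
    for label, m in sorted(campaign_metrics(SAMPLE_RESULTS).items()):
        print(f"{label}: click {m['click_rate']:.1%}, report {m['report_rate']:.1%}")
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("Summary:", program_summary(SAMPLE_RESULTS))
```

The report rate is tracked alongside the click rate on purpose: a falling click rate shows employees are pausing before acting, while a rising report rate shows the security team is hearing about suspicious mail sooner, which is the behavior the program ultimately wants to create. The repeat-clicker list is the input for the "additional, more targeted training" step rather than a disciplinary record.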