A widely cited figure holds that 95% of cybersecurity breaches involve human error. What can organizations do to limit their exposure? It starts with awareness.
Although often vital, corporate training isn’t the most exciting topic. Odds are you don’t regularly hear coworkers proclaim they’re eagerly anticipating an upcoming training session. But the simple fact is continual security awareness training is among the most valuable investments organizations can now make.
Every year, nine out of 10 US businesses become cybersecurity victims, according to an HSB survey reported by Touchstone Security. The financial effects are widely reported as well, including annual cybercrime losses exceeding $3.5 billion. Worryingly, both the costs and the number of attacks are rising.
Many of the most damaging IT security incidents begin with social engineering, spear phishing and ransomware attacks that target individual users, and such threats are becoming more sophisticated. Worse, malicious actors have begun adopting artificial intelligence and machine learning to make their lures more convincing, improving their odds of infiltrating networks, compromising data, corrupting systems and extracting ransom payments.
Anyone can become a victim. Whether large or small, all organizations are at risk, as are all users, from front-line workers to C-level staff.
While IT departments deploy and maintain endpoint protection, download and install patches and updates, and administer firewalls and other technologies designed to protect the organization, those steps aren’t enough on their own. End user education is necessary, too.
Appalachian State University research, based on laboratory experiments and statistical analysis, confirms the importance of end user training. The corresponding paper, The Impact Of Information Richness On Information Security Awareness Training Effectiveness, notes IT “personnel alone are not effective in stopping security breaches from happening; the security awareness of end users must be improved.”
Another study—The Positive Outcomes Of Information Security Awareness Training In Companies — A Case Study—confirms security “education and awareness is one of the most effective and powerful mechanisms for mitigating information security risks.” The study also emphasizes the importance of continual education, noting “there should also be various ongoing awareness campaigns” due to users’ natural inclination to forget information over time, and advocates displaying posters and using brochures, animated movies and even online quizzes with prizes to help the training prove compelling.
The behavioral problem is stark: 95 percent of cybersecurity breaches reportedly involve human error, and 78 percent of users say they know the risks that suspicious message links present yet click on them anyway.
Security awareness training is a cost-efficient and effective method organizations can adopt to battle cybersecurity threats and such behavioral lapses. Proper security training reduces risks, lowers the rate of incidents and provides a framework to help users respond correctly when issues arise.
Many industries require training regardless. Organizations subject to HIPAA or the Sarbanes-Oxley Act, to the PCI DSS industry standard, or to frameworks such as NIST and ISO 27001 all operate under security training or awareness requirements, and compliance auditors will ask for records showing who completed the training and when.
But to make the most of these efforts, training must be continual and mandatory. Organizations cannot just pay lip service to security awareness training efforts. Instead, the importance of understanding risks, recognizing real-world threats and knowing how to respond must permeate an organization, which must truly invest in such initiatives to make them effective.
Done right, cybersecurity training equips users with the knowledge they need to avoid becoming victims. In turn, the organization, as well as its data and systems, becomes better protected from corruption, theft, compromise and malicious actors.
Fortunately, a variety of security awareness training options exist: in-person and virtual sessions, webinars and self-paced curricula. To be effective, a program must familiarize users with the characteristics of real attacks and show concrete examples, help them recognize variations on those attacks and anticipate the look and feel of likely future ones, and give them a clear procedure for responding when a suspicious message arrives or an incident occurs (for example, whom to report it to, and not clicking or replying in the meantime).
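As an added illustration of the “characteristics of attacks” that awareness training teaches users to spot (the suspicious-link problem mentioned above), the Python below checks a constructed phishing email for the classic tells: a display name that borrows a trusted brand while the address comes from elsewhere, a Reply-To that redirects replies to a third domain, link text that shows one domain while the href goes to another, typosquatted lookalike domains, and pressure language in the subject. This is example code written for this article, not part of the original page or any vendor’s product; the trusted domain list, the substitution table, the urgency word list and both sample messages are assumptions made for the example.

```python
from __future__ import annotations

import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation's own domain(s). Hypothetical value.
TRUSTED_DOMAINS = {"example.com"}
# Pressure words that training teaches users to treat as a warning sign (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify your")
# Visible link text that itself looks like a URL or bare domain.
_URLISH = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com/.net-style domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _fold(domain: str) -> str:
    """Undo common typosquat substitutions so 'examp1e.com' compares as 'example.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(fake, real)
    return d


def is_lookalike(host: str) -> bool:
    """True when the host is not trusted but folds to a trusted domain."""
    r = registrable(host)
    return r not in TRUSTED_DOMAINS and _fold(r) in {_fold(t) for t in TRUSTED_DOMAINS}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for the classic tells in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    # 1. Display name borrows a trusted brand, but the address is not from that brand's domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in name.lower() and registrable(from_dom) != trusted:
            findings.append(("display-name-mismatch", f"'{name}' sent from {from_dom}"))
    # 2. Replies are silently redirected to a different domain.
    reply_dom = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but Reply-To {reply_dom}"))
    # 3. Sender domain is a typosquat of a trusted one.
    if from_dom and is_lookalike(from_dom):
        findings.append(("lookalike-domain", f"sender domain {from_dom}"))
    # 4. Pressure language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgency", f"subject uses {', '.join(hits)}"))
    # 5. Link text names one domain while the href goes elsewhere, or the target is a lookalike.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkParser()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        m = _URLISH.match(text)
        if m and registrable(m.group(1)) != registrable(href_host):
            findings.append(("link-text-mismatch", f"text shows {m.group(1)} but href is {href_host}"))
        if href_host and is_lookalike(href_host):
            findings.append(("lookalike-domain", f"link target {href_host}"))
    return findings


# Constructed sample messages for the example (not real mail).
PHISH = """\
From: Example IT Support <helpdesk@examp1e.com>
Reply-To: recovery@mail-relay.net
Subject: URGENT: your password expires today
Content-Type: text/html; charset=utf-8

<p>Reset it now at <a href="http://examp1e.com/reset">https://example.com/account</a></p>
"""
BENIGN = """\
From: Example IT Support <helpdesk@example.com>
Subject: Monthly newsletter
Content-Type: text/html; charset=utf-8

<p><a href="https://example.com/news">Read more</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, phishing_indicators(raw))
```

Each finding maps to one habit the training should build: hover over links before clicking, compare the sender address (not just the name) against the expected domain, and treat urgency as a reason to slow down rather than act. The domain folding is deliberately simple; a production mail gateway would use a confusables table covering Unicode homoglyphs and a public suffix list for the registrable domain.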
Numerous organizations offer security awareness training. Leaders, according to one Forrester report, include KnowBe4, CybSafe, InfoSec and Elevate Security.
The Appalachian State University study lists among the critical success factors for effective security awareness training the “relevance, timeliness and consistency of security information in different ways (e.g. newsletter, video, seminar and lecture) so that users receive many different messages.” The study concludes that hypermedia (interactive material combining graphics, audio, video, plain text and links) is the most effective format for raising security awareness levels.
Don’t let uncertainty about how to proceed cause delay. An Aberdeen Group report finds that even modest investments in security awareness training have a 72 percent likelihood of significantly reducing the business impact of phishing attacks. Yet the same research shows 73 percent of firms train users only at the time of hire, on an ad hoc basis or annually.
As in so many other domains, prevention is far more effective than treatment after an incident. Helping users understand malicious actors’ methods, identify attacks, spot natural evolutions of previous threats and react properly all pay significant dividends.
Still have questions or need help implementing or maintaining a security awareness initiative? You can reach a Louisville Geek technology consultant at 502-897-7577 or drop us a line here.