Every week the technology landscape throws up a new vulnerability or form of attack that makes a mockery of the billions invested annually in cybersecurity. Businesses and governments work tirelessly and spend like Midas to build state-of-the-art defences, and still the breaches come.
Investing in proven security technology is necessary, but it’s only the beginning. The biggest vectors of attack are beyond the reach of network monitoring because they live inside the human mind: carelessness, curiosity, apathy, and negligence.
Staff, managers, vendors and partners have access to company systems, and as such are the first to be exposed to security risks. That doesn’t mean your employees are bad – it means they’re human. It also makes them your first and last line of cyber defence.
When the malware is people-based
An IBM study found that 60 per cent of all attacks were carried out, or enabled, by people inside the organisation. Of those, 25 per cent involved malicious intent and 25 per cent were caused by negligence. Malicious or careless, the role that insiders play in triggering breaches is significant. If cyber attacks are going to be stopped or mitigated, technological deterrents need to be balanced with people-centric defences. And that means training.
There are five reasons why security awareness training should be your next cyber investment:
The insider threat is bigger than you think
According to the Ponemon Institute, security breaches caused by insiders cost the average business as much as £6.9 million per year — more than twice the average cost of all breaches. Freedom of Information requests sent to the UK Information Commissioner’s Office show that employee error caused 88 per cent of all breach incidents reported over the last two years.
It enlists all levels of the organisation in the same fight
Security awareness training puts staff and management on the same page when it comes to IT security and the security-aware behaviours they need to adopt as a group. When everyone is exposed to the same training, it breaks down the silos between departments and pay grades in how well people understand day-to-day threats and how to recognise them.
Compliance may soon require it
Organisations could find themselves pushed into a regular programme of staff cybersecurity awareness training by regulators. At the moment this is mainly a US trend, but as the EU continues to evaluate the effectiveness of GDPR on the ground, regulations like those recently enacted by the New York State Department of Financial Services could become a model for the UK. That regulation requires every business under its mandate to deliver regular security awareness training to all employees.
If we think about training as a strictly classroom-based exercise, then the time, resource and price associated with it can look expensive. The fact is, cybersecurity training budgets are undercapitalised, and not just in comparison to spending on hardware and software. The lack of investment in quality training shows up in the sheer volume of breaches that continue to be caused by insiders.
It’s getting better
Many classroom-based training programmes lack the flexibility and convenience organisations need, particularly when the requirement for cyber risk upskilling can change so quickly. As e-learning and video courses continue to grow in popularity, the options for training are expanding. Online security awareness training can be delivered quickly, in bite-sized modules that focus on real-world scenarios and make the most of teachable moments.
In today’s cybersecurity environment, threats are evolving at a rate comparable to Moore’s Law, with technology forever playing catch-up to the creativity and tenacity of highly-motivated bad actors.
It may be the case that cyber risks can never be fully eliminated or perfectly managed through technical defences alone. It is safest to start from the working assumption that you will experience a breach at some point. Training staff to recognise a breach, and sensitising them to the risks that cause one, is the best way to stop breaches or minimise their impact.
Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.