Cybersecurity threats have taken on a life of their own. It is no longer a case of if but when your organisation will be involved in a cybersecurity incident.
2018 was a bad year for cybercrime: some 6.1 million data records were stolen every day. Small businesses were as much of a target as enterprises, if not more so, with 58 percent of small organisations being infected by malware. The cybercrime landscape is complex too. Cloud and mobile computing, and the growing use of the Internet of Things (IoT), connect not only our businesses but the cybercriminals who target them.
Established threats such as ransomware and phishing, which rely on social engineering to trick us, are being joined by newer ones such as cryptojacking. Then there is the new challenge of “Deep Fakes”, already being used to persuade a user that a phone call really is from the Inland Revenue.
Fighting this level of complexity is not easy. Security awareness training is a way to give staff the knowledge they need to recognise and resist these threats – but how effective is this type of training?
Security Awareness Training – The Facts
Before we begin, here is a recap of what security awareness training is.
If you choose to make your staff aware of security, you can opt to use a specialist training package. This will teach your staff about security across the board, from understanding how cybercriminals target users to spotting whether an email is genuine or is phishing for data and login credentials. A good security awareness training package will deliver this in an engaging and interactive way. But does it work? Let’s look at the evidence.
Do my staff really need cyber security training?
Let’s put it this way. Phishing is the number one way in which malware, such as ransomware, is delivered. In fact, Symantec found that a staggering 92.4 percent of malware arrives as an attachment to a malicious email.
Mobile and voice phishing are also increasing year on year, and phishing campaigns are becoming more sophisticated. Campaigns like Dark Caracal use spear phishing to get users to download spoofed apps that look legitimate (WhatsApp was one of the apps spoofed in that campaign) from outside the official app stores. The installed apps contain trojans, a type of malware that typically steals data and login credentials. Campaigns like Dark Caracal make the user central to the attack: unless the attacker can co-opt the user into installing the app, the attack fails.
In the book “Information Security and Employee Behaviour”, Angus McIlwraith reports that up to 75% of security incidents stem from a lack of knowledge on the part of staff.
Taking the user, the central component of these attacks, out of the attacker’s reach by teaching them to spot an attack is as important as any technology in thwarting cybercrime; it complements technical controls rather than replacing them.
What happens when we don’t educate our staff about cybersecurity?
Cybercriminals take advantage of natural human behaviour, and in doing so have made phishing the most successful of cyber-attack methods. One reason we can be tricked as individuals is that our awareness of security is poor. A RiskIQ report found that poor security awareness is putting consumers at risk of data and identity theft, and that same lack of awareness follows people into the workplace.
Last year, 76 percent of companies reported being the victim of a phishing attack. Verizon found that 30 percent of phishing emails are opened and 12 percent are acted on, i.e. the link is clicked or the attachment opened.
For mobile users it is even worse: studies show that the rate at which users click on mobile phishing links has increased by 85 percent since 2011.
Understanding of secure password use is still poor. A LastPass report on password hygiene found that, on average, an employee shares a password with six co-workers. The same report found that half of employees use the same password for personal accounts as for work accounts, so a breach at a consumer website can hand an attacker a working set of work credentials.
What happens when we do educate our staff about cybersecurity using security awareness training?
If cyber-attacks depend on manipulating human behaviour, then that behaviour needs to change, or the manipulation needs to be called out. A research report by The Aberdeen Group found that security awareness training can reduce the risk of socially engineered cyber threats by up to 70 percent. Aberdeen emphasise, however, that training must be ongoing to counter the ever-changing methods cybercriminals use to target organisations.
These results are repeated in a number of studies, including one by Osterman Research which found that security awareness training produced more confident employees and fewer click-throughs on phishing emails.
The UK Government’s National Cyber Security Centre (NCSC) recommends a layered approach to preventing phishing attacks, in which training employees to spot a malicious email, social post or mobile message is one layer alongside measures that stop phishing messages reaching users in the first place, limit the damage when someone is caught out, and ensure incidents are reported and responded to quickly.
And, last but not least, a number of standards and laws either recommend or require that your organisation carries out security awareness training, among them ISO 27001 and the General Data Protection Regulation (GDPR).
And then there are the intangible results, those that only become apparent over time. Security awareness training gives people the confidence to use technology. We are reaching a point where people are frightened to open an email in case it infects the company with ransomware. If staff know how to spot the signs of a phishing email, they will feel less stressed by the digital environment they work in.
Taking the Plunge and Using Security Awareness Training
Reducing cybersecurity threats has come down to an us vs. them problem. Many modern cyber threats use our own behaviour as part of the attack method, and that behaviour needs to change to turn the tables on the cybercriminal. We have to use our best defence, our people, to help us protect our castle.
By using a fun, engaging, and effective security awareness training program we can make sure our organisation and its people are prepared.
Let the Defence Works help your business avoid cyber security breaches – sign up for a free security awareness training demo, today.