Why is security awareness training so essential? In the world of marketing, marketeers talk about something becoming “mainstream” and “crossing the chasm” when that ‘thing’ becomes well-known. I think that we can now firmly state that cybersecurity attacks have ‘crossed the chasm’. If cybercriminals were marketeers, they’d be really good at their job. It is now an unusual person who has not, at some point in the last few years, come across a dodgy email that tells them if they would just give the emailer their bank details they could benefit to the tune of millions of dollars.
Cybersecurity threats are ubiquitous and there seems little evidence that they will abate any time soon, although the threats themselves may change. To give you a flavour of what the average UK business is up against, let’s have a look at some facts and figures.
Ransomware is one of the most sinister of all cybersecurity threats. If you become infected by ransomware, your data will be encrypted, and you won’t be able to access it. You will be offered a decryption key if you pay a ransom, but as you are dealing with criminals here, there is no guarantee you will actually get the decryption key. According to Kaspersky, 2016 was the year of ransomware, with an attack on a business every 40 seconds (1). In 2017, the world experienced the massive WannaCry attack, which hit the NHS badly, effectively closing many hospitals across the UK.
And then there is phishing – the definition of a dodgy email. Phishing and related attacks like SMShing (text message phishing) and spear-phishing (targeted attacks on an individual) are the number one weapon of choice for the cybercriminal. The Anti-Phishing Working Group (APWG) (2), which records phishing activity, is finding increasing numbers of phishing attacks. The reason why phishing is so popular amongst cybercriminals is that it works. The technique is based on understanding and manipulating human behaviour. According to Symantec (3), phishing is also an equal opportunity attack method – the phisher does not care what industry sector you are in or the size of your organisation.
In fact, the more human-centered the attack is, the more successful it seems to be. Another crime that is hitting the headlines is Business Email Compromise (BEC). In Q1 of 2017, 85% of organisations were targeted by at least one BEC attack (4).
To counter this level of threat we need countermeasures, and one way to redress the balance is to become aware.
Create a Culture of Security to Build Cybercrime Resistance
The battle for control between companies and cybercriminals is an ongoing one. Much of it is centered around the human element. Being aware of the way that cybercriminals get into our business operations will give a company a head start in managing what otherwise can seem unmanageable.
As we have seen, cybersecurity threats seem to be centered on human behaviour as much as technology. Beating the cybercriminal at their own game means that we have to also place some focus on human behaviour. One way that we can fight back is to create a ‘culture of security’. But what does that mean?
A culture of security starts by making people in your organisation, including board-level, staff, and even third-party vendors, security aware. People like to have routine, and awareness is a first step in building a routine around security. Just knowing how a cyber-attack can start will make an individual think about their actions. If you train your employees to spot the signs of a phishing email, they will become accustomed to watching out for the details of these signs. Human beings are natural communicators too – a culture of security awareness means that people will talk about the problems – security will become a meme in your organisation and spread amongst staff and the wider company community.
Security awareness is a self-propagating activity once it has been embraced by an organisation.
Ultimately, when you build a culture of security it puts people centre stage in the fight against cybercrime.
The Why, How, and What, of Security Awareness Training
The why of a culture of security:
To do something well you need to understand why you are doing it. Creating awareness about security and building that culture of security will help prevent cyber incidents and contain threats. According to a UK government survey, 43% of businesses (across all sectors and sizes) experienced at least one cybersecurity attack in 2017. However, only 27% have any kind of formal security policy to help prevent attacks (5). If this were any other area of a business, we would have a strategy and plan. Sitting down and creating a formal way to deal with a pressing issue like security is a great way to plan a strategy for handling it. This is the first step in creating awareness of security. But awareness cannot stay within the pages of a policy document. It must become a real everyday exercise. Fortunately, security awareness is something that can be taught.
One of the most interesting notes that came out of the UK government survey mentioned above is that many organisations have a “fatalistic” attitude towards security, feeling that there is nothing they can do about it, so why try. However, a survey by the analyst firm Aberdeen Group has shown that using a programme of security awareness training in an organisation can mitigate cybersecurity attacks by as much as 70% (6).
Making security everyone’s business by creating a culture of security will ultimately make your organisation more secure. Tailoring the training to different departments and employee roles can ensure that training is hitting the right spot. And having ongoing training also means that if the cybercriminal changes their tactics, you are ready to take them on.
The how of a culture of security:
How you actually perform the training is, of course, another matter. The best security awareness training will change human behaviour. Phishing is so successful because it manipulates and takes advantage of normal human responses. For example, many phishing emails create a sense of urgency in their text: “important security update” or “email account will be closed” are typical phrases used in phishing emails to get us to click a link. The link will then take us to the next stage in the phish, usually stealing login credentials or other personal information. To stop our automatic click response, it is important to train people to recognise this instinct. Security awareness training usually has certain elements built into the programme to do just this. These features include phishing simulations, which allow your company to set up simulated phishing email campaigns that are then sent to employees. You can also monitor the behaviour patterns to spot how well the training is going, modifying it to improve the training. Good security awareness programmes can also allow you to make the training interesting and fun by using gamification of cyber threats.
The what of a culture of security:
The outcome of a culture of security and awareness training has to be mitigation of cybersecurity threats and a return on investment. Company-wide security awareness adds value because it has been shown to reduce the risk of an attack by 50% (7). If you consider that the average total cost of a cybersecurity breach according to the Ponemon Institute is $3.62 million USD, then every chance to prevent an attack is important. Also playing into the value of a culture of security are data protection regulations, including the EU’s General Data Protection Regulation (GDPR). Regulations like GDPR and industry-specific ones such as Basel II in finance set out strict expectations around data protection and privacy. Ensuring your employees are security aware helps to create and maintain a secure environment for data.
Create a Curtain Wall using Security Awareness
The cybersecurity threats that all businesses face are not only complex and sophisticated but costly too. Organisations pay the price for a cyber-attack across several fronts, including financial and reputational. An organisation that takes cybersecurity seriously has to engage the entire workforce and beyond in that view. Security awareness training is something that we can all do together to present a united front against the cybercriminal who would do our organisation harm. Our employees, through a culture of security and security awareness training, can be our curtain wall to protect the company castle.