How effective is a home security alarm system if somebody leaves your front door open? Or a password if you are going to write it on a sticky note and leave it on your desk? Most people would agree that both of these examples show a lack of security awareness and common sense. This is because in the physical world it is rather easy to detect poor security awareness.
Now let’s move to the digital world where criminals persistently target people in order to gain access to computer networks. Why? Nobody really knows but one can safely assume it is for financial gains. According to IBM’s latest annual Cost of a Data Breach study, the average data breach now costs up to $3.92 million when you take into account both the attack and response cost.
Long gone are the days when cybercriminals would spend their efforts on outsmarting networks. Instead, they choose to focus on what they perceive is the weakest link: the end-user. Due to the shift in tactics companies must now rely on end-users in order to have an effective cyber security defense.
Looking for easy targets…
Why would hackers choose to focus their tactics on people and not machines? Well, there are many factors, but it comes down to one thing: convenience. You see hackers are much like gamblers in that they are looking for low-risk high reward opportunities.
Cybersecurity professionals refer to this tactic as social engineering. Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information.
A recent report showed that the number of successful attacks in 2017 was at 79 percent. That number follows an upward trend. In 2014, only 62 percent of social engineering attacks were successful. It rose to 71 percent in 2015 and then 76 percent a year later.
In case you are thinking your company is immune to this trend here are 10 famous social engineering attacks:
- Shark Tank
- Cabarrus County
- Ethereum Classic
- Democratic Party
- Ubiquiti Networks
- Sony Pictures
- SC Department of Revenue
Even with all the alarming data, not everything is doom and gloom. It turns out that with proper security awareness training & support companies can significantly reduce their cybersecurity risks.
Building a Security Awareness Training Program
Let’s get one thing clear: There is no universal format for security awareness training. Fortunately, there are guidelines and best practices that organizations can incorporate into their customized program. The acronym T.E.A.M is a convenient way to summarize the 4 keys to starting or enhancing a security awareness training program.
4-Keys of T.E.A.M: Team, Empower, Adjust, and Monitor:
Testing is the first step to an effective security awareness program. Like tryouts for a basketball team, testing allows an organization to know its strengths and weakness. With the right support, that information can be the foundation of an effective awareness program.
How can you evaluate the threat landscape and identify top risks? Testing. How can you assess the effectiveness of the measures you have put in place? Testing. How can you be prepared for evolving threats? Yes, you guessed it. Testing.
Key Insight #1: Each organization needs to decide which test is appropriate to their operational needs. Work with your penetration test provider to see what options are available for your organization.
After identifying risks and assessing your cybersecurity posture, it’s time to empower your organization. Successful security awareness programs combine awareness and training with cybersecurity education that is specific to an organization’s threat landscape. This combination helps create a strong culture of security awareness that empowers all users.
Key Insight #2: Be creative about how you involve users by using different methods such as videos, quizzes, and realistic phishing simulations to keep users engaged.
Now that you have a good picture of the threat landscape and engaged users on your team, you are ready to start making adjustments that will reduce exposure. This step requires that you establish tools and outlets that users can use to swiftly report suspicious cyber activities.
While this will require that users adapt to new reporting methods and online behavior it will pay off in the long run and strengthen your organization’s cyber hygiene.
Key Insight #3: Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity and other details that could be stolen or corrupted.
The “M” in T.E.A.M stands for monitor and to accomplish this step an organization needs measurement tools that allows them to assess progress, collaborate and adjust as needed.
As with the previous steps, there are no universally recognized methods to measure cybersecurity improvements. Thankfully, there are practical ways to gauge the effectiveness and efficiency of the measurements an organization has put in place.
This can be accomplished in various ways but here are three practical points to consider:
- Establish a Baseline: An organization can accomplish this by analyzing simulated phishing failure rates and knowledge assessment results.
- Analyze the data: Ensure that the cybersecurity team is evaluating the progress of the security awareness training program.
- Follow up: You can’t have a baseline without data and data is of little worth without proper follow up. Organizations should rely on their cybersecurity team and partners to measure improvements where it matters most: the end-user.
Key Insight #4: Cybersecurity effectiveness can be calculated by how much time lapses between the detection of a threat and when appropriate action is taken. An organization needs to find an objective method of calculating recovery time.
Starting or enhancing a security awareness training program is an important component of cybersecurity. By using the T.E.A.M. approach, organizations can smartly test their current measures, understand their threats, and empower their employees to overcome the many cybersecurity threats that are coming their way.