Cyber security awareness and staff training: What is it and how does it work best?
There is an old saying in cybersecurity that people are the weakest link in the security chain. This is increasingly true as threat actors compete with each other to exploit gullible or careless employees.
"But you can turn this weak link into a first line of defense," says Phil Muncaster of the ESET team.
The key is to implement an effective cybersecurity awareness and education program.
According to one study, 82% of the data breaches examined in 2021 involved a "human element". Given the modern threat landscape, employees can be expected to remain the number one target for attacks. "But give them the knowledge they need to spot the warning signs of an attack and to understand when and how they might compromise sensitive data, and there is a huge chance that the risk will be reduced," he said.
What is cybersecurity awareness training?
The word "awareness" may not accurately describe what IT security professionals want to achieve with training programs. Their real goal is to change behaviour through education about where the key cyber threats lie and which simple best practices mitigate the risk.
The aim is to empower employees to make the right decisions when they encounter cybersecurity risks. Awareness training can therefore be considered a fundamental pillar for organizations that want to build a security-by-design corporate culture.
Why is security awareness training necessary?
As with any training program, the goal is to enhance the individual's skills so that they become better at their job. In this case, improving security skills not only helps the individual cope with the demands of their role, but also reduces the risk of a potentially harmful security breach.
The truth is that corporate users are at the heart of every organization. If a user is compromised, the organization can be compromised too. Likewise, the access these users have to sensitive data and IT systems raises the risk of accidents that could also harm the company.
There are several trends that highlight the urgent need for security training programs:
Passwords: Static credentials have been around since the advent of computer systems. Despite years of warnings from security experts, they remain the most popular method of user authentication. The reason is simple: people instinctively know how to use passwords. The challenge is that they are also a huge target for attackers. If an attacker can trick an employee into handing over a password, or can simply guess it, then often nothing else (such as multi-factor authentication) stands between them and full access to the company's network.
It is estimated that more than half of all employees in the United States write their passwords down on paper. Poor password practices open the door to attackers, and as the number of credentials employees have to remember grows, so does the likelihood of misuse.
Social engineering: We humans are social creatures, which makes us susceptible to persuasion. We want to believe the stories we are told and the person telling them. This is why social engineering works so well: it uses persuasion techniques, such as creating urgency and fear, to trick the victim into doing what the attacker wants. Social engineering is used in phishing emails, text messages (smishing) and phone calls (vishing), and it also underpins business email compromise (BEC) attacks and other scams.
The "professionalization" of cybercrime: Threat actors today operate a sophisticated, mature underground economy of dark web sites through which they buy and sell data and services, from web hosting to ransomware-as-a-service. Cybercrime is said to cost trillions of dollars. This "professionalization" has naturally led malicious actors to focus their efforts where the return on investment is highest. In many cases, that means targeting users directly: company employees and consumers.
Hybrid work: Employees who work from home are considered more likely to click on phishing links and engage in risky behaviours, such as using work equipment for personal purposes. The new era of hybrid work has therefore opened the door to attacks on corporate users at the moments when they are most vulnerable. On top of that, home networks and computers may be less well protected than their corporate counterparts.
Why is education important?
Ultimately, a serious security breach, whether the result of a third-party attack or the accidental disclosure of data, can cause significant financial loss and damage to the company's reputation. One recent study found that 20% of businesses that suffered such a breach came close to bankruptcy. Another study puts the average cost of a data breach worldwide at an all-time high of over $4.2 million.
Cost is not the only consideration for employers. Many regulations and standards, such as HIPAA, PCI DSS and Sarbanes-Oxley (SOX), require covered organizations to run security awareness training programs.
How to make training programs work
We have covered the "why", but what about the "how"? Chief Information Security Officers (CISOs) should start with an introductory discussion with the human resources department, which typically manages corporate training programs. HR may be able to offer advice or coordinated support.
Topics the training could cover include:
- Social engineering and phishing / vishing / smishing
- Accidental disclosure of information via email
- Safe web use (safe browsing and use of public Wi-Fi)
- Best password practices and multi-factor authentication
- Safe remote and home work
- How to spot insider threats
Above all, keep in mind that the courses should:
• Be fun and game-like (think positive reinforcement rather than fear-based messaging)
• Be based on real-world simulation exercises
• Run at regular intervals throughout the year, as short lessons (10-15 minutes)
• Include all staff, including executives, part-time employees and contractors
• Produce results that can be used to tailor the program to individual needs
• Be adapted to suit different roles
Once all of this has been decided, it is important to find the right training provider. The good news is that there are many options available online at various price points, including free tools. ESET's Phil Muncaster concludes: "Given the current landscape of threats, inaction is not an option."