We have written in previous articles about the importance of cybersecurity measures for home-based workers and the massive increase in targeted attacks since the start of the COVID-19 lockdown.
As with many things in life, prevention is better than cure and this applies in cybersecurity as much as it does anywhere else.
Technology measures such as anti-virus and anti-spam, as well as other endpoint security protection software are all excellent and highly advisable measures to take against the ever-present threat of malicious intrusion.
Yet there’s another measure that every business, large or small, in any sector – as well as any public sector organisation – can take to prevent malware infection.
Think of the familiar proverb: “Give a man a fish and you feed him for a day. Teach him how to fish and you feed him for his lifetime.”
For IT and cybersecurity we can say: "Give your employees security software and it will block and clean up many malware attacks. Teach them what to look out for, and they'll help stop attacks before they start."
By training your employees how to be vigilant by showing them what threats actually look like and teaching them the steps to take when they see them, you add a further layer of security to your fight against the cybercriminals.
Why exactly is security awareness training needed?
We’ve all seen email phishing scams.
Whether they’re telling us we’ve received a package, won a prize, need to check our account details or that there’s an African prince wanting to flee his kingdom who just needs a bank account where he can temporarily place $2 million (if you’d only send him the details to make the transfer), these scams persist in plaguing millions of office workers.
Why? Because they continue to work. And because to launch malware or ransomware requires just a single person.
A campaign of 1 million emails needs a success rate of only one in a million, a single gullible or careless recipient, for an attacker to obtain a set of login credentials, get a foothold on the network and then locate and steal personal or financial data.
What's more, attackers and their tactics are becoming more sophisticated. Today they deliberately target senior but unsuspecting individuals: people who are focused on doing a good job and loyal to the organisation, and who are for exactly that reason susceptible to a well-crafted pretext such as an urgent request that appears to come from a colleague or supplier.
As more and more organisations migrate their systems to the cloud, and the trend towards home-based and remote working continues to grow (greatly accelerated by the COVID-19 crisis), research suggests that as much as 33% of cyberattack incidents could be caused by phishing or social engineering techniques.
It’s not just endpoints themselves that are vulnerable in these cases.
The cloud infrastructure used by home-based workers (for email storage, document and filesharing, even line of business applications) is also highly vulnerable.
According to a recent report, nearly 90% of data breaches suffered by small-to-medium sized businesses were down to some form of human error. It's a similar story with corporate-scale businesses. The cost can be astronomical, potentially driving a business to breaking point.
The benefits of security awareness training
As its name suggests, providing security awareness training to employees can add another layer of security to your existing defences. Benefits include:
1. Human factor cyber risk reduction
By training employees first to be suspicious and vigilant in their everyday email and online behaviour, and then how to recognise potentially rogue emails (mismatched sender addresses, unexpected attachments, links whose visible text does not match where they actually lead), especially when working from home, organisations can significantly reduce the likelihood of this type of attack succeeding.
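To make the "what to look out for" concrete, the following Python script was added for this article (it is not part of any product or training course mentioned on the page). It applies the same checks a trained employee is taught to make by eye, but against the raw message: does the display name claim a brand whose mail never comes from that domain, does Reply-To point somewhere else, did the receiving mail server record an SPF or DKIM failure, and does a link's visible text show a different host from its real destination. The two sample messages, the brand-to-domain list and the domain example.co.uk are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a phishing message imitating a cloud-mailbox alert.
SAMPLE_PHISH = """\
From: "Microsoft 365 Support" <alerts@micros0ft-secure.com>
Reply-To: helpdesk@mail-recovery.net
To: jane.doe@example.co.uk
Subject: Action required: your mailbox will be suspended
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=micros0ft-secure.com; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. <a href="http://login.mail-recovery.net/office">https://login.microsoftonline.com</a></p>
"""

# Constructed sample: a legitimate internal notice for comparison.
SAMPLE_LEGIT = """\
From: "IT Service Desk" <servicedesk@example.co.uk>
To: jane.doe@example.co.uk
Subject: Scheduled maintenance this weekend
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk
Content-Type: text/html; charset="utf-8"

<p>Details on the intranet: <a href="https://intranet.example.co.uk/maintenance">https://intranet.example.co.uk/maintenance</a></p>
"""

# Assumption for the example: brands staff expect to hear from, and the only
# domains those brands genuinely send from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable warning signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims a brand, but the sender domain is not one of that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not any(
            from_domain == d or from_domain.endswith("." + d) for d in domains
        ):
            findings.append(f"display name mentions '{brand}' but sender domain is {from_domain}")

    # 2. Replies would go to a different domain than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. SPF/DKIM verdicts recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")

    # 4. Link text shows one host while the href actually points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in ANCHOR_RE.findall(text):
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        target_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and shown_host != target_host:
            findings.append(f"link text shows {shown_host} but goes to {target_host}")
        if urlparse(href).scheme == "http":
            findings.append(f"plain HTTP link to {target_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Run stand-alone, the script reports six warning signs for the constructed phishing message and none for the legitimate one. None of these checks is conclusive on its own (a misconfigured partner can fail SPF, and a newsletter can legitimately set Reply-To), which is exactly why the training teaches people to treat several signs together as a reason to stop and report rather than click.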
2. Consistent cross-organisational awareness
Organisations that methodically train staff in cybersecurity awareness, including making sure that the onboarding process for new employees also encompasses this training, can more easily meet compliance requirements and, potentially, the conditions attached to cyber insurance.
3. Reduce IT resource load
By marshalling employees in the fight against cybercrime, organisations can potentially reduce the risk of breaches – resulting in time savings for stretched IT and security teams.
4. Incident response streamlining
Part of the purpose of security awareness training is to ensure employees know what to do when an attack is unfolding, for example as ransomware spreads across a network. The first steps in these cases, such as reporting immediately and disconnecting the affected machine from the network rather than trying to clean it up quietly, can be crucially important in limiting the impact in the early stages of an attack.
5. Minimising consequences
By harnessing the workforce in a joint effort to minimise security risk, organisations stand to lose less time to IT disruption, prevent data leakage and protect brand reputation. The costs of a data breach, both the direct costs and the consequential ones, can be devastating.
What does security awareness training consist of?
Remembering the goal, to provide an additional level of defence in your cybersecurity armoury, the aim of security awareness training is to change employee behaviour.
This is no easy undertaking, particularly as it involves addressing embedded, habitual practices which may be difficult to shift.
Bringing about a lasting change in awareness, and in the way emails are viewed and handled, requires sustained training rather than a one-off session.
Security awareness courses typically involve both theoretical and hands-on training:
- Education: different forms of attack and what they look like
- Demonstrations: of scams such as social engineering, phishing and ransomware
- Consequences: employees should know what consequences for them, customers and the organisation may be
- Practical elements: testing exercises such as simulated phishing campaigns, with feedback to the people who click
- Ongoing training: ensuring employees remain aware of evolving threat landscape and security measures
Back to the start of this piece, we said that ‘prevention is better than cure’ and this is certainly true of cybersecurity.
Turning cybersecurity into a shared responsibility across the organisation requires all employees to buy in, change attitudes and shift behaviours, and to accept that doing so is their personal and contractual duty.
Contact us to discuss scoping and rolling out your phishing simulation campaign across your organisation either on a standalone basis or as part of a wider security awareness testing and training programme for your employees.
Contact us for more information on 0800 292 2100.