“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,”
Cybercriminals are effectively treating your employees as the weakest link in targeted cyber threats. In response, many organizations are engaging their managed IT providers to conduct thorough cybersecurity audits in order to understand their current level of risk, as well as implementing consistent staff training. The data indicates that the current situation is far from ideal, with only 28% of businesses running a comprehensive training program more than twice a year.
There are plenty of real-world examples to help you out here. In recent years, you can take your pick of high-profile incidents from LinkedIn, Equifax, Twitter and many more. Tailor specific examples to particular job roles, departments, and bad habits to plot a clear path between today’s actions and tomorrow’s consequences. The more personalized your delivery, the more users can relate, and the faster behaviour changes.
Cyber-security is no different from any other security – it often comes at the expense of convenience.
Take airport security, for example. Travel can be stressful, and no one particularly enjoys the added inconvenience of going through security, taking your laptop out of your bag and your shoes off, but it is necessary for the safety of flying.
Cyber-security is no different: multi-factor authentication, layers of email scanning, security awareness training; all of these add time and potential inconvenience to the speed of operating our businesses.
However, the inconvenience of any particular security measure becomes minor when you consider the alternative – a security or data breach can cause much larger, costlier issues affecting your entire business.
We’ve seen clear evidence of this over the past year, with awareness of key terms falling, sometimes significantly. In this year’s State of the Phish Report, just over half (53%) of users could correctly define phishing, down from 63% the previous year. Recognition also fell across common terms like malware (down 2%) and smishing (down 8%), and only 36% could correctly define the term ransomware.
This highlights the need to keep security awareness training fresh and engaging. It is important to deliver training and education in as many places and formats as possible. The more varied the ways your cybersecurity message is reinforced, the more likely it is to be retained.
In addition, the pandemic put many different pressures on organizations and some may have been forced to de-prioritize employee education programs due to lack of time, resources, revenue, or other factors. During the pandemic, a malicious attack due to human error could have been the final straw for many businesses that were already struggling to stay afloat. There is no better time to place priority on security education, training, and best practices.
Whatever the case may be, it is clear that it is never safe to assume that your employees will consistently recognize security terminology. This is particularly true if your security awareness training and phishing simulations happen infrequently. Reinforcement is critical to knowledge and skill development; employees must understand the terminology in order to act on it effectively.
Security training should educate your staff on the motives and methods of common attacks and where they are most likely to encounter them. Most importantly, your employees must understand how they may be manipulated into an action and the potential consequences of taking the bait.
Researching which people in your organization are attacked most often, and the types of attacks they face, is important so that training can be delivered in the context of their everyday processes and tasks. Having the proper information allows us to deliver simulations based on real-world examples, helping your staff learn how to put their training into action when it matters most.
Making security training competitive and turning it into a game can also aid the process. The gamification of training modules has been shown to increase engagement and motivation, as well as improving attainment scores in testing.
We want to avoid security training and education feeling like a chore. The more enjoyable we can make the experience, the less resistant your staff will be to taking part.