Human error plays a big part in many security breaches – more than 90% according to a recent study by the ICO. It is therefore little wonder that organisations are looking at cybersecurity awareness training programmes.
Cybercrime is big business today and no area of the world has been untouched by this growing threat. Every day there are a myriad of headlines to read about the latest cyber-attacks, data breaches and global mayhem that has been inflicted from this. No organisation is immune from the threat of ransomware, phishing or CEO fraud; according to the Ninth Annual Cost of Cybercrime study released by Accenture and the Ponemon Institute the average cost of cybercrime has increased $1.4 million over the past year to $13.0 million. In addition, the average number of security breaches in the last year have also risen by 11%.
With new threats emerging daily, organisations can no longer rely on their technological defences to keep them safe. With cybercriminals using sophisticated social engineering techniques to by-pass defences, all it takes is for one employee to unknowingly click on a malicious link. All organisations and their staff are at risk.
Employees are the first line of defence against cybercrime, and it is vital they are equipped with all the knowledge and skills they need to protect organisations from cyber-attacks. This is where a comprehensive Cybersecurity Awareness Programme comes in, it is the best way to educate staff and create a security-first culture.
How are organisations at risk online?
Quite often attacks on organisations, especially large ones, are planned and calculated. Those who target data, networks and systems often have an express aim to obtain specific information.
Busy employees often don’t have time to learn best practice when it comes to cybersecurity. Those working in departments such as finance, HR and planning usually have intense workloads, so it is important they can work efficiently and quickly without their online safety being compromised in any way.
Often mistakes are made by those who aren’t educated in cybersecurity and can’t spot threats to their data, but even the most educated person in cybersecurity can make mistakes that cause huge data breaches.
Organisations need to look at limiting the risk of human error being a factor in cyber-attacks as much as possible. Two factor authentication can be a solution for staff who reuse static or simple passwords that can be stolen through brute force attacks.
In addition, there are many jobs today that involve sitting at the same desk. It is therefore important to secure your network when you have staff members logging on from multiple devices and locations. They need to get access to their files from anywhere but can’t risk those files being accessed by unauthorised users.
Data is the new oil
The information belonging to organisations is often very precious and well coveted to the right people. Hackers often look for more substantial data than credit card numbers or personal information. It is therefore important that organisations ensure no-one other than authorised users can access private information.
It is also critical that IT staff ensure their colleagues aren’t accessing websites that are compromised from their network. A web filtering system is one way to try to stay on top of sites that could potentially be harmful. The filter will update with sites that have been flagged as dangerous or compromised, and block users from accessing them.
To help employees be more cyber aware, at CyBourn we believe that a successful cyber awareness program should address the following 3 areas:
1. Identify and Mitigate Risks
When creating an effective security awareness programme, you should evaluate the threat landscape and identify the top risks. Bombarding employees with the wrong training can often result in information overload. Every organisation has a different threat profile but some of the biggest threats include malware, phishing and poor security practices. Phishing attempts is behind at least 71% of all cyber-attacks worldwide, with the common denominator behind these attacks being human error.
Taking time to identify the risks each organisation faces will help with shaping the delivery, messaging, and effective targeting of a successful cybersecurity awareness program.
2. Change the behaviour of employees
Training methods have changed dramatically in the last ten years or so. With organisations no longer restricted to classroom-based training or tick-box one day course to demonstrate cybersecurity compliance, the scope for online training is much larger than before.
For any training programme to be successful employees need to be fully engaged with it to understand what is required of them and the importance of their role in the security of their organisation. The best way to achieve this is through a comprehensive training programme that makes good use of videos, realistic scenarios, quizzes, policies, and real-world phishing simulation tests.
3. Test the effectiveness of Training
At the very start of a cybersecurity awareness program organisations should conduct an initial baseline assessment to see where their risks lie. Once this has been conducted, regular phishing email simulations can be rolled out to find out just how much the department is susceptible to fraudulent phishing emails. What is more, it will be possible to identify any staff who need additional training. Having controlled simulation tests will help recognise avoid and report potential threats that could threaten the security of the department. Employees should be able to report potential threats if they have clicked on something they shouldn’t have without fear.
Determining if a cybersecurity awareness program is effective is the key to its success, and any organisation will need to track the metrics that come from the program and act accordingly. Having a detailed reporting structure will provide specific information on participation and engagement and help to assess the individual progress of individual employees or specific departments.
With 1 in 3 UK based businesses falling victim to a cybersecurity breach or attack in the last 12 months, and with 4 out of 5 of those being directly attributed to human error, cybersecurity awareness training is now more vital than ever. Every organisation should consider implementing a robust cybersecurity awareness training programme to limit the risk of human error when it comes to preventing cyber-attacks.
At CyBourn, we have a range of services that can help your cybersecurity awareness programme, giving you full peace of mind when it comes to your cybersecurity posture. We are a global cybersecurity company with a mission to address challenges in technologies and operations in cyberspace. We increase protection by providing forward-thinking transparent services for threat detection, prevention, and response.
To find out more, talk to us today.