The 2022 Data Breach Investigations Report (DBIR) from Verizon found that 82% of data breaches involved a human element. Rather than hacking their way into a corporate network, cybercriminals take the easy route and trick an employee into handing over login credentials. A recent survey found that 81% of FTSE 100 companies had at least one login credential exposed on a dark web marketplace, and 42% of those organizations had more than 500 stolen credentials on offer.
Cybercriminals use tactics such as social engineering and phishing to trick employees. To counterbalance this, an organization can turn its employees into cyber-superstars by using security awareness training to empower them to fight cyber threats.
How to give your employees cyber-superpowers
Security awareness training emerged because the nature of cyber-attacks shifted from exploiting technology to exploiting the people who operate it. Because access to systems is now so closely tied to the identity of the operator, a cybercriminal who exposes or hijacks that identity inherits its access rights. The people who make up a business are therefore its weakest link: they are a way into the corporate network and its applications. But these same people, empowered through security awareness training, can also gain cyber-superpowers.
Security awareness training is a program of events and activities that educate a broad range of people who make up an organization. The training is usually delivered to employees, contractors, third-party vendors, and business partners. Effective security awareness training will act as an integral, human-centric layer to protect corporate IT resources and data.
In addition, security awareness training is often a requirement of data protection regulations and standards such as ISO 27001. The Health Insurance Portability and Accountability Act (HIPAA), in its Privacy Rule at 45 CFR §164.530(b), requires covered entities to train all members of their workforce on their privacy policies and procedures, and the Security Rule (45 CFR §164.308(a)(5)) separately requires a security awareness and training program.
One of the core achievements of effective security awareness training is to create a ‘culture of security' in an organization. This translates to ensuring that everyone across the board understands the implications of their behavior and actions on the security of their workplace.
Security awareness training typically includes:
- Security awareness modules: a series of courses, videos, and quizzes that test and evaluate staff security know-how and level of understanding. Advanced systems use gamification across course modules to make the videos and quizzes more engaging. Gamification draws on game-based learning research, which indicates that people learn best through experiences such as games.
- Phishing simulation exercises: automated, simulated phishing attacks that use the same tactics as real phishing messages. Phishing simulation platforms should be able to deliver both tailored simulations based on employee roles and general, catch-all phishing messages. Increasingly, cybercriminals are targeting specific roles, such as those with privileged access rights.
These practical sessions are backed up by reporting and by hands-on feedback to the trainee to optimize learning.
What security awareness training is not is a one-off event. Cybercriminals are resourceful and change their tactics regularly. Training should reflect this and, therefore, should be carried out regularly.
Three ways to make security awareness training effective
Not all security awareness training courses are equal. Therefore, finding a program that suits your company's needs is essential. However, three critical components of security awareness training that are a must-have to ensure successful learning experiences are:
Behavior-driven security awareness training
Everyone is different, and individual behavior matters when reducing security risk. Poor security behavior increases an organization's risk level. For example, poor password hygiene, such as sharing or reusing passwords, can lead to unauthorized account access. This behavior is widespread: a Google survey found that 52% of people reuse passwords across multiple accounts and 13% reuse one password for all of their accounts. Sharing passwords with colleagues is another critical security behavior that needs to be addressed during security awareness training; a SurveyMonkey survey found that 34% of U.S. adults admitted to sharing passwords or accounts with coworkers. Using a security awareness training program that places behavior at the core of its education, you can more easily tailor the content to the individual.
Behavior-driven security awareness training focuses on high-risk actions and attitudes to change them from negative to positive.
There is little point in attempting to change poor security behavior unless the individual understands the what, why, and how of their actions. Security awareness training platforms should be able to intervene and offer help at the moment an employee carries out a high-risk security behavior, for example, clicking the link in a simulated phishing email. Training programs with built-in real-time intervention sequences ensure that the trainee is shown the error they made, what it could have led to, and how to prevent it from happening again. Intervening in real time, while the action is still fresh, helps the user learn and retain the lesson, which leads to long-term behavioral change.
Metrics and reporting
Feedback on how training is progressing provides two key elements that are important for an effective training program:
Metrics on how individuals respond to the training, for example, how many users have clicked a simulated phishing link and how many reported it, allow an organization to adjust and optimize the training. Individualized, behavior-driven security awareness training tracks progression at the individual level, so each person's specific needs can be accommodated.
Metrics are used to generate reports that show how the training is progressing. Mapped to an organization's own cyber-attack metrics, the training metrics can be used to develop a Return on Investment (ROI) analysis for management and the board.
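The metrics described above are straightforward to compute from the event log a phishing simulation platform produces. The following script is an added example, not code from the original article or from any particular training platform. It assumes a constructed event record of the form (campaign, user, role, action, timestamp), where every recipient gets a "delivered" event and later "clicked", "submitted" (credentials entered on the landing page) or "reported" events as they act. It computes per-campaign click, report and credential-submit rates, the median time from delivery to a user report, each user's worst outcome per campaign, and the repeat clickers who warrant individual intervention.

```python
"""Phishing-simulation metrics from campaign event records (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data, not real results: one row per user action.
# Fields: campaign, user, role, action, ISO-8601 timestamp.
EVENTS = [
    ("Q1", "alice", "finance", "delivered", "2024-01-10T09:00:00"),
    ("Q1", "alice", "finance", "clicked", "2024-01-10T09:07:00"),
    ("Q1", "alice", "finance", "submitted", "2024-01-10T09:08:00"),
    ("Q1", "bob", "engineering", "delivered", "2024-01-10T09:00:00"),
    ("Q1", "bob", "engineering", "reported", "2024-01-10T09:03:00"),
    ("Q1", "carol", "it-admin", "delivered", "2024-01-10T09:00:00"),
    ("Q1", "carol", "it-admin", "clicked", "2024-01-10T09:20:00"),
    ("Q1", "dave", "sales", "delivered", "2024-01-10T09:00:00"),
    ("Q2", "alice", "finance", "delivered", "2024-04-12T10:00:00"),
    ("Q2", "alice", "finance", "clicked", "2024-04-12T10:02:00"),
    ("Q2", "bob", "engineering", "delivered", "2024-04-12T10:00:00"),
    ("Q2", "bob", "engineering", "reported", "2024-04-12T10:15:00"),
    ("Q2", "carol", "it-admin", "delivered", "2024-04-12T10:00:00"),
    ("Q2", "carol", "it-admin", "reported", "2024-04-12T10:01:00"),
    ("Q2", "dave", "sales", "delivered", "2024-04-12T10:00:00"),
    ("Q2", "dave", "sales", "clicked", "2024-04-12T10:30:00"),
]

# Worst-to-best ordering used to pick a single outcome per user per campaign.
# A user who clicks and then reports still counts as a click: the link was followed.
OUTCOME_PRIORITY = ("submitted", "clicked", "reported")


def _group(events):
    """Map (campaign, user) -> {action: [timestamps]} without assuming input order."""
    grouped = defaultdict(lambda: defaultdict(list))
    for camp, user, _role, action, ts in events:
        grouped[(camp, user)][action].append(datetime.fromisoformat(ts))
    return grouped


def campaign_metrics(events):
    """Per-campaign rates over delivered recipients plus median minutes to first report."""
    grouped = _group(events)
    stats = {}
    for camp in sorted({c for c, _ in grouped}):
        recipients = [a for (c, _u), a in grouped.items() if c == camp and "delivered" in a]
        n = len(recipients)
        if n == 0:
            continue
        delays = [
            (min(a["reported"]) - min(a["delivered"])).total_seconds() / 60
            for a in recipients if "reported" in a
        ]
        stats[camp] = {
            "recipients": n,
            "click_rate": sum("clicked" in a for a in recipients) / n,
            "report_rate": sum("reported" in a for a in recipients) / n,
            "submit_rate": sum("submitted" in a for a in recipients) / n,
            "median_report_minutes": median(delays) if delays else None,
        }
    return stats


def user_outcomes(events):
    """user -> {campaign: worst outcome}; 'ignored' when the user did nothing."""
    outcomes = defaultdict(dict)
    for (camp, user), actions in _group(events).items():
        outcome = next((o for o in OUTCOME_PRIORITY if o in actions), "ignored")
        outcomes[user][camp] = outcome
    return dict(outcomes)


def repeat_clickers(events, min_campaigns=2):
    """Users who followed the link (or submitted credentials) in at least min_campaigns campaigns."""
    return sorted(
        user for user, per_camp in user_outcomes(events).items()
        if sum(o in ("clicked", "submitted") for o in per_camp.values()) >= min_campaigns
    )


if __name__ == "__main__":
    for camp, m in campaign_metrics(EVENTS).items():
        print(camp, m)
    for user, per_camp in sorted(user_outcomes(EVENTS).items()):
        print(user, per_camp)
    print("repeat clickers:", repeat_clickers(EVENTS))
```

On the sample data the campaign click rate is flat at 50% between Q1 and Q2 while the report rate doubles and credential submissions drop to zero, which is the kind of trend a board-level ROI report would highlight. The per-user view shows why the aggregate is flat: carol (a privileged it-admin role) moved from clicking to reporting, while alice clicked in both campaigns and is the one person flagged for individual intervention.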
Empowering staff and tackling cybercrime
Our employees are the first line of defense in a world where cybercriminals focus their efforts on manipulating our staff. A company can turn its staff into empowered cybercrime fighters using behavior-driven security awareness training and simulated phishing exercises.