Burnout is a huge issue for employees. In a recent study from 1Password, 80% of office workers and 84% of security specialists reported being burned out. And that’s not half of it: approximately 20% of these burned-out employees believe that their companies’ security policies “aren’t worth the hassle,” an attitude that leads into dangerous territory.
What’s more, the attack surface is growing more complex. In August this year, we heard about third-party intrusions involving MailChimp, which highlights a persistent trend of threat actors targeting organizations through their vendor partners. This kind of breach serves as a reminder of how devastating, and how far-reaching, a third-party compromise can be.
Which raises the question: How can companies better protect themselves?
It’s not rhetorical. Risk management is a full-time job for CISOs and CSOs, who are constantly bombarded with new ways that attackers are “getting in” and leveraging vulnerabilities for their own ends. And while technology has brought with it more productivity, greater collaboration, and in some cases more cost savings, it has also provided a growing attack surface.
One element in every company’s arsenal that can provide the first line of defense (and, arguably, can also be a huge risk factor) is the role individual employees play in protecting company data and systems.
Here’s where employee cyber awareness training comes in.
As security practitioners, whether in information security or physical security, we spend a lot of time educating users about risk: how to protect the organization, how to recover from an attack, and how to remain aware. But a lot of what we do remains reactive in nature. Part of managing risk is setting the expectation of proactivity from your employees and from your vendors.
Cyber awareness training is a solid first step toward a proactive approach to protecting your organization. It is the mechanism by which we educate employees about the various cyber threats, teach them how to recognize those threats, and then have them carry out the steps necessary to protect the company.
Here are some of the benefits of implementing cyber awareness training for your business:
Fostering a security-first culture
Establishing a training program communicates to employees that something is important. Couple this with the fact that cybersecurity risk is higher today than at any earlier point, and it becomes clear that security should be important across your organization. And training isn’t the only thing you can do to build a security-first culture. Establishing best practices for remote access, identity management, administrator privileges, and more communicates to employees that the security of the organization is top-of-mind.
Recently, someone in our organization came to me and said she had received an email that looked suspicious and reported it as phishing, thinking it was part of our employee training program. Usually, when the email is from KnowBe4 (the company we use), hitting the “Phishing Alert” button in Microsoft Outlook produces a pop-up that says, “Congratulations! You just passed a test from your employer!” In this case, the notification wasn’t related to the training program, and the report was sent to our internal IT team to determine whether the email was a risk. A short time later, she received an email confirming that the attempt WAS in fact an outside threat. The fact that she reported it (and that it got through our filters) highlights the need for employees to be trained to spot such attempts.
Employees are empowered to report these kinds of emails when they remain informed about the outcomes – whether they “passed” a test or identified a real-life threat. Being a part of protecting the business helps foster a culture of security.
Centralized training programs can identify the areas where employees are most at risk of becoming victims of social engineering: the use of deceptive tactics to get individuals to divulge confidential or personal information that can then be used for fraudulent purposes. For example, cybercriminals can pose as company leaders, such as your CEO, and ask you to send information via text or hand over confidential data under the guise that leadership is requesting it. And these attacks are growing more sophisticated.
Implementing a formalized cyber awareness training program can help an organization identify the risks that individuals pose and give those individuals additional support through ongoing training. One of our clients implemented this kind of program for their employees. When they first rolled it out, they measured a 27% phishing failure rate (the share of employees who fell for a simulated phish), which served as a baseline. Within 90 days, they were down to 3%.
Adherence to compliance standards
Depending on the industry you’re in, there are regulations that your business must adhere to, and non-compliance can land you in hot water. Cyber awareness training might also save you money on your cyber insurance policy, as underwriters are playing a larger role in deciding what controls companies need to have in place to qualify for coverage. Whatever the regulatory standards are, implementing training that helps employees understand them is a critical piece of the puzzle in fostering a culture of security (and compliance).
While employees can often be the weakest link in a cybersecurity program, they can also be the greatest asset you have for preventing loss and compromise. That is worth real money. According to IBM, the average cost of a data breach increased 2.6% from 2021 to 2022, to $4.35 million. For small- to medium-sized businesses, a breach can be devastating. Investing time and resources into proactively training employees can mean the difference between putting that money into other projects and improvements for the business, and going out of business.
Ultimately, the goal of an employee cyber awareness program is just that: creating awareness. In this case, what you don’t know truly CAN hurt you. It’s about giving employees the knowledge and confidence to understand why we need to operate in a security-first culture, remain vigilant, and respond properly to threats.
Do you know where the risks in your organization are? If not, it might be time for a security review and action plan.