As hackers continue to step up their attacks, every organization should provide employees with regular security awareness training.
Human beings are the weakest link in the cybersecurity chain. Organizations can implement the most sophisticated security tools, but one user clicking on a malicious link or giving up sensitive data can cause a security incident.
That’s why phishing attacks and other forms of social engineering are so prevalent. Cybercriminals know that it’s much easier to trick users into giving them access to the network than to try to defeat advanced security systems.
The sixth annual Data Security Incident Response Report from BakerHostetler confirms this fact. In the law firm’s 2020 report, phishing remained the No. 1 cause of security incidents for the fifth year in a row. More than a third (38 percent) of security incidents originated with a phishing attack.
Many of the latest phishing attacks prey upon the fear and uncertainty surrounding the COVID-19 pandemic. According to a recent report from KnowBe4, hackers were distributing phishing emails with subject lines such as:
- Required to read or complete: “COVID-19 Safety Policy”
- COVID-19 Remote Work Policy Update
- Your team shared “COVID 19 Amendment and Emergency leave pay policy” with you via OneDrive
- Official Quarantine Notice
- COVID-19: Return To Work Guidelines and Requirements
These phishing emails are a significant threat because users are likely to open and act on them.
Security awareness training is the best defense against these kinds of attacks. A well-designed training program can help users spot phishing emails and other threats, significantly reducing the risk that the attack will be successful.
Employees Lack Cybersecurity Awareness
Many employees are unaware of cybersecurity risks, or have misconceptions about what actually poses a threat. In the 2020 State of Privacy and Security Awareness Report from Osterman Research and MediaPRO, 19 percent of survey respondents said that clicking on a suspicious link or attachment in an email was unlikely to cause a malware infection. At the same time, 14 percent incorrectly believed that keeping their device too close to another device that was infected with malware could cause their device to become infected. Just 17 percent of survey respondents were very confident they could spot a social engineering attack, while 33 percent were unsure.
A security awareness program should give employees the ability to correctly identify phishing, malware and other specific types of threats. It should also ensure that employees recognize their responsibility for maintaining the organization’s security posture. While most respondents to the Osterman study were aware of the importance of strong passwords and regular software updates, many users do not follow security best practices consistently.
The training should also outline procedures for reporting a suspected security breach. In a recent Kaspersky study, 40 percent of organizations said that users were likely to hide evidence of a cyberattack. This delays incident response, increasing the damage and the risk of downtime and data loss.
How to Develop a Training Program
In a recent global study, 96 percent of organizations agreed that improvements in security awareness led to a higher level of security in their company. Additionally, 98 percent were convinced that security awareness training made attacks by cybercriminals more difficult.
However, many security awareness programs cover topics that aren’t particularly relevant to employees. Organizations should develop training that focuses on the kinds of threats employees typically encounter in order to maximize its effectiveness.
Security awareness training should also be customized to the specific needs and requirements of the business. For example, many government and industry regulations, including the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), require security awareness training.
If the organization is required to comply with those regulations, the training should address those mandates and the organization’s related policies and procedures.
Individual employees who violate regulatory requirements due to carelessness or ignorance can bring heavy penalties on their employers while potentially compromising sensitive information.
New employees should receive security awareness training, and there should be ongoing refresher courses for all staff. A recent study by researchers from several German universities found that employees forget much of what they’ve learned after just six months unless training is repeated regularly.
Because effective IT security requires that every employee remain vigilant, organizations should provide their employees with the necessary training to spot cyber threats. Security awareness training is an essential part of any cybersecurity strategy, and is especially important with today’s work-from-home models and pandemic-related threats.