Is Security Awareness Training Truly Effective?
26 Apr
Last month, DefensePoint Security, a Virginia-based government cybersecurity contractor, announced that its employees’ W-2 tax data had been compromised. But the company wasn’t hit with a sophisticated hack. It turns out that someone inside the company fell victim to one of the oldest cybersecurity ruses: a phishing email. Phishing has also fueled the rise of ransomware, with thousands of businesses facing the decision whether “to pay or not to pay,” thanks to an unwary employee—even a CEO—getting caught in the phisher’s net.
If it can happen to a cybersecurity company, it can happen to yours. Since the weakest link in information security is almost always the human link, the best defense against a serious data breach is a cybersecurity-aware culture across the entire organization. Security Awareness Training is the key to creating that culture, from the executive team to every member of the organization.
Making Security Awareness Training a Financial Priority
Most companies struggle to align the stated priority of training with their willingness to spend money on it. A recent study by The Nemertes Research Group found that “employee awareness and insider threat” is the second-most-critical issue cited by participants. Yet when it comes to what firms are actually spending money on, security training ranks a distant fifth, with just 10% citing it as a budgeting priority, after analytics, threat detection and intelligence, monitoring, and endpoint security.
This misalignment is the primary reason that cases like DefensePoint’s still occur. Even sophisticated companies can pay lip service to training, while failing to invest in it.
Comprehensive Programs that Combine Training and Phishing Simulation Work
Most security awareness programs are superficial at best. They may include some sensible actions, but these don’t dovetail into a coordinated and comprehensive program. What is missing is an appreciation of the adversary organizations face and the degree of commitment an organization must have to mitigate risk. It is vital that the C-suite comes to terms with the extent of the threat and the sheer weight of resources the enemy is bringing to bear against naive employees. Only by doing so can C-level executives comprehend the measures that must be taken to secure the enterprise and the vital necessity of erecting a human firewall of informed and ever-vigilant users.
Training on its own, typically once a year, isn’t enough. Simulated phishing of personnel on its own doesn’t work. But the combination of traditional training and simulated phishing can greatly increase effectiveness. An important best practice is to intelligently integrate these components into an overall awareness campaign.
Even when testing confirms that phishing susceptibility has fallen to nominal levels, a continued effort to test employees is needed to determine whether security awareness training remains effective. The bad guys are always changing the rules, adjusting their tactics and upgrading their technologies. Therefore, training reinforcement must remain a part of the organizational security arsenal to keep pace with constantly evolving threats.
It is obvious that information security must be significantly improved on all fronts. Organizations must seek out and adopt the latest methods available to keep one step ahead of ever more resourceful cyber-criminals. However, many of the budget dollars spent on such programs will be wasted unless they are supported by a Security Awareness Training program that includes frequent simulated, randomized phishing attacks. The consequences of failing to do so go well beyond bad headlines. The estimated financial loss from 700 million compromised records in 2015 was $400 million, according to Verizon. One well-publicized data breach can lead to lost jobs (including those of the CEO, CIO and CISO), rising legal costs, non-compliance penalties, loss of brand reputation, customer churn, and a major hit on the bottom line.