How proper training can turn employees into your best security asset
Cybersecurity has become a major focus for business leaders today, and rightly so, with the number of major data breaches on the rise. Just look at the spike in breaches reported to the U.S. Department of Health and Human Services (HHS) in the first half of 2021. From the 700 million user records leaked from LinkedIn to the data of more than 100 million Android users exposed by mobile app developers, businesses have come under fire this year from bad actors looking to make money. The threat to today's businesses is very real, but properly trained employees can be a business's best security resource.
According to Gartner, a leading technology research and advisory firm, "People impact security outcomes much more than any technology, policy, or process. People play an undeniable role in an organization's overall security and risk posture. This role is defined by both inherent strengths and weaknesses: People's ability to learn and their capacity for error."
The Human Factor
Human error leads to breaches all the time. Whether an unsuspecting employee clicks a phishing link that lets malware onto your network or someone misplaces a phone, tablet, or laptop with unsecured access to proprietary data, human error can lead to big security problems. According to cybersecurity trends posted by TechBuddys, 95 percent of security breaches involve human error.
Study after study shows that the largest threat to any business, by far, is the people who work there. Verizon's 2021 Data Breach Investigations Report (DBIR) attributes 265 incidents to insiders misusing their access, 222 of them with confirmed data disclosure. In the same report, the Miscellaneous Errors pattern (unintentional mistakes such as misdelivery and misconfiguration) resulted in confirmed data disclosure more than 97 percent of the time. The data exposed by simple human error ranged from personal data to medical records, banking data, and credentials.
“Humans make mistakes, often at scale,” according to the Verizon report.
Though statistics like these show the urgent need for ongoing, repeated, and engaging cybersecurity awareness training, many business leaders still fail to see its importance and value.
To fortify the human factor in your business security, you must educate your employees on an ongoing basis. They need cybersecurity awareness training that covers everything from phishing and social engineering to weak network security and compromised passwords. This is especially true for a remote workforce, which is often even more exposed to attacks.
Terrible Training Stats
Employees should be the first layer of security for every business, but the fact of the matter is that they have become the largest threat to business security today, in large part because of a lack of proper cybersecurity awareness training. A June 2020 survey by TalentLMS and Kenna Security found that, despite how important such training is, only 69 percent of respondents had received employer-sponsored cybersecurity training. Of those who had, 61 percent failed a basic cybersecurity quiz, and 60 percent of those who failed still reported feeling safe from threats. Talk about overconfidence!
Also telling: only 17 percent of employees working in information services passed the cybersecurity quiz, while 57 percent of healthcare employees passed the same test. The good news is that 59 percent of employees surveyed by TalentLMS reported receiving cybersecurity training in response to the rise in remote work during the COVID-19 pandemic.
Why Training is Imperative
As mentioned earlier, breaches among businesses of all sizes are on the rise, and the costs to remediate them are increasing as well. The FBI's Internet Crime Report 2020 recorded reported losses rising from $3.5 billion in 2019 to $4.2 billion in 2020. Additionally, IBM's Cost of a Data Breach Report 2021 found a 10 percent increase in the average cost of a breach between 2020 and 2021 alone, the largest single-year cost increase in the last seven years.
The same IBM report also found that remote work was a factor in both the cause and the cost of breaches.
"The average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor," according to the Cost of a Data Breach Report 2021 by IBM. "The percentage of companies where remote work was a factor in the breach was 17.5 percent. Additionally, organizations that had more than 50 percent of the workforce working remotely took 58 days longer to identify and contain breaches than those with 50 percent or less working remotely."
Verizon's 2020 Data Breach Investigations Report found that 86 percent of breaches were financially motivated and 10 percent were motivated by espionage. Of the breaches analyzed, 45 percent involved hacking, 17 percent involved malware, and 22 percent involved phishing. All of these are topics that cybersecurity training should cover so employees learn what to look for and how to avoid falling victim to such tactics.
The Law Has Changed
In 2018, when we originally wrote this post, cybersecurity training was a recommendation we at ORAM Corporate Advisors made to our clients. Now it is no longer just a recommendation but a legal requirement in many places. This is especially true in Massachusetts, where ORAM is based. Many other states, such as California and New York, now also require cybersecurity awareness training as part of a business's written information security program (WISP).
With this in mind, the primary goal of cybersecurity awareness training is to change the behavior of your employees so they are less susceptible to social engineering: being manipulated, influenced, or deceived into taking an action that is not in the best interest of your business. The most common examples of social engineering are phishing and spear-phishing, delivered by email, phone, postal mail, or direct contact, to trick people into doing something that will harm your company. You have the power to stop this by incorporating cybersecurity awareness training into your business before it is too late.
When to Train?
The most effective cybersecurity awareness training programs are ongoing. The first training for every employee should occur during onboarding. Thereafter, there should be frequent training opportunities and reminders, even brief ones such as a monthly computer-based module that takes only a few minutes.
Every employee should be offered deeper training annually to update them on the latest threats to businesses in their industry and remind them of what they can do to help prevent attacks. There should also be additional training whenever a potential threat is identified or a cyber incident has occurred within the company, so that the same mistake is not repeated.
What Should Be Covered?
One of the best ways companies can mitigate their cybersecurity risk is through proper training. The wrong approach is a once- or twice-a-year exercise where everyone is gathered for a long, boring PowerPoint presentation. That feels more like a punishment for busy employees than a valuable learning opportunity.
Not only should training be consistent, with frequent, easy-to-follow sessions, but it should also vary by topic and address the particular access to valuable data each employee has because of their role. Not everyone learns the same way, and not everyone needs to learn the same material.
Offer training aimed at specific roles, taking into account how much access each role has to valuable data and how its holders are most likely to be targeted by attackers. Interactive, role-based training in small, digestible portions delivered more frequently is something employees will see as valuable and find easier to put into practice.
There should also be an emphasis on defeating social engineering attacks such as phishing emails, which can lead to network-wide disasters. The Verizon report found that while 78 percent of people don't click a single phishing email all year, an average of four percent of targets in any given phishing campaign will click it. More troubling, the more phishing emails someone has clicked in the past, the more likely they are to click again.
Assess for Success
Cybersecurity training should also be assessed with frequent, short quizzes during training and reinforced with simulated phishing campaigns and penetration tests that include a social engineering component. Measuring the results, not just completion, ensures employees actually absorb the lessons being taught so they can act as the business's first line of cyber defense.
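To make the "assess" step concrete, here is an added example, written for this page and not ORAM's training software or any vendor's export format, that scores simulated phishing campaigns the way the two sections above suggest: per-campaign click, credential-submission and report rates, plus a remedial-training queue built from repeat clickers (the Verizon finding above is that past clickers are the most likely to click again) and anyone who submitted credentials. The event schema, campaign names and user names are constructed for the example.

```python
"""Phishing-simulation scorecard (added example; hypothetical event schema)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One row from a phishing-simulation export (hypothetical schema)."""
    campaign: str
    user: str
    action: str  # "sent", "clicked", "submitted" (entered credentials), "reported"


USERS = ("alice", "bob", "carol", "dave", "erin")  # constructed sample users

# Constructed sample data: three quarterly campaigns sent to the same five users.
SAMPLE_EVENTS = (
    [Event("2021-Q1", u, "sent") for u in USERS]
    + [
        Event("2021-Q1", "bob", "clicked"),
        Event("2021-Q1", "dave", "clicked"),
        Event("2021-Q1", "dave", "submitted"),   # dave typed his password into the fake page
        Event("2021-Q1", "alice", "reported"),
        Event("2021-Q1", "carol", "reported"),
    ]
    + [Event("2021-Q2", u, "sent") for u in USERS]
    + [
        Event("2021-Q2", "bob", "clicked"),
        Event("2021-Q2", "bob", "clicked"),      # duplicate click; must count once
        Event("2021-Q2", "alice", "reported"),
        Event("2021-Q2", "erin", "reported"),
    ]
    + [Event("2021-Q3", u, "sent") for u in USERS]
    + [
        Event("2021-Q3", "bob", "clicked"),
        Event("2021-Q3", "erin", "clicked"),
        Event("2021-Q3", "alice", "reported"),
        Event("2021-Q3", "carol", "reported"),
        Event("2021-Q3", "dave", "reported"),
    ]
)


def _users_by_action(events):
    """Map (campaign, action) -> set of distinct users, so repeated clicks count once."""
    table = defaultdict(set)
    for e in events:
        table[(e.campaign, e.action)].add(e.user)
    return table


def campaign_metrics(events):
    """Per-campaign rates as fractions of the users the lure was sent to."""
    table = _users_by_action(events)
    metrics = {}
    for campaign in sorted({c for c, _ in table}):
        sent = table[(campaign, "sent")]
        if not sent:
            continue  # no denominator; skip a malformed campaign rather than divide by zero
        n = len(sent)
        metrics[campaign] = {
            "sent": n,
            "click_rate": len(table[(campaign, "clicked")] & sent) / n,
            "submit_rate": len(table[(campaign, "submitted")] & sent) / n,
            "report_rate": len(table[(campaign, "reported")] & sent) / n,
        }
    return metrics


def campaigns_clicked(events):
    """user -> number of distinct campaigns in which that user clicked."""
    clicked = defaultdict(set)
    for e in events:
        if e.action == "clicked":
            clicked[e.user].add(e.campaign)
    return {u: len(cs) for u, cs in clicked.items()}


def training_queue(events, repeat_threshold=2):
    """Users to route to remedial training: repeat clickers, plus anyone who
    submitted credentials even once (the costliest outcome)."""
    repeats = {u for u, n in campaigns_clicked(events).items() if n >= repeat_threshold}
    submitted = {e.user for e in events if e.action == "submitted"}
    return sorted(repeats | submitted)


def report_trend(metrics):
    """True when the report rate never fell between consecutive campaigns,
    i.e. employees are increasingly reporting lures instead of ignoring them."""
    rates = [m["report_rate"] for _, m in sorted(metrics.items())]
    return all(later >= earlier for earlier, later in zip(rates, rates[1:]))


if __name__ == "__main__":
    results = campaign_metrics(SAMPLE_EVENTS)
    for campaign, stats in results.items():
        print(campaign, {k: round(v, 2) for k, v in stats.items()})
    print("remedial training queue:", training_queue(SAMPLE_EVENTS))
    print("report rate improving:", report_trend(results))
```

The report rate is the number worth watching: a falling click rate with a flat report rate usually means people are ignoring lures, not recognizing them, and a real phish that nobody reports still gives the attacker a foothold. Lowering `repeat_threshold` to 1 turns the queue into a "clicked at all" list, which is useful right after an incident.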
How to Train
One of the most effective and most commonly used methods of cybersecurity awareness training today is interactive, computer-based training. It makes training readily available to all employees, whether they work in the office or remotely, on the laptops, tablets, and smartphones they already use, and engages them in learning about the invaluable role they play in protecting your business.
"Showing a trainee how to recognize that out of nearly 20 types of files an email attachment could come in, the only one that is absolutely safe to open is a file ending in .txt can be a security game-changer," according to the whitepaper How to Fortify Your Organization's Last Layer of Security: Your Employees. "Providing short, three- or four-question quizzes at regular intervals during a training module helps employees review and reinforce their understanding of particular training elements and can increase their trust in the impact the course is having and motivate them to complete it, thanks to congratulatory messages after each quiz."
At the end of the day, people can become your best means of defense only when the proper security awareness training is in place. It shows them how they may be susceptible to phishing, social engineering, and credential loss, and that they can defeat such threats. One caution on rules of thumb like the attachment example above: no file type is risk-free, because an extension can be disguised or doubled and even a plain-text file can carry a malicious link or instructions, so teach employees to judge the sender and the context of a message, not just the file type. Proper cybersecurity training also demonstrates that you are willing to invest in your employees as much as in the technology they use every day. With that insight and education, your employees will feel empowered to protect the business you are all working so hard for.
ORAM offers software that provides top-notch employee cybersecurity training. Call ORAM Corporate Advisors today at (617) 933-5060 for help developing and implementing an effective cybersecurity awareness training program for your business.