People are the Problem
Research by IBM last year found that human error is responsible for 95% of all security incidents.
Blue Coat recently surveyed 814 qualified IT decision makers and practitioners across Europe and the US. All came from organizations with at least 500 employees, and 71% admitted being affected by a successful cyber attack during 2014.
But despite all that, only 22% of information workers are concerned about security at their organization.
Poor security awareness is the single biggest obstacle to defending against cyber attacks. And poor security awareness training is rife.
Why Most Security Awareness Training Sucks… And How To Make Sure Yours Doesn’t
We’ve all experienced bad security awareness training.
The worst I’ve personally encountered was paradoxically whilst working with extremely sensitive client data for an organization boasting over 23,000 employees.
You know the drill. You get an email once a year telling you to go back and complete dry, out-of-date online courses on data protection, email security, and not writing your passwords down on a post-it stuck to your monitor.
So long as you click through the dry, tedious slides, you’ll be left alone for another 12 months.
Now clearly this isn’t a good way to conduct your security awareness training, and there are multiple reasons for that:
- It’s just a box ticking exercise. There’s no buy-in to the notion that security awareness might actually be important. Worse, by taking this lackadaisical approach, you’re effectively telling your employees that they shouldn’t care, either.
- It’s out of date. By their very nature, cyber threats are constantly evolving. New tactics are being employed all the time, and your employees need to know how to deal with them now, not next year.
- There’s no ‘Why’. When it comes to it, nobody is going to care about cyber security just because you say they should. They need to understand why it’s important and what the consequences of being unprepared could be.
If you want your security awareness training to be effective, you need to answer three main questions: Who? Why? And How.
We’ll start with who.
Not All Employees Are Born Equal
It might not please you to hear it, but security awareness training is not ‘one size fits all’.
Of course, there is a bare minimum level of understanding that every employee should have. And when I say everybody, I mean everybody.
For example, maintenance and cleaning staff are often passed over without a thought. After all, they don’t handle any sensitive data, so what’s the point?
The problem is, they have physical access to your buildings, files, and computer systems. If you don’t train them they could easily fall prey to even the most basic of social engineering threats, and the results could be catastrophic.
On the other end of the spectrum, most organizations have plenty of employees whose level of security awareness should be well above the ‘bare minimum’. Senior executives, employees handling sensitive data, and anybody with higher-than-average system privileges should receive more comprehensive training.
Where all your employees might receive basic email, web browsing and password security training, these employees have more advanced needs. High-level executives in particular are likely to be targeted by social engineering and spear phishing attacks and should be prepared to face them.
Finally, there are those employees who hold security-related roles within your organization. These people should hold formal credentials in the field, but they should also be routinely trained on new and trending information/cyber security threats. Some (or all) of them should also be responsible for administering training to the rest of the organization, and helping develop a security-conscious culture.
If this final layer of personnel doesn’t exist in your organization, I highly recommend you either fix that immediately, or outsource your security awareness training altogether.
There simply is no way to produce a quality training plan without one or the other.
What’s The Worst That Could Happen?
Knowing why you need security awareness training is vital, but it’s not for your benefit.
It’s for your employees.
Knowing what might happen if they aren’t prepared for cyber threats is a key ingredient in convincing people to buy-in to your training plan. If they view it as a waste of their time, you can guarantee it will be a waste of yours, not to mention your budget.
According to Ponemon Institute, as of May 2015 the average total cost of a data breach is $3.8 million, up from $3.5 million last year.
Remember that study I mentioned earlier? 71% of respondents admitted their company had been affected by a successful cyber attack in the last year.
Now consider that many of the high profile breaches we’ve read about recently in the papers originated from a single successful spear phishing email.
What’s the worst that could happen? You could cost your company a lot of money.
What To Include in your Security Awareness Training
In the coming weeks we’ll be covering some of the many topics that should be included in your security awareness training. We’ll be looking at what information might be needed at each level of your organization and how you can equip your employees with the knowledge they’ll need to avoid falling victim to the latest cyber threats.
For now, we’ll take a quick look at the main areas for inclusion.
Password Strength. Bad passwords are a major cause of security breaches, but forcing employees to devise a password that conforms to ‘strange’ requirements (e.g. at least 10 characters, must include capitals, lower case and numbers) makes it difficult for them to remember. This leads many to write their passwords down, meaning anybody strolling past their desk could access their account in seconds.
Social Engineering. What happens when electronic systems become too secure for a would-be cyber criminal to crack? They go after the weak link: People.
Social engineering has become extremely prevalent in recent years, largely because it’s completely non-technical. Individuals are targeted in an attempt to trick them into breaking normal security procedures, inadvertently putting their whole organization at risk. This is a vital aspect of any security awareness training plan.
Email Security. Nearly everyone in your organization will have heard of phishing (or spear phishing) attacks, but that doesn’t mean they’re prepared for them. Don’t forget that even cyber security providers fall prey to these scams now and then. And of course we’ll also look at malware and other threats to email security.
Web Browsing & Internet Security. Most organizations apply filters to prevent their employees from accessing dangerous parts of the web, but we can never completely protect our employees. They need to know how to recognize when they’ve wandered off the beaten path, what not to click on, and when to admit they’ve made a mistake.
Social Network Security. Somehow I have never seen this included in a security awareness training plan. Never.
And that’s crazy, because not only can improved awareness help protect your organization, it can help protect your employees in their private lives too. Changing just a few settings can dramatically reduce the chances of being targeted by spear-phishing or social engineering attacks.
Mobile Security. This has become a huge issue in recent years, particularly since the birth of ‘Bring Your Own Device’ (BYOD) policies. Studies have consistently found that employees simply don’t understand the risks involved with using mobile devices for work, and that needs to change if your organization is to remain secure.
Physical Security. However you look at it, physical and cyber security are inexorably linked. The fields share many common principles, and though the specifics may vary, ultimately it’s hard to get away from the fact that physical access to your organization’s IT systems will make a hackers life much, much easier.
Culture is Everything
When all is said and done, the success of your security awareness training plan will come down to one thing: Your employees.
The IT department might take ultimate responsibility for cyber security, but it’s only by working together as an organization that all threats can be successfully defended. Cyber threats are simply evolving too quickly for technical solutions to be 100% effective.
In order to be successful, your training plan must engage employees as well as educate them.
They must understand the why before they’ll be willing to learn the how.