Victims of cyberattacks are in the news nearly every day. They are large and small, and range from healthcare, finance and utilities to local government and entertainment.
In its 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders, meaning employees or others with internal access to an organization’s systems. Of those, three-quarters involved malicious intent and one-quarter involved inadvertent actors. In other words, insiders, whether malicious or simply careless, account for a large share of every organization’s exposure.
Security awareness training puts employees and management on the same page about IT security and the roles each plays in it. It helps an organization understand its IT governance, handle incidents when they do happen, and respond to customers’ concerns. Most importantly, security awareness training can reduce the impact of a security incident, or stop one from happening at all.
If that isn’t enough to convince you, here are five more reasons why security awareness training should be a priority on your organization’s to-do list for 2018.
1. Social Engineering
Social engineering, in which an attacker uses human interaction and other social techniques to extract information about an organization and its systems from its people, remains the go-to strategy for attackers. The attacker may seem unassuming or even official, posing as a fellow employee, help desk technician or researcher by phone, email or in person, and in the end pieces together enough information to get into the organization’s network.
Whatever the pretext, a social engineering attack leaves far less of a digital trail and usually takes far less effort than a technical exploit. Together these factors make attacks on your organization’s weakest link, your staff, very appealing.
Security awareness training can familiarize employees with the techniques attackers commonly use, including what to look for in unsolicited emails, visits and phone calls. Regular training reinforces this, reminds employees not to give out personal or corporate information, and tells them what to do when they doubt the legitimacy of a contact.
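The indicators that training teaches people to spot in a suspicious email can also be checked mechanically. The following is an added example, not code from the original article: it runs a handful of those checks (a display name that claims an internal address, a Reply-To pointing somewhere other than the sender, a lookalike sender domain, urgency language in the subject, and a link whose visible text names a different host than its target) over two constructed messages. The trusted domain list, the sample messages and the indicator wording are all assumptions made for the example.

```python
"""Phishing indicator checks over constructed e-mail messages (added example).

The trusted domains, confusable-character table and sample messages below are
assumptions for illustration, not data from any real deployment.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's own domain and a trusted partner domain.
TRUSTED_DOMAINS = {"example.com", "payroll-provider.example"}

# Single-character swaps attackers use to build lookalike domains; "rn" -> "m"
# is handled separately because str.maketrans only maps single characters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URGENCY = ("urgent", "immediately", "within 24 hours",
           "account suspended", "action required")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or a real subdomain of one (mail.example.com)."""
    return domain in TRUSTED_DOMAINS or any(
        domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def normalize(domain: str) -> str:
    """Undo common visual substitutions so examp1e.com compares as example.com."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one added, dropped or changed character counts 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
        # example.com.attacker.net: trusted name used as a leading label.
        if "." + trusted + "." in "." + domain + ".":
            return trusted
    return None


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    # 1. Display name is itself a trusted address, but the real sender is not.
    m = re.search(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+", name)
    if m and is_trusted(domain_of(m.group(0))) and not is_trusted(sender):
        findings.append(f"display name claims {m.group(0)} but sender is {addr}")
    # 2. Replies are routed to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender:
        findings.append(f"reply-to domain {domain_of(reply)} differs from {sender}")
    # 3. Sender domain imitates a trusted one.
    imitated = lookalike_of(sender)
    if imitated:
        findings.append(f"sender domain {sender} imitates {imitated}")
    # 4. Pressure language in the subject.
    hits = [w for w in URGENCY if w in (msg.get("Subject") or "").lower()]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    # 5. Link text shows one host, href points at another.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")
    collector = _Links()
    collector.feed(body)
    for href, text in collector.links:
        if "." in text and " " not in text and host_of(text) != host_of(href):
            findings.append(f"link text {text} points to {host_of(href)}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "it-helpdesk@example.com" <alerts@examp1e.com>
Reply-To: recover@mailbox-collect.net
To: staff@example.com
Subject: URGENT: Action required - account suspended
Content-Type: text/html

<p>Your mailbox will be disabled within 24 hours.</p>
<p><a href="http://examp1e.com/login">https://example.com/owa</a></p>
"""

LEGIT = """\
From: IT Help Desk <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

Mail will be unavailable from 02:00 to 04:00.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

Each of the five checks corresponds to a cue that awareness training asks people to notice by eye; automating them in a mail gateway or a reporting-button workflow catches the same cues before the message reaches a distracted reader, and the legitimate maintenance notice produces no findings.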
2. The Rise of Ransomware
If you have not yet heard of or been hit by ransomware, chances are you will soon. Malware that holds your network and data hostage is not going away while the technique stays profitable for criminals. According to Bitdefender, ransomware victims paid more than $2 billion in ransoms in 2017, up from $1 billion in 2016, and the real figure is probably much higher because many victims do not report incidents in order to protect their reputations. Ransomware increases operating costs, decreases productivity and can even threaten lives when police, utilities or healthcare services are hit.
Security awareness training can make employees wary of suspicious links and attachments, educate managers and leaders on the value of additional security controls, and help slow the spread of ransomware through a network. According to a McAfee report on the economic impact of cybercrime, as of February 2018 over 6,000 online marketplaces offered more than 45,000 products that make launching an attack easy, so even novice criminals can do it. Regular security awareness training helps harden your organization against this growing threat.
3. Maintaining Compliance
Of the more than 8,500 local, state and federal compliance standards that organizations may have to meet, many require security awareness training. From the Payment Card Industry Data Security Standard (PCI DSS, Requirement 12.6) to Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA, whose Security Rule at 45 CFR §164.308(a)(5) calls for a security awareness and training program), many of the most common standards and laws require organizations to have awareness programs in place. Sometimes the requirement is as simple as educating employees through posters, memos, meetings and policies, while others, such as COBIT, ISO/IEC 27001 and 27002, and the Federal Information Security Management Act (FISMA), require users of information systems to understand the risks of their work, their role in a security event and their responsibility to comply with agency policies.
4. Consider It an Investment
Most non-IT executives do not appreciate how fast and how far a cyberattack can spread until it is too late, let alone how much it can cost the bottom line. Once you have been hit, you will find yourself asking what could have been done differently.
Scanning, wiping and rebuilding every workstation, server and other piece of hardware in the organization costs thousands, and explaining it all to customers and the board of directors costs as much again; security awareness training costs far less. Nothing can guarantee that a negative event will not occur, but training reduces both the probability that it does and its ultimate impact.
There are many pre-packaged and customizable security training programs to choose from to match your employees’ needs, operating environment and requirements, and some organizations build their own in-house. Whichever route you take, treat the training as an investment.
5. Arm Employees to Fight Back
Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) found that technology, engineering and science are used in 75% of the fastest-growing occupations, highlighting a trend already prevalent in many workplaces in 2018. From digital punch clocks for service employees to teachers managing databases full of student data, the security exposure in today’s everyday tasks would have been unheard of a decade ago.
Turning a blind eye to threats that run from the bottom to the top of your organization chart is no longer an option. Security awareness training makes employees the first and last line of defense, multiplying your chances of thwarting an attack and helping staff understand their role in maintaining the integrity of your organization’s infrastructure.
Simply put, security awareness training is a necessity for any organization. If employees know what to watch for, how to block an attempt and where to turn for help, that alone repays the investment. Training is not a cure-all, but arming your employees to fight back can play a significant role in thwarting future attacks.