Most companies’ single greatest cyber vulnerability is their workforce. Phishing is the most common hacking technique. Don’t neglect to train and regularly test your employees on the cybersecurity front.
Organizations often think about cyber defenses in terms of hardware upgrades, software updates and cybersecurity tools. Boards want something tangible when they allocate resources. But the truth is that people are by far the weakest link for most companies. Hacking complex systems is a daunting task, and there’s simply no need when threat actors can directly target employees and use social engineering techniques to persuade them to bypass security measures.
These kinds of attacks are alarmingly common. As many as 27 percent of businesses report weekly breaches or attacks, according to recent research from the U.K.’s Department for Digital, Culture, Media and Sport (DCMS). The DCMS also found that the most common threat vector by far was phishing, which accounted for 83 percent of those attacks. For organizations to overcome this threat, it’s crucial to prioritize proper training and testing of the workforce.
Traditional Approaches Are Failing
The pandemic has exposed and exacerbated existing issues by accelerating the rise of remote working. Traditional approaches such as employee monitoring have become more challenging to deploy – and less effective. Managing a rapidly growing list of endpoints, trying to keep software patched and restricting access to networks has never been more difficult.
With limited resources, some form of triage is needed to guide prioritization. This process starts with an in-depth risk assessment. What are the main threat vectors facing your organization? Conduct a post-mortem on any breaches or incidents that have occurred. Factor in the importance of particular systems and data to identify the scenarios that are both most likely to occur and most damaging if they do.
Security Awareness Training and Testing
There’s an opportunity to enlist the help of employees in maintaining a high level of security, but they must be thoroughly briefed about the kinds of threats they face and precisely what they should do when facing a suspected attack. Not all security awareness training programs are created equal. It takes thought and careful planning to craft truly effective training materials.
- Training must be fun and engaging if you expect employees to put real effort into it.
- It must be relevant to particular roles, with examples that employees are likely to encounter in their daily work.
- Cater to the shifting landscape and update training based on emerging threats and incidents that occur.
- Model the behavior you want to encourage and reward employees who nail it.
It’s vital to follow training with regular testing to measure its effectiveness. Mock phishing exercises make it clear instantly whether employees are up to speed and capable of spotting an attempted attack. Not only do they reveal who may fall victim to an attack, but they also highlight how often suspected phishing emails go unreported. Despite the value of mock phishing exercises, the DCMS found that only 20 percent of companies currently test their staff.
Building a Case for Adoption
Tightening the security performance of employees is challenging, and it takes time. Compared to the acquisition of a new software tool, the benefit may not be as readily apparent. That’s why it’s so important to paint a picture for the board to secure buy-in. You can do this in several ways, but a mock phishing campaign is a great place to start: it shows where your workforce stands today and creates a baseline to measure improvements against.
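As an added illustration (not part of the original article, and not KnowBe4's own reporting), here is how a security team might turn the raw outcomes of a baseline and a follow-up mock phishing campaign into the numbers the preceding paragraphs call for: who fell for it, how many reported it, how many stayed silent, and the change between campaigns. The campaign records, user IDs and role names are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample results from two simulated phishing campaigns (not real data).
# Record: (campaign, user, role, outcome). Outcomes: "ignored" (no action), "reported"
# (used the report button), "clicked" (followed the link), "clicked+reported" (both).
RESULTS = [
    ("baseline", "u01", "finance", "clicked"),
    ("baseline", "u02", "finance", "ignored"),
    ("baseline", "u03", "finance", "clicked"),
    ("baseline", "u04", "engineering", "reported"),
    ("baseline", "u05", "engineering", "ignored"),
    ("baseline", "u06", "engineering", "clicked+reported"),
    ("followup", "u01", "finance", "reported"),
    ("followup", "u02", "finance", "ignored"),
    ("followup", "u03", "finance", "clicked"),
    ("followup", "u04", "engineering", "reported"),
    ("followup", "u05", "engineering", "reported"),
    ("followup", "u06", "engineering", "ignored"),
]

def campaign_metrics(results, campaign):
    """Per-role metrics (plus an "all" row) for one campaign, in percent.
    phish_prone = clicked (even if reported later); report_rate = reported (even if
    clicked first); unreported = neither, i.e. emails the security team never hears about."""
    by_role = defaultdict(Counter)
    for camp, _user, role, outcome in results:
        if camp != campaign:
            continue
        by_role[role][outcome] += 1
        by_role["all"][outcome] += 1
    metrics = {}
    for role, c in by_role.items():
        n = sum(c.values())
        clicked = c["clicked"] + c["clicked+reported"]
        reported = c["reported"] + c["clicked+reported"]
        metrics[role] = {"delivered": n,
                         "phish_prone": round(100 * clicked / n, 1),
                         "report_rate": round(100 * reported / n, 1),
                         "unreported": round(100 * c["ignored"] / n, 1)}
    return metrics

def improvement(results, before="baseline", after="followup"):
    """Percentage-point change per role; lower phish_prone/unreported and higher report_rate is progress."""
    b, a = campaign_metrics(results, before), campaign_metrics(results, after)
    keys = ("phish_prone", "report_rate", "unreported")
    return {r: {k: round(a[r][k] - b[r][k], 1) for k in keys} for r in b if r in a}

if __name__ == "__main__":
    print(campaign_metrics(RESULTS, "baseline")["all"])
    print(improvement(RESULTS)["all"])
```

Tracking the unreported share separately matters: in the constructed data the click rate falls sharply between campaigns while the share of silently ignored emails does not move at all.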
Analyze previous breaches and security incidents and try to identify the root causes. Drill down into the expense and disruption that can be caused by a single successful targeted phishing attack. When you weigh the potential costs of a major data breach, proper security awareness training and testing starts to look relatively cheap.
Fostering a Security Culture
Raising awareness isn’t an end in itself. Training employees to have better security hygiene should be followed up with clear policies and tools for reporting. Testing is crucial to gauge whether your training program is effective. The idea of building a security culture can seem vague, but at heart, it’s about making security part of every conversation and making everyone responsible.
Training and testing are also complementary activities, not replacements for firewalls, VPNs and vulnerability scanning. By bringing your staff on board and showing that your organization values security, you encourage them to make improvements in their departments, raise standards and squeeze more value from the tools and procedures you have in place.
Ultimately, it could not be clearer that hackers see people as low-hanging fruit. As long as they continue to target employees, the most effective response is to do likewise and arm your workforce with the knowledge, processes and tools it needs to fight back.
The best defense against social engineering attacks? Teach people to spot them, make it easy for them to report anything suspicious and reward the behavior you want to see.
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 37,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.