Cybersecurity Awareness Training: Equipping the workforce for proactive security

The task of securing the enterprise network is no longer the exclusive responsibility of the Chief Information Security Officer (CISO) and the cybersecurity professionals. Everyone has a role to play, from the CEO to the most junior person in the organization.

It is imperative to train the workforce on the ever-evolving cyber threat landscape that is specific to the organization. The expansion of corporate device policies to include Bring Your Own Device (BYOD) has further increased the risk exposure of most organizations.

Therefore, expecting cybersecurity professionals to be superheroes in the event of a cyber attack is wishful thinking if the workforce is not trained on the basics of cybersecurity. While the security team spends most of its time patching, monitoring, and responding to threats, untrained users can undo all of that effort in a split second by unknowingly clicking on a malicious link.

Most attack sequences begin with an endpoint device. When an adversary compromises a single device such as a tablet, a BYOD phone or a laptop, the adversary gains initial access to the network. From there the adversary can establish persistence to maintain that foothold and escalate permissions and privileges to launch further attacks on your organization.

Implementing comprehensive security awareness training is non-negotiable for the 21st century business, given the sophistication of attacks perpetrated through social engineering, ransomware and spear phishing campaigns that target end users and employees via email.

Highlighted below are five of the many reasons your organization should implement a comprehensive security awareness training program for all employees.

Reasons for security training:

End users will know the patterns of threats

According to IBM's Cyber Security Intelligence Index, 95% of cybersecurity breaches are caused by human error. Comprehensive cybersecurity training helps all employees stay up to date with the threat landscape facing the organization. It equips the workforce with the tools to recognize and detect the pattern of a potential attack when it is instigated through a phishing mail or other means of social engineering.

End users know how to respond to threats

Beyond identifying the pattern of threats, cybersecurity training empowers the workforce to respond adequately to an attack. In a report published by Varonis (a US-based data security and analytics company), 56% of Americans do not know what steps to take in the event of a data breach. The content of the training program should be explicit, enumerating the steps an employee must take when faced with a potential attack. For instance, on receipt of a phishing mail, an employee should know how to report the phishing email or contact the relevant response team.

It is a compliance requirement

With the increasing sophistication and complexity of social engineering tactics, cybersecurity awareness training has become a major compliance requirement stipulated in frameworks from most industry regulators and standards bodies, including NIST, IEC, ISA, ISO, HIPAA, PCI-DSS, etc. For organizations to pass compliance audits satisfactorily, evidence of workforce training on cybersecurity awareness must be provided; otherwise, the result may be a Less Than Satisfactory (LTS) audit finding.

With phishing, everyone is a target

Hackers are no respecters of rank. They often target the weakest link to achieve their objectives. A malicious actor would rather spend a few minutes crafting a convincing spear-phishing email than spend several months researching a zero-day vulnerability. Every employee must be equipped with baseline cybersecurity awareness training to detect, proactively respond to and recover from a potential attack. It takes only one compromised end device (or user) to gain access to the network. Once this is achieved through a weak link, other tactics can be used to escalate privileges and maintain access.

The benefits of security training outweigh the cost

The initial and refresher training of employees comes at a cost to the organization. However, the cost of a single breach can far exceed it. Studies have shown that security-related risks are reduced by up to 70% when organizations invest in cybersecurity awareness training. The average cost of a data breach is $3.86 million as of 2020, according to IBM. Cybersecurity Ventures predicts that worldwide cybercrime costs will hit $6 trillion annually by 2021, that ransomware damage costs will rise to $20 billion by 2021, and that a business will fall victim to a ransomware attack every 11 seconds. Considering this information, would your organization rather not invest in a comprehensive cybersecurity awareness training program to reduce the risk?

In conclusion, one of the best strategies you can adopt to protect your business and organization from malicious actors and prevent breaches is to implement a comprehensive security awareness training program. It should not be a one-off event to tick a box; refresher training must be incorporated as well. The training should be interactive, engaging and robust, covering relevant topics such as phishing, physical security principles, ransomware, email compromise and the prevailing user-oriented attack methods. The frequency of training can be adjusted to fit the needs of the organization or based on insights derived from relevant metrics.

Your first line of defense against a cyber attack is often your employees. When they are well trained, they know the best strategies to prevent, respond to, and recover from an attack. Investment in cybersecurity awareness training may appear costly, but the cumulative result for an organization is far more gainful.
