Security awareness training is a critical cyber security control and is often an organisation's first line of defence against intrusion attempts. The Verizon 2021 Data Breach Investigations Report found that 85 percent of breaches involved a human element and that 36 percent involved phishing, so building a culture of greater cyber vigilance across an organisation can significantly reduce the risk of a serious attack.
Often, employees are not aware of the consequences of poor cyber hygiene, or of what a single click on a malicious link can cost an organisation. According to the Ponemon Institute and IBM's Cost of a Data Breach Report, the average cost of a data breach in 2021 was USD 4.24 million, up from USD 3.86 million in 2020. The average time to identify and contain a breach in 2021 was 287 days, and every additional day a breach goes undetected adds to the cost for the victim organisation.
Malicious email attachments and phishing links are among the most popular and lowest-cost methods attackers use to get into enterprise environments. Threat actors are also increasingly resorting to social engineering initiated on social media platforms, SMS and instant messaging apps to steal credentials or gain access to company networks. An unaware employee can easily fall victim to such scams and fraudulent messages and unwittingly start a whole attack chain*.
*Cyber attacks are carried out in multiple stages, including reconnaissance, initial access, execution, privilege escalation, command and control, lateral movement and data exfiltration. Human error is often what gives an attacker initial access to an enterprise environment, from which much larger attacks are launched.
A successful training program can only be built if the end goals and desired outcomes are clearly defined. These may include driving behavioural change across the organisation, prioritising security and building a security-first culture, complying with the security regulations applicable to your industry, and more, all of which should together reduce overall risk to the organisation. Phishing simulation click rates, performance on knowledge tests and the rate at which employees detect and report fraud attempts should all be measurable and should improve over time.
Training available in multi-channel and multi-format modules is most effective. Learning tracks should be based on the target audience and end goal. Organisations are moving towards shorter modules that include engaging video content delivered on a regular basis, as opposed to once-a-year mandatory training. Frequent short videos and content pieces that can be consumed in under ten minutes keep employees engaged and make sure the message sticks.
A number of Security Awareness Computer-Based Training (SACBT) platforms today leverage artificial intelligence and machine learning to understand routine user activity patterns and alert the user immediately after an error is committed. The user may then be directed to a training module that addresses the specific mistake that was made. This kind of interventional training increases the chances of employees remembering what not to do in the future. Consider a platform that features this kind of targeted training to increase training effectiveness.
Different training platforms include different mechanisms for assigning risk scores to user groups, departments or the organisation as a whole, based on surveys, questionnaires and phishing simulation results. This enables the vendor to provide targeted training based on existing risk levels and to prioritise remediation for high-risk groups.
Good security training solutions must provide multiple customisation options so that training modules fit specific contexts and work for the user groups they are targeting. This may be based on effective risk scoring or criteria like an employee's role in an organisation, level of access to protected data, admin rights, or performance in past campaigns.
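The metrics and risk-scoring ideas above (measurable phishing click rates that should fall over time, risk scores per department, and prioritising users by admin rights and past campaign performance) can be made concrete with a small script. The following is an added example, not code from the original page or from any training vendor: the scoring weights, the record layout and the sample campaign results are all constructed for illustration, and a real platform will use its own model.

```python
"""Illustrative phishing-simulation metrics and a hypothetical risk score.

Added example. The data model and the scoring weights are assumptions made
for this illustration, not any vendor's method.
"""
from collections import defaultdict

# Constructed sample: one record per user per simulated-phishing campaign.
# "clicked" = followed the simulated link; "reported" = used the report button.
SIM_RESULTS = [
    {"user": "ana",  "dept": "finance", "admin": False, "campaign": 1, "clicked": True,  "reported": False},
    {"user": "ana",  "dept": "finance", "admin": False, "campaign": 2, "clicked": True,  "reported": False},
    {"user": "ben",  "dept": "finance", "admin": False, "campaign": 1, "clicked": False, "reported": True},
    {"user": "ben",  "dept": "finance", "admin": False, "campaign": 2, "clicked": False, "reported": True},
    {"user": "cara", "dept": "it",      "admin": True,  "campaign": 1, "clicked": True,  "reported": False},
    {"user": "cara", "dept": "it",      "admin": True,  "campaign": 2, "clicked": True,  "reported": False},
    {"user": "dev",  "dept": "it",      "admin": True,  "campaign": 1, "clicked": True,  "reported": False},
    {"user": "dev",  "dept": "it",      "admin": True,  "campaign": 2, "clicked": False, "reported": True},
]


def campaign_metrics(results):
    """Click rate and report rate per (department, campaign), as fractions 0..1."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[(r["dept"], r["campaign"])]
        c["n"] += 1
        c["clicked"] += int(r["clicked"])
        c["reported"] += int(r["reported"])
    return {
        key: {"click_rate": v["clicked"] / v["n"], "report_rate": v["reported"] / v["n"]}
        for key, v in counts.items()
    }


def click_rate_trend(metrics, dept):
    """Click rates for one department in campaign order; a working program should see this fall."""
    return [metrics[key]["click_rate"] for key in sorted(metrics) if key[0] == dept]


def user_risk_scores(results, admin_weight=2.0, repeat_weight=3.0, report_credit=1.0):
    """Hypothetical per-user score (higher = more risk).

    Each click counts 1; clicking in two or more campaigns adds repeat_weight;
    admin rights multiply the click component; each report earns report_credit back.
    """
    per_user = defaultdict(lambda: {"admin": False, "clicks": 0, "reports": 0})
    for r in results:
        u = per_user[r["user"]]
        u["admin"] = r["admin"]
        u["clicks"] += int(r["clicked"])
        u["reports"] += int(r["reported"])

    scores = {}
    for name, u in per_user.items():
        click_component = float(u["clicks"])
        if u["clicks"] >= 2:           # repeat clicker across campaigns
            click_component += repeat_weight
        if u["admin"]:                 # a compromised admin account is worth more to an attacker
            click_component *= admin_weight
        scores[name] = max(click_component - report_credit * u["reports"], 0.0)
    return scores


def high_risk_users(scores, threshold=2.0):
    """Users at or above the threshold, i.e. candidates for targeted remediation training."""
    return sorted(name for name, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    metrics = campaign_metrics(SIM_RESULTS)
    for dept in ("finance", "it"):
        print(dept, "click-rate trend:", click_rate_trend(metrics, dept))
    scores = user_risk_scores(SIM_RESULTS)
    print("risk scores:", scores)
    print("high-risk users:", high_risk_users(scores))
```

On the constructed data the IT department's click rate falls from 1.0 to 0.5 between campaigns while finance stays flat at 0.5, which is the kind of trend a program owner would track; the two repeat clickers (one of them an admin) come out as the high-risk users who should get targeted follow-up training first.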
Carefully research the regulatory compliance requirements applicable to your industry to make sure that the training program you choose ticks all the boxes and helps you meet compliance.
Consider getting security awareness training as a managed service if you don't have the resources or know-how to set up and run an awareness program internally. Even if you already have a Computer-Based Training (CBT) platform, you may need external expertise to help you get value from it. A managed security awareness service will typically include "expertise to help you get started with a security awareness platform, help profile and build learning tracks for different users or groups, and even help with internal communications to build support for your security awareness program." (Gartner)
Some cyber security organisations include security awareness training as part of some of their bigger offerings. Before investing in a new CBT platform, check if any of the security platforms you already use includes an awareness component and if that meets your current needs.
LinearStack offers customisable, outcome-focused security awareness training programs to businesses in New Zealand and Australia. Our experts can set up an ongoing training program for your employees based on your specific needs and user categories, and manage it for you to ensure maximum benefit. We help organisations of all sizes build a security-first culture and reduce cyber risk.
Get in touch with us today:
Phone: 0800 008 795
Email: info@linearstack.co.nz
Website: https://linearstack.co.nz