When we hear the word “cybersecurity” a lot comes to mind — firewalls, antivirus, endpoint protection, email security, web security and much more. But how often do we think or talk about people? This is a central element in cybersecurity that is often ignored.
“To err is human” — it’s obvious that as humans we often make mistakes. And we can’t be programmed either. As humans, our behavior is largely unpredictable, and failure to account for insider threats can result in costly security incidents.
Insiders Cost Companies Millions
According to a recent survey by the Ponemon Institute, the average cost of insider-caused incidents is $8.76 million — more than twice the $3.86 million global average cost of all breaches in the same year. The 2019 Data Breach Investigations Report (DBIR) also highlights that a third of data breaches (34%) involved internal employees.
Cybersecurity is no longer a technical problem. It’s a people problem. And ensuring that people have the know-how to defend themselves and their organization against threats is a critical component of a robust cybersecurity program.
If an organization intends to comply with regulatory and industry requirements such as FISMA, PCI, HIPAA or SOX, it must provide security awareness training in order to meet its compliance obligations.
Implementing A Robust Security Awareness Program
The end goal of establishing a thorough program is not to meet compliance requirements. The main goal is to prevent loss of sensitive data and the pain and costs that follow a cybersecurity breach.
Here are seven tips to help you put an effective cybersecurity program into place.
1. Evaluate the threat landscape.
Evaluating your critical assets is usually the first step in developing your wider security awareness program. Such an assessment can be anything from a company-wide cybersecurity questionnaire to a phishing test; use the results to roll out a larger program that targets the problem areas the assessment identifies.
2. Train employees to recognize a phish.
A recent Microsoft Security Intelligence Report claims a massive 250% increase in phishing attacks over the previous year and indicates that phishing is now, by far, one of the most frequent attack vectors in an organization. Teaching employees to recognize phishing emails and social engineering attacks is fundamental to any security awareness training program.
It’s also important to stress the impact employee actions may have on the organization. Phishing simulators available on the market can help pinpoint weak spots in the organization, and it’s a good idea to deliver training to the employees they identify as vulnerable via different methods.
3. Get creative with content.
To spark any form of interest in large or small organizations, it is important that your content is engaging. As humans, we are more inclined to remember stories that evoke images. Content that engages our emotions triggers our imagination and motivates us into action. It might also make sense to fine-tune content based on different types of audiences, considering that standard off-the-shelf training may not be suitable for all.
4. Training is a continuous process.
As a security officer, you probably want to set up an ongoing training program. This would mean setting up a curriculum that covers most security threats and keeps security top of mind via a regular cadence of current topics and trends. Training programs can be established at the time of onboarding a new employee, and any time is a good time to post and share mainstream data breach news stories as a way to keep security top of mind.
5. Turn to data to measure effectiveness.
Having a process to measure training and awareness effectiveness is essential. One approach to measuring the impact of training is to count the number of security incidents that befell your organization before you implemented your formal training program, and then to count them quarterly afterward.
Another way to measure awareness is to compare the volume of security incidents reported by employees over time. From a content perspective, one can look at participation rates and class feedback to assess whether training content is engaging enough or needs modification.
6. Ensure your program is compliant with regulations.
Regulations like HIPAA, PCI DSS, etc. help establish the best practices and processes that several federal and state regulations require. Making sure your program complies with these regulations can help heighten your organization’s security effectiveness.
7. Get C-level buy-in.
Any cultural change starts at the top. Getting upper management buy-in ensures increased support from multiple groups. Not only is it a good idea to establish a regular cadence of communications to alert users about security awareness, but it might also be interesting to recruit C-level executives to send out alerts occasionally to emphasize the priority of this cultural change.
To sum up, security awareness training is one of the most effective measures against the growing menace of cyberattacks. By incorporating these tips into your awareness program, you’ll be on your way to helping employees avoid being the weakest link. Instead, employees will be able to recognize potential incoming threats and make the right decisions.
This article was originally posted on Forbes.com.