Companies, regardless of their size, are targets of cyber-attacks; you simply need to check the news to realize how serious a problem it has become. According to Varonis, 2021 saw a near 50% increase in the number of weekly attacks compared to 2020, while the average cost of data breaches rose to a 17-year high ($4 million per year) in 2021. What is very interesting is that, although phishing has been around for at least a few decades, the majority of data breaches still have phishing at their core. Therefore, everyone within the company must be aware of this and actively participate in protecting the organization's sensitive data.
Regardless of how good our security technology is or becomes, some percentage of attacks will slip through the technology or bypass it entirely. Humans will be your last line of defense wherever the interaction is not machine-to-machine. Not training employees is therefore unwise and negligent.
How Organizations Can Build Their Last Line of Defense and Boost Their Cybersecurity Posture
Here are some tips that can help security teams build their last line of defense and boost security behavior in their organization.
#1. Instill a Behavior Change in Your Employees Through a Comprehensive Cybersecurity Awareness Training Program
Improving the security posture of your organization starts with establishing a comprehensive cybersecurity awareness program. Your security awareness program should address the ever-important “why.” Why should people care about it? Why would it appeal to them in the first place?
Your security awareness program should encourage your employees' participation in adopting good cybersecurity practices, including the drafting of an effective data protection policy. The policy's content may vary depending on your organization's sector of operation; however, it must be clearly written and understood by all. Employees must know which data the organization considers sensitive and how to protect it effectively.
Also, instead of traditional classroom exercises, VirtualDoers recommends that employees be subjected to simulated phishing attacks. Simulated phishing attacks have the advantage of providing a fail-safe environment for your employees, allowing them to fully understand the consequences of their actions and to form corrective behavior. Repeating such simulations over time creates reflexive behavior that helps employees make the right security decisions, no matter the distraction. This healthy form of skepticism must be embraced, encouraged, and celebrated at all levels and should serve as an important foundation of the organizational culture and routine.
#2. Ensure That Your Cybersecurity Awareness Training Program Is Kept Relevant
Organizations need to understand that their employees are human: different people across the organization have different levels of sensitivity, competency, and security maturity, and businesses must build their programs around that.
There have been stories of organizations imposing sanctions, including suspension, on employees who persistently fail security tests. The question is whether it's really the people who are at fault. “Both employers and employees are on the same journey; employees rarely actively seek out to harm their organization. If employees are failing tests repeatedly, the best way to consider this is to understand why, so their engagement and related security behaviors can be addressed.”
Employees inclined to poor security hygiene, or who exhibit lower security maturity or competency, may need personalized coaching and hand-holding. Dishing out blame will not work. There's a real danger that, in handing out blame, you could weaken your organization's security.
Furthermore, naming and shaming should only be used as a last resort. If a serious security situation arises, some blame may be appropriate. There should be consequences for gross negligence or willful failure to follow policy, but these should be in extremis, not routine.
#3. Put in Place an Effective Communications and Messaging System
Getting your employees to engage in your cybersecurity program requires education and patience. It's a long-term communication process that you need to commit to. You can, for example, remind employees about security rules in the newsletters sent to all staff, put up posters and stickers in common areas, or provide employees with materials they can consult whenever they need to.
IT security breaches in businesses are often the result of human negligence. It is therefore essential to educate your employees in cybersecurity, with appropriate training and communication for educational purposes.
At VirtualDoers, we can help with all aspects of your security awareness program requirements: tailored training programs through our educational services, email security, security compliance, managed security services and more. Communication and messaging are the visible face of a company, and security teams lack soft skills. A positive tone and attitude go a long way, especially in the context of security training. As mentioned earlier, be extra cautious to avoid shaming employees who fail a test. The entire process must be healthy, transparent, and thought-provoking. Security staff must ensure they have processes in place that encourage employees to reach out without fear of being reprimanded.
#4. Be Honest About Your Goals and What the Culture Will Tolerate
Be honest and transparent about your goals with the wider organization. Use metrics where possible to highlight the current state of security and the expected security outcomes. Also, security awareness training never occurs in a cultural vacuum. Get key stakeholders and senior management on board, since culture is typically driven from the top down. Stress goals repeatedly, because behavior change cannot be sustained without constant reinforcement. Measure things (before and after) so that you can report them and tell people about the success of the program. Start by giving them a sense of purpose and reinforce that with a sense of achievement; people feel good when you bring them quantifiable numbers and show them how well they're doing.
#5. Give Your Last Line of Defense Tools to Succeed
Provide employees with the tools to be successful. Studies show that when employees are given a simple “phish alert” button, they are able to report phishing emails with a high degree of accuracy. Similarly, having a security hotline in place can help immensely, because users are often hesitant to report phishing activity due to a lack of transparency in the IT process and a lack of swift responses from security teams. Some simulation tools even provide visual cues, such as social engineering indicators or red flags, that show employees what they could have done better once they have been successfully phished.
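The “measure before and after” advice in #4 and the reporting tools in #5 both come down to turning simulated-phishing results into numbers a security team can report. The following Python script is an added example, not code from VirtualDoers or from any simulation product: it takes a constructed result set from two campaigns (a baseline run and a follow-up after training), computes click rate and report rate per campaign and per department, shows the before/after change, and flags departments and repeat clickers for coaching rather than for blame. The result tuple layout, campaign names, departments and outcome labels are all assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample results from two simulated phishing campaigns.
# Each row is (campaign, user_id, department, outcome). The layout and
# the values are assumptions for this example, not any vendor's format.
RESULTS = [
    ("baseline", "u1", "finance", "clicked"),
    ("baseline", "u2", "finance", "clicked"),
    ("baseline", "u3", "finance", "reported"),
    ("baseline", "u4", "eng", "ignored"),
    ("baseline", "u5", "eng", "reported"),
    ("baseline", "u6", "eng", "clicked"),
    ("baseline", "u7", "sales", "clicked"),
    ("baseline", "u8", "sales", "ignored"),
    ("followup", "u1", "finance", "reported"),
    ("followup", "u2", "finance", "clicked"),
    ("followup", "u3", "finance", "reported"),
    ("followup", "u4", "eng", "reported"),
    ("followup", "u5", "eng", "reported"),
    ("followup", "u6", "eng", "ignored"),
    ("followup", "u7", "sales", "reported"),
    ("followup", "u8", "sales", "clicked"),
]

# "reported" means the user used the phish-alert button or hotline;
# "clicked" means they followed the simulated link; "ignored" means neither.
OUTCOMES = ("clicked", "reported", "ignored")


def campaign_metrics(results, campaign):
    """Aggregate one campaign into the numbers worth reporting upward."""
    rows = [r for r in results if r[0] == campaign]
    sent = len(rows)
    if sent == 0:
        raise ValueError(f"no results for campaign {campaign!r}")
    counts = Counter(r[3] for r in rows)
    unknown = set(counts) - set(OUTCOMES)
    if unknown:  # refuse to silently miscount an outcome we do not understand
        raise ValueError(f"unexpected outcomes: {sorted(unknown)}")
    return {
        "sent": sent,
        "click_rate": counts["clicked"] / sent,
        "report_rate": counts["reported"] / sent,
    }


def department_metrics(results, campaign):
    """Same metrics broken down by department (group level, not by person)."""
    by_dept = defaultdict(list)
    for r in results:
        if r[0] == campaign:
            by_dept[r[2]].append(r)
    return {dept: campaign_metrics(rows, campaign) for dept, rows in by_dept.items()}


def compare_campaigns(results, before, after):
    """Before/after change: a falling click rate and a rising report rate
    are the two signals the program is meant to move."""
    b = campaign_metrics(results, before)
    a = campaign_metrics(results, after)
    return {
        "click_rate_change": a["click_rate"] - b["click_rate"],
        "report_rate_change": a["report_rate"] - b["report_rate"],
    }


def departments_for_coaching(results, campaign, max_click_rate=0.5):
    """Departments whose click rate exceeds the threshold, so extra training
    effort can be targeted at a group without singling anyone out."""
    per_dept = department_metrics(results, campaign)
    return sorted(d for d, m in per_dept.items() if m["click_rate"] > max_click_rate)


def repeat_clickers(results, campaigns):
    """Users who clicked in every listed campaign: candidates for the
    personalized coaching described above, not for sanctions."""
    clicked = {c: {r[1] for r in results if r[0] == c and r[3] == "clicked"}
               for c in campaigns}
    return sorted(set.intersection(*clicked.values())) if clicked else []


if __name__ == "__main__":
    for name in ("baseline", "followup"):
        m = campaign_metrics(RESULTS, name)
        print(f"{name}: sent={m['sent']} click={m['click_rate']:.0%} "
              f"report={m['report_rate']:.0%}")
    delta = compare_campaigns(RESULTS, "baseline", "followup")
    print(f"change: click {delta['click_rate_change']:+.0%}, "
          f"report {delta['report_rate_change']:+.0%}")
    print("departments for coaching (baseline):",
          departments_for_coaching(RESULTS, "baseline"))
    print("repeat clickers:", repeat_clickers(RESULTS, ["baseline", "followup"]))
```

Report rate is tracked alongside click rate on purpose: a campaign where nobody clicked but nobody reported either tells you little about whether the “phish alert” button is being used, whereas a rising report rate is direct evidence that employees are acting as the last line of defense.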
It's time to step up our game. Unfortunately, even when organizations implement a security awareness training program, they fail to do so as effectively as possible for a variety of reasons, but primarily because they have not bridged the gap between awareness and caring, or the gap between knowing and doing. As an industry, we can do better, and we certainly have a lot to gain by doing so.