With the cost of data breaches rising, organizations are spending a lot of money to improve their cyber defenses and prevent cybercriminals from gaining access to sensitive information and disrupting day-to-day operations.
But in their never-ending effort to combat end-user security risks, IT departments often become blinded by shiny threat detection, malware protection, and network security tools, completely ignoring the fact that humans are often the weakest link in cybersecurity. To address the human element, organizations must find time and resources for user awareness training and give it the priority it deserves.
User awareness training is an education activity whose aim is to teach employees about cybersecurity. It provides employees with the information they need to avoid the many dangers that lurk online, including malware, phishing, man-in-the-middle attacks, eavesdropping attacks, and others.
The importance of user awareness training has increased exponentially in the last decade because employees now face a much broader range of cyber threats than ever before, many of which, such as ransomware, are capable of inflicting massive damage to the entire organization.
User awareness training is typically performed as a comprehensive security awareness program that educates employees about a multitude of cybersecurity-related topics. It may involve mock attack simulations to test and reinforce good behavior, and it can either take place online or in person.
Considering that 31% of organizations are without any user awareness training whatsoever, according to a CybSafe survey, it’s clear that there are many organizations that are still not convinced of the necessity of user awareness training when navigating today’s threat landscape. These organizations are often unaware that over 90 percent of security incidents are connected to human error, as was revealed by a study authored by cybersecurity executive Calvin Nobles, titled “Shifting the Human Factors Paradigm in Cybersecurity.”
According to multiple studies, including the 2018 Verizon Data Breach Investigations report, most successful security breaches start with phishing, which is one of the most easily preventable cyber attacks, involving a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
A research co-sponsored by PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service, called the 2014 US State of Cybercrime Survey, clearly states that companies with a user awareness training strategy have significantly lower losses when a cyber-related event happens than those with no user awareness training strategy whatsoever.
Of course, not all user awareness training strategies are made equal, and some are far more effective than others. “The key is to continually keep security on the top of users' minds," explains Kevin Beaver, an independent security consultant at Principle Logic. “It's all about working together with management, especially HR, to ensure that common-sense security basics become part of the organizational culture. To simply assume that users will always make good choices is to assume that your security program has no flaws.”
With regular user awareness training that includes mock attack simulations, compliance training, and in-depth courses on IT and cybersecurity best practices, organizations can significantly reduce risk, making it far less likely that their reputation will be irreparably damaged by cybercriminals.
Because there are employees who openly violate security policies in virtually every organizations, the questions shouldn’t be whether organizations need to spend time and money on user awareness training. It should be how organizations can make user awareness training an integral part of their broader cybersecurity programs to achieve the best results possible.
When it comes to user awareness training, both quality and quantity are important. Organizations shouldn’t expect their employees to become experts at avoiding cyber threats after just one training session, and they also shouldn’t expect them to be committed to security right from the get-go.
“You need to spark interest, and the content needs to be funny and engaging,” says Lisa Plaggemier, security evangelist at InfoSec Institute. “There are a lot of ways to customize and get the right message to the right person at the right time, but most trainings that are being offered are one-size-fits-all.”
Ideally, organizations should make their user awareness training sessions feel more like marketing campaigns. They should be:
Brief: The human attention span isn’t limitless, and it’s much better to get straight to the point and make sure it really sticks with trainees.
Research-based: Not all employees are likely to face the same risks, which is why organizations should segment them based on their risk profile and customize user awareness training for all key employee groups.
Data-driven: It’s important to make sure that trainees are making progress by conducting mock attack simulations and measuring how employees respond to them.
User awareness training can be managed entirely by the in-house IT department, but it’s also possible to do it online with the help of ready-made user awareness training programs. Online training scales much better than in-person training, and it allows employees to work through the content at their own pace, instead of being forced to visit scheduled classes.
A good user awareness training program should cover phishing, physical security, email and browser security, desktop security, wireless networks, password security, malware, social engineering, mobile security, social media security, and remote working. Because there is so much information to cover, it’s best to take things at a moderate pace and see user awareness training as an ongoing activity, rather than as a one-time undertaking.
To minimize an organization’s attack surface, it’s critical to educate employees on cybersecurity because human error has been found over and over again to be the biggest cause of security incidents. A correctly implemented user awareness training program that’s executed on a regular basis can go a long way in helping employees avoid behaviors that could potentially compromise the entire organization and lead to an irrecoverable data breach.