It’s a big world out there, and cybercriminals know you don’t have time for everything. A common fallacy is that they’re lurking in dark basements, bending their brains to maximum capacity to create highly sophisticated exploits that blow any current security system out of the water. More often than not, they’re not.
Criminal hackers go after the low-hanging fruit and try the easy road before taking the hard one. All too often, that easy road is us. The Verizon 2022 Data Breach Investigations Report notes that 82% of all breaches involve the human element, and that’s us messing up when we should have known better. Thanks to security awareness training programs, we can know better.
Not to be underestimated, locking down security awareness across your enterprise can shut a huge door hackers use to get in. While it may seem like a “soft skill” to some security hardliners, the data shows that improvements in this area can have outsized results.
Underestimate Security Awareness at Your Own Risk
Simple security hygiene mistakes are the first thing hackers exploit because they’re the last thing we think to mind. Those simple slip-ups are where the trouble comes through, and it happens all the time.
Take social media for example. Online impersonations were the top social media threat in Q4 of last year, and a general lack of security acuity is why. Consider the facts:
- There were 19% more social media attacks against organizations in Q4 2022 than Q4 2021
- Impersonation was the top threat vector, accounting for over 36% of those attacks
- Cyber threat (34%) and Fraud (28%) followed
Impersonation was such a hot pick because it’s so easy to do. It doesn’t take much to scrape a few logos and spin up a fake Twitter account under a company’s name. From there, an attacker can advertise “sales” or masquerade as one of the company’s executives, steering unsuspecting users toward credential compromise or financial fraud. This hardly ends well. A bit of security awareness training could teach users to spot the tell-tale signs, avoid these mistakes, and keep their names (and company data) safe.
To support an overall security awareness boost, the Department of Homeland Security and the National Cyber Security Alliance designated October as National Cybersecurity Awareness Month back in 2004. Right for its time, it’s become even more relevant as the years have gone on. Sophisticated cybercriminals are still out there, but by and large, the growth of as-a-Service offerings (phishing kits, ransomware-as-a-service) hints that another, less skilled group is incredibly active. That group goes for the low-hanging fruit, the simple mistakes, the things behind 82% of breaches that could be drastically reduced with a little “soft-skills” training.
Security awareness training is one of the best-kept secrets of shoring up a zero-trust strategy. It patches the holes in the boat before you spend a ton of money on fancy new tooling that a single clicked link can still sink. The best in the business rely on it and make it one of their security necessities.
Take the following two examples.
Case Study 1: 42% of University Students in Anti-Phishing Training
In an environment where everyone understands the implications of a failing grade, it’s no surprise that many pushed back when their Canadian university wanted to implement mandatory security training. Faculty and staff feared the repercussions of not passing the simulation, and departments rejected phishing training en masse for fear that they would make students afraid to open any email at all.
However, when cybersecurity goals are integral to meeting 20-year institutional objectives, the need for some sort of security education becomes evident. Faculty and students had been receiving higher-than-average amounts of phishing emails and the school wanted to create an environment of awareness that could make each user a stopping point against attacks.
Partnering with Fortra’s Terranova Security, this school developed a voluntary security training campaign with an initial goal of 5% participation. By presenting principles in a low-stress, learning-only environment, participants were able to engage with modules geared towards users of all technical backgrounds. This reduced the fear of failure or judgement and led to honest outcomes.
Using the Terranova Security Awareness Program, the university was able to manage and track its training initiative, meeting the desired 5% participation rate. They had planned on gradually increasing the rate to 15%, but the launch of the initial campaign created such momentum that at last report 17,000 out of 40,000 students had been reached: roughly 42%.
The real indicator of success may be beyond the numbers. Security awareness is a state of mind, and students at this particular institution now have a new topic to throw around: Says the university CISO, “They call me Mr. Phishing. They see me and say, ‘you didn’t get me this time!’”
Case Study 2: Manufacturers Get Onboard with Cybersecurity
As the previous case study showed, the end result of a job well done where security awareness training is concerned is more security awareness. One manufacturing company integrated training so successfully among a decentralized, multilingual workforce that workers found themselves slipping into safe practices at home: now that’s an indicator of success.
This private manufacturing business had employees across several different countries, and security awareness training was always an issue. Previous solutions, offered mostly as English-only modules with few translations, failed to give them the coverage they needed.
“The number one goal was to increase employee involvement. Being able to offer the courses in languages each team member understood added value,” noted one Information Security Manager at the company.
For this they turned to Fortra’s Terranova Security. They not only got real-time phishing scenarios, but access to a comprehensive library full of training materials developed in different languages. With this, they were finally able to design a security program that reached company-wide and included pre-training baselines, monitoring within a learning management platform, and metric tracking through customized phishing tests and quizzes.
However, security training that sticks also requires a long-term plan, which is why the company leveraged Terranova Security professional services to get started on the Information Security 5-Step Framework and establish a routine cadence for testing users.
The result? Adoption across all sectors of the business, “from people working in the warehouse to the CEO” as one Information Security Manager put it, and an eventual 80% participation rate.
But were they learning anything? The stats indicate so: Phishing click-through rates decreased from nearly four in ten to under 15%, and the number of suspicious emails reported shot up from only 25 to over 500 per year.
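The numbers above (click-through rate, reports per year) are the two metrics a program like this lives on, and they are only meaningful if they are computed per campaign, deduplicated per user, and read together: a falling click rate with a flat report rate means people are ignoring lures, not catching them. The following Python is an added example, not Terranova’s code or data format; the event records, campaign names and the column layout (campaign, user, action, minutes after send) are constructed for illustration. It counts a “report before click” separately from a “report after click”, and produces a follow-up list of users who clicked or submitted credentials without ever reporting.

```python
from collections import defaultdict

# Constructed sample events for two hypothetical simulation campaigns,
# "baseline" and "q3". Tuple layout: (campaign, user, action, minutes_after_send).
# Actions: delivered, clicked, submitted (entered credentials), reported.
# Not real data; the format is an assumption for this example only.
EVENTS = [
    ("baseline", "alice", "delivered", 0), ("baseline", "alice", "clicked", 5),
    ("baseline", "alice", "submitted", 6),
    ("baseline", "bob", "delivered", 0), ("baseline", "bob", "clicked", 12),
    ("baseline", "bob", "reported", 14),
    ("baseline", "carol", "delivered", 0), ("baseline", "carol", "reported", 3),
    ("baseline", "dave", "delivered", 0), ("baseline", "dave", "clicked", 40),
    ("baseline", "dave", "clicked", 55),  # repeat click from another device: must not double count
    ("baseline", "erin", "delivered", 0),
    ("q3", "alice", "delivered", 0), ("q3", "alice", "reported", 4),
    ("q3", "bob", "delivered", 0), ("q3", "bob", "clicked", 20), ("q3", "bob", "reported", 21),
    ("q3", "carol", "delivered", 0), ("q3", "carol", "reported", 2),
    ("q3", "dave", "delivered", 0),
    ("q3", "erin", "delivered", 0), ("q3", "erin", "reported", 8),
]


def _first_times(events, campaign):
    """Earliest time of each action per user for one campaign.

    Keeping only the minimum timestamp deduplicates repeat clicks or
    repeat reports so that one user counts once per action.
    """
    first = defaultdict(dict)  # user -> {action: minutes}
    for camp, user, action, minutes in events:
        if camp != campaign:
            continue
        current = first[user].get(action)
        if current is None or minutes < current:
            first[user][action] = minutes
    return first


def campaign_metrics(events, campaign):
    """Per-campaign rates, all expressed over the users who actually received the lure."""
    first = _first_times(events, campaign)
    targeted = [u for u, acts in first.items() if "delivered" in acts]
    clicked = [u for u in targeted if "clicked" in first[u]]
    submitted = [u for u in targeted if "submitted" in first[u]]
    reported = [u for u in targeted if "reported" in first[u]]
    # A report filed before (or instead of) a click is the behaviour training aims for;
    # a report filed after a click is still useful to the SOC but a weaker signal.
    reported_before_clicking = [
        u for u in reported
        if "clicked" not in first[u] or first[u]["reported"] < first[u]["clicked"]
    ]
    n = len(targeted)
    return {
        "targeted": n,
        "clicked": len(clicked),
        "submitted": len(submitted),
        "reported": len(reported),
        "reported_before_clicking": len(reported_before_clicking),
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        # Reports per click: above 1.0 means the population catches more lures than it falls for.
        "resilience": len(reported) / len(clicked) if clicked else float("inf"),
    }


def follow_up_users(events, campaign):
    """Users who need targeted follow-up: submitted credentials, or clicked and never reported."""
    first = _first_times(events, campaign)
    return sorted(
        u for u, acts in first.items()
        if "delivered" in acts
        and ("submitted" in acts or ("clicked" in acts and "reported" not in acts))
    )


def rate_deltas(events, baseline, later):
    """Change in click and report rates between two campaigns (negative click delta is good)."""
    b, l = campaign_metrics(events, baseline), campaign_metrics(events, later)
    return {k: l[k] - b[k] for k in ("click_rate", "report_rate")}


if __name__ == "__main__":
    for name in ("baseline", "q3"):
        print(name, campaign_metrics(EVENTS, name))
    print("follow-up (baseline):", follow_up_users(EVENTS, "baseline"))
    print("deltas baseline -> q3:", rate_deltas(EVENTS, "baseline", "q3"))
```

Two design choices matter here. Rates are computed over delivered recipients, not over the send list, so bounced or filtered messages do not inflate the denominator. And a user who clicks and then reports is not treated as a failure to be retrained: that behaviour is what a “you didn’t get me this time” culture produces and is exactly the signal an incident responder wants.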
The lesson: if you’ve heard others say security awareness training “doesn’t do much,” they probably weren’t using the right one.
What a World-Class Security Awareness Program Looks Like
While all security awareness trainings arguably do something, they are not all created equal. Several components set a best-in-class security awareness program apart from the rest.
- Engaging. People won’t learn if they don’t listen, and they won’t listen if it doesn’t hold their interest. Keeping things light, informative, and entertaining goes a long way for retention.
- Gamified. Passive listening turns into active learning when people are asked to solve puzzles, so gamifying real-world scenarios puts users at the center of the action and tests their real-world knowledge.
- Metrics-driven. As much as awareness training seems like a “soft skill”, results are measured in more than anecdotes. The best programs provide in-depth reporting and analytics on a centralized dashboard: click rates, report rates, and how both move between campaigns.
- Cutting-edge. You want your security awareness training provider to track every new malicious technique and constantly update its material, so your teams stay ahead of the latest threats.
- Year-round. Effective programs build in the expectation that security awareness is a continual activity. Because threats are constantly evolving, it has to be.
Source: Terranova Security