Security awareness training is no longer a “nice-to-have” for organizations. End users have become a critical component of effective security postures. Employees must have a strong understanding of cybersecurity best practices and learn how to detect and defend against targeted attacks. This shift in priority is needed to address an ongoing trend in the larger threat landscape.
Cybercriminals have largely moved away from complex, time-consuming technical exploits to concentrate on end users, a large and frequently vulnerable attack surface. Whether the target is a small business or a large enterprise, most attacks now begin the same way: by targeting people through email, social networks, or cloud and mobile applications.
In a recent study, Proofpoint found that nearly 90 percent of global organizations surveyed were targeted with business email compromise (BEC) and spear phishing attacks in 2019. This reflects threat actors’ increasing focus on highly sophisticated, personally addressed phishing emails that dramatically increase their chances of success.
But there is positive news in the face of these increased attacks. In the same Proofpoint study, 78 percent of information security professionals surveyed said that security awareness training initiatives led to a measurable reduction in phishing susceptibility among their organization’s end users.
The need for a cyber-aware, well-trained workforce has never been clearer. With attackers focusing on users, organizations need to follow suit and take a people-centric approach to cybersecurity.
Security Awareness Training Program Essentials
Because risk and cyber awareness can vary significantly between industries and organizations, there is no true one-size-fits-all security awareness training curriculum. That being said, all organizations will benefit from taking a continuous approach that incorporates the following four components.
1. Identify Risk
Identifying risk means looking at both end-user vulnerabilities and the incoming threats that target the organization as a whole and specific employees in particular. Organizations should focus on three key activities:
- Assessing general cybersecurity knowledge
- Gauging users’ vulnerability to specific phishing lures and themes
- Using threat intelligence to determine the methods attackers are using and the people they are most frequently targeting
2. Change Behavior
The most effective programs blend broad, organization-wide awareness and training activities with more targeted, threat-based education. All employees should have a fundamental knowledge of the actions and behaviors that can improve their cyber hygiene at work and at home. This helps to build a culture of security in which all users have a unified purpose.
3. Reduce Exposure
This step establishes the tools and channels employees can use to quickly report suspicious emails and other potentially malicious activity. User reports also give security teams the opportunity to identify and address attacks that slipped past perimeter defenses and that they would otherwise not know about. Organizations can engage end users in this important component of people-centric security by:
- Implementing an email reporting tool – In-client buttons let users send a suspicious email to the response team with one click. The button should forward the message as an attachment rather than inline, so the original headers (Received, Authentication-Results, Reply-To and the like) arrive intact; an inline forward strips them and leaves analysts with only the user's copy of the body.
- Automating analysis and remediation – CISOs should consider solutions that perform real-time analysis of reported emails, prioritize the most dangerous messages, and automatically quarantine or delete active attacks.
- Establishing reporting mechanisms for threats outside of email – Organizations should encourage a “see something, say something” policy related to potentially suspicious activities end users might witness, like unescorted visitors, malicious insider threats and imposter websites.
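The following script is an added example, not Proofpoint's or any vendor's code, showing what the "automated analysis" step above can do with a report once the original headers are preserved. It assumes the in-client button forwards the suspicious message as a `message/rfc822` attachment; the two sample reports are constructed for this example (the same lure reported once as an attachment and once inline), and the scoring weights are illustrative, not a published standard.

```python
"""Triage a user-reported phishing email.

Added example, not Proofpoint's or any vendor's code. It assumes the reporting
button forwards the suspicious message as an attachment (message/rfc822),
which keeps the original headers intact; the two sample reports below are
constructed for this example, and the scoring weights are illustrative.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed report 1: forwarded as an attachment, original headers preserved.
REPORTED_AS_ATTACHMENT = b"""\
From: alice@example.com
To: phish-report@example.com
Subject: FW: Urgent wire transfer
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Looks suspicious.
--outer
Content-Type: message/rfc822

From: "Pat Lee, CFO" <ceo@example.com>
Reply-To: pat.lee@examp1e-mail.net
To: alice@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain

Please process the attached invoice today: http://examp1e-mail.net/invoice/pay
--outer--
"""

# Constructed report 2: the same lure forwarded inline, so only the reporter's
# own headers survive and the attacker's headers are lost.
REPORTED_INLINE = b"""\
From: alice@example.com
To: phish-report@example.com
Subject: FW: Urgent wire transfer
Content-Type: text/plain

---------- Forwarded message ----------
From: "Pat Lee, CFO" <ceo@example.com>
Subject: Urgent wire transfer

Please process the attached invoice today: http://examp1e-mail.net/invoice/pay
"""

AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|wire transfer)\b", re.I)


def extract_original(raw: bytes) -> EmailMessage:
    """Return the attached original message; fall back to the wrapper itself
    when the report was forwarded inline (original headers already lost)."""
    wrapper = email.message_from_bytes(raw, policy=policy.default)
    for part in wrapper.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return wrapper


def _domain(addr_header: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    return email.utils.parseaddr(addr_header)[1].rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> dict:
    """Score a reported message so the most dangerous reports are handled first."""
    findings, score = [], 0

    # 1. Authentication results recorded by the receiving MX (only present
    #    when the original headers were preserved).
    for mech, result in AUTH_FAIL.findall(str(msg.get("Authentication-Results", ""))):
        findings.append(f"{mech.lower()}={result.lower()}")
        score += 3

    # 2. Reply-To pointing at a domain other than the visible sender's.
    from_dom = _domain(str(msg.get("From", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
        score += 2

    # 3. Links that lead somewhere other than the sender's domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link to {host} in mail from {from_dom}")
            score += 2

    # 4. Pressure language typical of BEC lures.
    if URGENCY_RE.search(f"{msg.get('Subject', '')} {text}"):
        findings.append("urgency language")
        score += 1

    priority = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "priority": priority, "findings": findings, "urls": urls,
            "headers_preserved": msg.get("Authentication-Results") is not None}


if __name__ == "__main__":
    for raw in (REPORTED_AS_ATTACHMENT, REPORTED_INLINE):
        print(triage(extract_original(raw)))
```

Run stand-alone, the attachment report scores "high" because the SPF and DMARC failures, the mismatched Reply-To and the off-domain link are all visible; the inline copy of the very same lure scores only "medium" because those headers never reached the analyst. That difference is the practical reason the reporting button should forward as an attachment.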
4. Measure and Adapt
Measurement tools allow organizations to gauge progress, assess ROI, share information with stakeholders and course correct as needed. Baseline simulated-phishing failure rates and knowledge assessment results establish the starting points to measure against. Follow-up exercises provide additional insight and the opportunity to test and train end users on emerging threats and on issues specific to the organization.
Infosec and training teams will also be asked to demonstrate that their security awareness initiatives are working. In addition to metrics tied to specific program components, organizations can look to their security teams to gauge improvement in end-user behavior by tracking three measurements:
- The number of reported emails by end users – Security teams should see a noticeable increase in both the quantity and quality of reported emails as training progresses. Track the report rate (reports per message delivered) and the share of reports that turn out to be malicious or simulated, rather than raw counts, since counts also rise simply when more simulations are sent.
- Rates of malware infections and successful phishing attacks – Effective security awareness training should lead to decreases in malware infection rates and successful phishing attacks from the wild.
- IT hours tied to end-user issues – As users learn to recognize threats and risky behaviors, IT and remediation teams should see a reduction in the time spent cleaning up malware infections and the other consequences of successful attacks.
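As an added example, not part of the original article or any vendor's reporting code, the script below turns simulated-phishing results into the baseline and follow-up metrics described in this section: click and report rates per campaign and per lure theme (the "specific lures and themes" of step 1), the change from baseline to the latest campaign, and the users who clicked in more than one campaign and so belong in targeted training. The records are constructed for the example, one row per simulation email delivered; a real program would load them from its simulation platform.

```python
"""Program metrics from phishing-simulation results.

Added example, not a vendor's reporting code. The records are constructed:
one row per simulation email delivered, tagged with the campaign, the user,
the lure theme, whether the user clicked, and whether the user reported it.
"""
from collections import Counter, defaultdict

RESULTS = [
    # (campaign, user, lure theme, clicked, reported)  -- constructed data
    ("2019-Q1", "alice", "invoice",        True,  False),
    ("2019-Q1", "bob",   "invoice",        True,  False),
    ("2019-Q1", "carol", "invoice",        False, True),
    ("2019-Q1", "dave",  "password-reset", True,  False),
    ("2019-Q1", "erin",  "password-reset", False, False),
    ("2019-Q3", "alice", "shipping",       True,  False),
    ("2019-Q3", "bob",   "shipping",       False, True),
    ("2019-Q3", "carol", "shipping",       False, True),
    ("2019-Q3", "dave",  "invoice",        False, True),
    ("2019-Q3", "erin",  "invoice",        False, False),
]

CAMPAIGN, USER, THEME, CLICKED, REPORTED = range(5)


def rates_by(results, field):
    """Click rate and report rate per campaign (field=CAMPAIGN) or per lure
    theme (field=THEME). Rates rather than raw counts, so campaigns of
    different sizes are comparable."""
    sent, clicked, reported = Counter(), Counter(), Counter()
    for rec in results:
        key = rec[field]
        sent[key] += 1
        clicked[key] += rec[CLICKED]
        reported[key] += rec[REPORTED]
    return {key: {"sent": sent[key],
                  "click_rate": clicked[key] / sent[key],
                  "report_rate": reported[key] / sent[key]}
            for key in sent}


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the
    people to route into targeted, threat-based training."""
    campaigns_clicked = defaultdict(set)
    for rec in results:
        if rec[CLICKED]:
            campaigns_clicked[rec[USER]].add(rec[CAMPAIGN])
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_campaigns)


def baseline_delta(results):
    """Change in click and report rate from the earliest campaign (the
    baseline) to the latest one. Negative click delta and positive report
    delta are the direction an effective program should show."""
    by_campaign = rates_by(results, CAMPAIGN)
    first, last = min(by_campaign), max(by_campaign)
    return {
        "baseline": first,
        "latest": last,
        "click_rate_delta": by_campaign[last]["click_rate"] - by_campaign[first]["click_rate"],
        "report_rate_delta": by_campaign[last]["report_rate"] - by_campaign[first]["report_rate"],
    }


if __name__ == "__main__":
    print(rates_by(RESULTS, CAMPAIGN))
    print(rates_by(RESULTS, THEME))
    print(repeat_clickers(RESULTS))
    print(baseline_delta(RESULTS))
```

On the constructed data the click rate falls from 60% in the baseline campaign to 20% in the follow-up while the report rate rises from 20% to 60%, and "alice" is flagged as the one user who clicked in both campaigns. The per-theme view shows which lures still work, which is the input the "Identify Risk" step needs for the next round.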
Security awareness training is integral to a successful, people-centric approach to cybersecurity. By following the recommendations above, organizations can design programs that effectively and efficiently prepare employees for the attacks that increasingly target them directly.