Security awareness is grossly undervalued by most organizations. While large sums of money are spent on carefully designed infrastructure bolstered by software and services and maintained by talented security experts, a comparatively small portion of the cybersecurity budget is used to educate employees. We know that breaches can begin with successful phishing emails and stolen credentials, these attack vectors don’t get the attention they deserve.
A security team can sink an infinite amount of time and resources into strengthening your infrastructure, but it’s all for nothing if a default password is used by an exec, or someone in HR makes the mistake of responding to a clever phishing message.
Cybercriminals will always find the path of least resistance and for most organizations the easiest way in is through the people.
Hackers Are Winning
From organized cybercriminal gangs to corporate spies, from mercenaries for hire to state-sponsored hacking groups, there are a lot of bad actors out there determined to break through your defenses. The security professionals working to keep networks safe are badly outnumbered. For the most part, security teams are working in isolation with limited intelligence sharing, while hackers broadcast vulnerabilities and sell exploitation tools like ransomware kits on the dark web.
Confidence is understandably low. 61% of board members think hackers are more sophisticated than software developers, according to an RSM survey of 600 business leaders, which also found that 60% believe they may have been breached without their knowledge.
The business world is failing to cooperate as successfully as the criminal syndicates. Security is not getting the attention and support it needs from the board.
Security is Not Valued Equally by Everyone
Too many organizations focus on productivity levels, or prize product and service releases above everything else. Boards are failing to recognize the vital role security can play in realizing business goals. To make matters worse, many companies exacerbate security incidents by failing to deal with them in a decisive or timely way.
While the last couple of years show a disturbing increase in breaches, according to HackNotice analysis reported by Security Week, official breach notifications have declined by around 25%, with just 13.5% of notices now coming from official channels. This may be an indication that some organizations are trying to game the reporting laws to reduce the potential impact for lost customer confidence, lawsuit risk, brand reputation and share price.
Stolen data and vulnerability reports are primarily being leaked by hackers on the dark web. Many companies are scrambling to mitigate before they report incidents to minimize business impact. They will often claim that there’s no indication of data exfiltration when a breach has occurred, but that’s far from a guarantee that sensitive data has not been stolen. All too often, security teams are compartmentalized, but they can’t do a thorough job in isolation.
Building Security Awareness
Cybercriminals and other bad actors have tested a wide variety of approaches and a high volume of attacks enables them to identify the strategies that work. When you have stringent and robust network protection, the easiest way in is to persuade someone with access to let you in. Rather than trying to break down brick walls, you trick an insider into handing you a key. The only way to effectively combat this is by building security awareness across the workforce. Security should not the sole domain of a special team, it should be built into the foundation of everything you do.
Attackers are constantly evolving and sharing intelligence, so you need a continuous system of education that encourages heightened awareness of the risks and rewards the behavior you want to see. Training on security procedures and how to spot the signs of a phishing attempt must be regular and backed up with real-world examples. Measure the effectiveness of your training with security drills and imitative phishing campaigns. Not only will this help you identify weak spots and hone your training programs, but it also enables you to assess efficacy.
Reframing the Importance of Security
Many boards prefer tangible assets or services designed to boost security because they want to see a clear return on their investment. The benefits of security awareness training can be harder to quantify, so always measure your progress. The potential impact of security breaches is an important specter to raise, but you must also show the business benefits that come from valuing security more highly.
A strong security culture reduces the risk of breaches and helps you identify and address incidents swiftly and effectively. It helps you to decide secure products and services, eliminating the need for costly and technically difficult retrofitting of security standards. Factor in the reputational bonus that comes from compliance to certain security standards because it can help you forge new partnerships and win new business.
You can build real resilience when your workforce has a high awareness of potential threats, a clear picture of how to respond to suspected incidents, and an understanding of the business value of security.