The evolving threat landscape has made protecting digital assets even more difficult for businesses. Over the previous 24 months, this landscape has become far more intense. Ransomware, phishing and other threats all increased dramatically, with ransomware ranking as the top concern for IT and security staff. The percentage of successful breaches involving ransomware has increased to 10%. Phishing was involved in 36% of successful breaches, up from 25% in the previous year, according to the Verizon Data Breach Investigations Report for 2021.
Concurrently, the typical workday has radically changed as a result of the pandemic, with a large increase in remote and hybrid employment. The authors of Upwork’s Future Workforce Report 2021: How Remote Work is Changing Businesses Forever conclude that completely remote workers will constitute 27.7% of the workforce, compared to 20.4% who will be partially remote.
As a result of these two trends, cybercriminals are increasingly focused on social engineering, phishing and other tactics aimed at employees, who are often the weakest link in a business’s cybersecurity posture.
The skills gap is directly linked to breaches
We’ve all heard countless times about the persistent lack of cybersecurity talent. Worldwide, 80% of organizations suffered one or more breaches they could attribute to a lack of cybersecurity skills and/or awareness, according to the 2022 Fortinet Cybersecurity Skills Gap Global Research Report.
The report looked at the state of the cybersecurity workforce, including recruitment and retention of cybersecurity talent, the ability to find workers with certified skills, the difficulty of raising security awareness and more. In a world where the threat landscape is bigger than ever, yet 60% of organizations struggle to recruit cybersecurity talent and 52% struggle to retain it, new solutions must be found.
Cyber awareness training needs to be for everyone
While training is certainly not a replacement for skilled cybersecurity professionals, all these statistics underscore the need for increasing general cybersecurity awareness training. It’s high time to face the need to move beyond just relying on cybersecurity professionals within your company and extend cyber hygiene and awareness training to the whole staff.
In today’s world, cybersecurity needs to be part of everyone’s job; every employee has a role to play. Despite the importance of recruiting, retaining and certifying a cybersecurity team, organizations cannot really secure themselves until all employees are cyber-aware. This necessitates ensuring that all employees, at all levels and in all jobs, have the knowledge and awareness necessary to protect themselves and their company’s data. Until they do, a breach will always be a possibility.
What cyber awareness training should entail
To truly protect their most valuable digital assets and as part of their security strategy, all organizations should implement awareness programs for all workers and users. These programs must be comprehensive and programmatic to be effective in changing employee behavior, resulting in employees who are more cyber-aware and capable of recognizing threats and other risks to their companies.
Yet not all cyber-awareness training effectively changes behavior and integrates your workers into your security strategy. Many businesses keep security awareness training to a bare minimum. Typically, this is a response to some type of demand imposed on their company by a partner or by a governmental or industry compliance framework.
This least-effort approach doesn’t change how employees behave. To change behavior, use a programmatic approach. This approach involves using numerous touch points, formats and tools across the employee’s lifecycle to educate, test and reinforce what they’ve learned.
Ensure all employees are trained to recognize and report suspected malicious cyber activity, practice good cyber hygiene and safeguard their personal devices and home networks. Organizations can build a baseline of defense at the most vulnerable edge of their network by educating individuals — particularly remote workers — on maintaining cyber distance, being wary of suspicious requests, and implementing basic security tools and protocols. This will help keep critical digital resources secure.
Training delivery methods will vary; they may include online learning and workshops with experts, for instance. Choose the methods that work best for your organization’s size and particular needs.
Train to gain
Attacks are being developed by cybercriminals at unprecedented speed. They continue to take advantage of hybrid workers’ and IT’s growing attack surface. They’re also employing advanced persistent cybercrime tactics that are more harmful and unpredictable than previous methods.
That includes targeting your employees. It may seem overly simplistic to discuss cyber hygiene, yet the dearth of consistent cyber hygiene is the most serious and persistent issue facing most businesses. And the risk is only increasing as businesses expand their networks and, thus, their attack surfaces. With a significant cybersecurity skills gap and increasing attacks, organizations need all the advantages they can get. A programmatic cyber-awareness training program is one such advantage.