Blog maker

Training & Awareness: a difference factor in cybersecurity

The human element plays such a central role in cybersecurity that the theme for Cybersecurity Awareness Month 2022 revolves around “See Yourself in Cyber.” At the enterprise level, one of the most powerful ways to strengthen your security strategy is to invest in and improve cybersecurity training and awareness programs. Here’s why.

The human threat

A recent order study here at Nuspire on Top CISO Buying Trends, it was found that end users are an important area of ​​concern for decision makers. In fact, 50% of CISOs and IT decision makers surveyed cited human error as the primary reason for IT vulnerabilities.

It’s not that employees who use computer systems are inherently incompetent or reckless. But cybersecurity knowledge doesn’t come naturally to most people. Good cybersecurity practices require ongoing training and awareness on how to use systems safely and avoid common scams.

The training provides users with the knowledge to avoid misconfigurations, better secure their accounts, securely manage sensitive data, and evade social engineering attacks. But without turning learning materials into practice through continuous outreach, efforts to strengthen the human element in cyber defenses risk failing. When users are trained but not aware, they often forget when to avoid behaviors that would compromise cybersecurity or to act wisely and cautiously.

The odd contrast in modern cybersecurity is that despite the proliferation of advanced (and useful) tools to protect systems and data, successful attacks often exploit errors in user behavior. Social engineering attacks are particularly effective at using psychological manipulation to exploit untrained users.

When you consider the human element in cybersecurity, you’ll often see resources focus on malicious insider threats who deliberately exfiltrate data or install malware on their own employers’ systems. These stories are perhaps gaining more media traction due to the almost cinematic narrative of employees going rogue.

However, unintentional threats from people acting without sufficient knowledge or awareness represent the bulk of internal cyber risks for businesses. To deal with the human threat, it is necessary to invest in better training and awareness programs.

Nefarious Violations Caused by Employee Errors

To better understand the behaviors people engage in and the consequences that follow when cybersecurity training and awareness programs are ineffective or neglected, let’s examine three high-profile breaches caused directly by human error.

  • Twitter: A Bitcoin scam propagated on Twitter by compromising the accounts of over 130 people, each of whom had at least 1 million followers. Threat actors gained access to these accounts by sending targeted phishing emails to Twitter employees, which provided access to internal tools. These internal tools allowed attackers to take control of targeted accounts.
  • Toyota: A European subsidiary of the Japanese automaker lost $37 million when an internal employee was duped by a third-party hacker posing as a business partner. The “business partner” sent a phishing email which convinced someone working in the accounting or finance department to transfer the money.
  • Pegasus Airlines: In 2022, security researchers discovered 6.5 terabytes of sensitive data (equivalent to around 23 million documents) in an AWS S3 bucket belonging to the Turkey-based airline. An employee left the S3 bucket unsecured without a password or access control.

What makes effective cybersecurity training and awareness?

Here are some tips on what to incorporate into your training and awareness programs to improve knowledge of cyber threats and ensure best practices are taken into account.

  • Adapt the training materials to the situations and contexts in which the different employees of the different departments of the company find themselves daily. The information you want users to learn and retain is much more likely to resonate when it’s relevant to their actual operation and the systems they use.
  • Consider dividing material into smaller amounts of engaging modules throughout the year instead of the often tedious drudgery of employees having to go through multiple modules at once just to meet a specifically prescribed deadline.
  • Use simulated attacks as a good way to maintain user awareness of social engineering. These scams are increasingly targeted and sophisticated; nothing like a real-life situation without notice to help test current levels of social engineering awareness.
  • Prioritize educating users about the biggest cyber threats to your business and industry. Be sure to update it based on the prevailing threat landscape, using threat intelligence feeds and industry reports.

Measures to improve cybersecurity training and awareness programs

When cybersecurity training and awareness programs don’t work, it’s often because they’re left to stagnate. Completing the bare minimum of mandatory training modules is seen more as ticking a box and satisfying internal IT compliance teams. Improving your program starts with regularly reviewing it and evaluating its performance by collecting useful metrics. Here are some ideas to consider.

  • Collect the level of interest in training materials using self-report metrics and determine if ongoing outreach is resonating via indirect observations (e.g., percentage of monthly awareness newsletter emails open cybercrime).
  • Module completion rates are also a potential indicator of the level of engagement with learning materials or the effectiveness of your organization’s messaging regarding the importance of cybersecurity best practices to end users.
  • Anonymous surveys are great for gauging your company’s level of cyber awareness without the results being skewed by personalization and shaming people who don’t know or remember safe cyber practices.
  • Counting the number of IT security policy violations over defined time periods and comparing the results can help understand whether your program is truly influential and effective enough to change behavior.

It is vital to put people at the heart of your cybersecurity strategy. In a company with a strong cybersecurity culture and effective training and awareness, you can mitigate some of the most common attacks that still work with surprising regularity even in the largest companies.

The post office Training & Awareness: a difference factor in cybersecurity appeared first on nuspired.

*** This is a syndicated blog from the Security Bloggers Network of nuspired written by the Nuspire team. Read the original post at: https://www.nuspire.com/blog/training-awareness-a-difference-maker-in-cybersecurity/