What does it mean to generate cybersecurity awareness? How do you really do it? Here are a few tips and ideas.
Cybersecurity awareness training is a strategy used by IT and security professionals to prevent and mitigate user risk. Being constantly targeted by cybercriminals, employees are not just passively involved in information security breaches. Cybersecurity awareness programs are designed to help users and employees understand the important role they can play in securing an organization against cyber incidents and cyber breaches.
Everyone at each level within the company – from the C-suite to operations, finance, or staff positions – handles sensitive data. Recent research estimated that, on average, every employee has access to 11 million files. So everyone within an organization should receive basic cybersecurity education. But what do employees need to know about cybersecurity?
There are many areas of the organization’s cybersecurity strategy that cyber awareness training needs to cover to ensure cyber security compliance: from data governance to security and privacy regulations (like GDPR compliance, HIPAA compliance, PCI DSS compliance, NIST cybersecurity policy, etc.), cybersecurity best practice, and cyber hygiene. Besides explicit cyber security e-learning, training sessions might also cover aspects of physical security, touching real corporate life scenarios – remember last time you were in a café and you left your corporate badge or that company USB stick unguarded?
In a nutshell, a comprehensive cyber awareness education program should cover areas like:
You don’t need to be a shrewd cybersecurity analyst or a security operation professional to help your company protect itself against cyber attacks. Stay vigilant, and stick to best practices. That’s why cybersecurity education can go a long way!
People are the weakest link in security strategies. According to the Verizon 2021 Data Breach Investigations Report, 85% of breaches out of a sample of 5,258 breaches analyzed in 2021 involved a human element, with phishing occurring in 38% of data breaches and featuring as the most prevalent threat action. People become a cyber-risk factor because they are more flexible, more productive with access to various software and applications, and prone to producing and sharing tons of data.
The good news is – an engaging security awareness training program can help turn your employees into your first line of defense. In the endless fight against cyber breaches, an organization’s ability to train its members to influence their cybersecurity behaviors to protect against data breaches and security incident scenarios like credential theft, social engineering, and user error can seriously shift the odds.
So what are the driving factors that make cybersecurity training so important?
Firstly, cybersecurity awareness helps to protect your remote workers. According to a Gartner survey, 90% of HR leaders indicated that they now completely trust employees to work from home. How do you protect them from an ever-increasing number of cyber-attacks? Yes, you can implement technologies that secure their connectivity – like VPNs – protect their local perimeter and the “service edge” – like secure web gateways – and secure access to key applications and digital assets – like two-factor authentication. You can design ad-hoc cybersecurity policies for remote workers - like “no printing at home” or “always use your VPN.” And still, cybersecurity education and awareness are hard to beat. While people may find expedient ways to evade security controls or ignore company cybersecurity policy and compliance to be more productive, they need to be aware of the risks they can cause to their organization when bypassing an information security policy or cyber security control.
Secondly, influencing cybersecurity behaviors can bear a phenomenal return on investment. Cybersecurity training is an essential means of creating a culture of cybersecurity – defined by Huang and Pearlson as the “beliefs, values, and attitudes that drive employee behaviors to protect and defend the organization from cyber-attacks.” Changing basic beliefs at the leadership, group, and individual level can lead to tangible results – as reported by Verizon – like an improvement in cyber threat susceptibility, positive response to cyberattack simulations, and increased number of phishing reports. So positive cyber awareness training can lead people from any department to engage proactively and change their cybersecurity actions (e.g., use a password manager), their habits (repeatable actions), and ultimately, their cybersecurity behaviors (a combination of actions and habits).
Finally, data is everywhere, and it can take oodles of different forms in today’s world. People are constantly producing, sharing, and distributing data. Sensitive information is continually manipulated, reformatted, or modified. Inevitably, users constantly create new data exfiltration channels. Data security teams can work hard and take a structured approach of chasing after data – the classic multi-stage method of searching and labeling data, running data classification software, and implementing data loss protection technologies and controls. But 80 to 90 percent of data generated by organizations is unstructured (images, videos, audio files, emails, messages on chats, screenshots, presentations – you name it), and eventually, people are the biggest variable in data security. A sound security awareness and cyber education program can lead employees to make security-conscious choices, guide user actions, and educate people to make the right decisions when interacting with critical data.
There are various strategies that companies currently adopt to keep employees vigilant and educate people on cybersecurity practices, cyber attack techniques, and routine cyber hygiene procedures. You want your employees to be aware of data risk scenarios like social engineering threats. You want them to recognize the different types of attacks, avoid data risk, and ultimately embrace cybersecurity best practices so that they do not expose themselves to potential compromise scenarios or data breaches. And finally, you need to prepare employees to take the appropriate reporting and response actions in case of compromise.
Professional and interactive security awareness e-learning comes in several forms – like gamified cyber awareness training, phishing simulations, general cyber attack simulations, interactive training with examples and quizzes, and videos or apps with live-action or real-life scenarios.
A positive and up-to-date cyber awareness program will stick to a few basic principles:
According to the Verizon 2021 Data Breach Investigations Report, “the simulations and training offered by most security education teams do not mimic real-life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives.” Malicious actors continuously adapt their cyber attack techniques to human behavior. Targeted attacks result in organizations experiencing different variations of the same types of attacks. How can they customize their cybersecurity behavior programs effectively and in line with the threat landscape?
One answer is a form of active cyber learning called incident-based training – an approach to learning where students are actively or experientially involved in the learning process. Active learning, in general, is reportedly effective. On average, students in traditional lecture courses are 1.5 times more likely to fail than students in courses that use active learning, and average STEM examination scores improved by about 6% in active learning.
With incident-based training, students construct their understanding of cybersecurity as they are presented with engaging and varied training content, relevant to cybersecurity incident scenarios. Training activities and content provide information about the adversary tactics and techniques, the cybersecurity behavior, the impact of the cyber attack, and incident response actions and behaviors. Incident-based training provides memorable and timely cyber security training titbits that people associate to real-life cyber incident scenarios: videos, pop-up messages, extensive training documentation like acceptable use policies, etc.
Besides incident-based training, other examples of active cyber learning include:
Examples of incident-based training include data exfiltration scenarios like users uploading files to unauthorized file-sharing services or social engineering and phishing, where users are warned of a potentially malicious email. Straightforward active cyber learning actions like a pop-up message or training video can ultimately prevent or discourage risky or malicious behavior.
Cyber hygiene relates to particular practices taken to ensure the security of data and devices ultimately. Users embrace cyber hygiene practices to keep sensitive data safe and secure from data exfiltration and data theft. When it comes to devices instead, cyber hygiene refers to the steps taken to maintain system health, ensure timely system updates (especially security updates), and improve online security.
Problems linked to cyber hygiene include data loss across physical or cloud storage devices, hacking, misplaced data, security breaches, ineffective cyber security controls resulting from legacy security software, or outdated antiviruses.
Cyber hygiene refers to the maintenance of data security on the one hand, and hardware and software security on the other. So best cyber hygiene practices include:
Cyber resilience is an organization's ability to stand up to adverse cyber events - anticipating, withstanding, recovering from, and adapting to adverse cyber conditions like cyber attacks and security system compromises. If your company is affected by a cyber attack, possibly caused by a security vulnerability, cyber resilience includes the ability of the organization to get back on its feet.
While cybersecurity primarily deals with how an organization can prevent a cyber attack, avoiding cyber threats, cyber resilience relates to the ability to recover from a cyber attack – mitigating cyber damage, and ensuring business continuity even if data security or cyber security systems have been compromised. Adverse security events can result from adversarial threats such as cyber incidents and data breaches (like insider threat, malware, system intrusion, denial of service, social engineering, etc.) or non-adversarial threats like human error.
Non-adversarial threats can cripple an organization and result in damages to the security infrastructure. By delivering an understanding of cyber risk and cybersecurity incident scenarios, cyber security awareness training discourages negligent or risky user behaviors.
While working outside of the office, users are exposed to a plethora of external cyber threats and potential data breach scenarios. Implementing proactive prevention through zero trust security is essential, but sometimes it is not enough. You need your IT users and employees to be on your side. Security awareness training is often listed as the number one precaution aimed at improving cyber resilience. And it is an integral part of many cyber resilience frameworks.
No security solution or cybersecurity technology is perfect. In 2020, an estimated 81% of organizations were affected by a successful cybersecurity attack. Sometimes it is best to assume there will be an attack and build comprehensive post-incident scenarios. Cybersecurity education is essential in enabling investigators to assess a security breach and to implement a data breach protocol quickly.
The more your staff is receptive to cyber security and understands its importance, the stronger your cybersecurity posture and the larger your degree of cyber resilience. Once again, creating a positive cybersecurity culture is functional to recovering quickly from an attack.
Cybersecurity maturity refers to an organization’s degree of readiness to prevent threats from hackers, manage vulnerabilities, and respond to attacks. This includes assessing cyber security posture, comprehending the degree of preparedness, and defining procedures and protocols aimed at preventing cyber threats before they become breaches.
Organizations can improve their degree of cybersecurity maturity by addressing issues proactively to reduce their attack surface. Cyber maturity frameworks like the NIST Cybersecurity Framework or the Cybersecurity Capability Maturity Model (C2M2) provide guidance to evaluate an organization’s cybersecurity program and its underlying people, processes, and technologies. They are often based on existing standards, guidelines, and practices (for instance, threat detection and response or data protection standards) and aim to guide organizations to better manage and reduce cybersecurity risk.
Cybersecurity frameworks are divided into components or domains and often are paired with scoring systems that allow organizations to assess their level of readiness on several levels. This structured performance appraisal known as cyber maturity assessment allows evaluating an organization’s cybersecurity functions such as the ability to identify cybersecurity risks, prevent them, respond to cyber risks, and recover from cybersecurity incidents.
Cybersecurity practices that guarantee a strong cybersecurity posture have seen huge advancements in recent years. For instance, penetration testing, system hardening, secure software development, and digital forensics have massively evolved. But what about cybersecurity awareness? SANS feels that “one of the biggest challenges we face in security awareness is its lack of maturity” and for this reason, they defined a Security Awareness Maturity Model.
Cyber mature organizations exceed simple requirements dictated by basic cyber security compliance. Just delivering one presentation a year won’t cut it. At the very least, employees need to gain confidence in organizational policies, understand their role in protecting information assets and absorb how to prevent, identify or report a security incident. And for the organization to maintain a reasonable level of security awareness maturity, a cyber security awareness program that makes an impact needs to hinge on selecting the topics that have the greatest potential of cyber threat prevention, implementing continuous reinforcement of cyber security education, encouraging positive behavior change and communicating topics positively and engagingly.
Our answer to all these questions is simple: active cyber learning and incident-based training. By adopting these strategies, companies and organizations can readily improve their level of cybersecurity maturity.