Employees: The First Line of Defense Against Cyberattacks
Burnout is a huge issue for employees. In a recent study from 1Password, 80 percent of office workers and 84 percent of security specialists reported being burned out. What’s worse, approximately 20 percent of these burned-out employees said the security policies for the companies they work for “aren’t worth the hassle.” This is not the attitude you want from the people who should comprise your first line of defense in cybersecurity.
These statistics on burnout and attitudes toward security are even more alarming given that phishing, when it is not detected or blocked, is cited as one of the most common initial access techniques employed by criminals to breach company networks, as detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a recent security alert.
While companies can—and should—implement technological solutions to harden their networks against compromise, their people must form a critical component of their cybersecurity defenses. In today’s world, security and risk management is everyone’s responsibility—not just that of a select few cybersecurity specialists within the organization. Our challenge as security professionals is to educate and motivate our people to be the company’s first line of defense against cyberattack, not the weakest link.
That’s where employee cyber awareness training comes in. This is the mechanism by which we educate employees about cyberthreats facing companies and individuals, how to recognize an attack, and crucially, empower people with the tools required to mitigate these threats and protect the company.
Here are some of the benefits and best practices of implementing cyber awareness training for your business.
Fostering a Culture of Security
Leadership matters. For security awareness training programs to be successful, employees must understand, from their executives down to their direct manager, that cybersecurity is a priority for the company. Leadership must set the example and take ownership of driving engagement with the program, completion of assigned training, and remediation of stragglers. And this cannot be a one-off touchpoint with employees; leadership must reinforce their cybersecurity messaging on an ongoing basis, taking care to highlight program successes and challenges where appropriate (a phishing attack successfully identified and remediated, improved simulated phishing test pass rates, etc.).
By setting the example and establishing cybersecurity as an enduring priority, company leadership can begin to drive a culture of security within the organization to protect both the company and its employees from cyberattack.
Positive feedback loops that clearly link training to real-world outcomes affecting the business are critical for driving buy-in, engagement, and an effective threat mitigation program.
Recently, one of my colleagues mentioned that she had received an email that looked suspicious and reported it as a phishing message, thinking that it was part of our own security awareness training program. When such simulated phishing messages from our training platform are reported by our employees, they receive a pop-up that says, “Congratulations! You just passed a test from your employer!” providing instant feedback to reinforce training previously administered.
In this case, however, the reported email wasn’t part of the training program—it was an actual phishing attempt against the user. The message was consequently sent to our internal IT team for analysis and a short time later, she received an email informing her that the attempt was in fact a real-life threat and that her actions had helped to prevent a potential cyberattack against the company. This is because we have taken the extra step to incorporate real-time user feedback into our phishing threat remediation processes, in addition to the user feedback provided by our security awareness training platform.
Empowering employees with a mechanism to participate in the company’s cybersecurity defenses, while also providing them feedback on their efforts, is a crucial part of building buy-in for a culture of security and fighting complacency within organizations. These tools cannot be “black holes”; they must be interactive, and they must help shape the behavior of our users for the better.
Identifying and Remediating Risk
Centralized training programs also serve to identify which individual employees are most at risk of becoming victims of social engineering (that is, the use of deceptive tactics to trick individuals into divulging confidential or personal information that may be used for fraudulent purposes). This insight into user-level risk and vulnerability is important for customizing training and remediation to drive effective programs that produce results.
One of our clients, for instance, recently implemented a security awareness training program for their employees, incorporating the best practices advocated in this article, including user-level visibility of employee risk and remediation. When first launched, the client experienced a baseline 27 percent phishing failure rate across the company. Within 90 days, they were down to 3 percent. Training can work when done right.
Adhering to Compliance Standards and Best Practices
Beyond simply making it harder for criminals to get into your networks, there are second- and third-order benefits from educating and empowering your people to be your first line of defense against cyberattacks. For example, some industries simply require these training programs as part of their compliance requirements and due diligence. For companies held to such requirements, non-compliance can put existing or future business opportunities at risk.
Opening the aperture beyond what may be strictly required, however, we must understand that no company is completely insulated from upstream or downstream disruptions to its own supply chain, and businesses increasingly want to know that their vendors and customers are themselves secure. Within this context, the subject of security awareness training is coming up more frequently. Companies that effectively implement these programs will be in a strong position to both harden themselves against cyberattacks and compete for new business.
Cyber awareness training might also allow you to save money on your cyber insurance policy (and will likely be a requirement to secure the policy in the first place). Consequently, the benefits of effective security awareness programs extend well beyond protecting individuals and the company; they can sustain and drive new business as well.
The average cost of a data breach increased 2.6 percent from $4.24 million in 2021 to $4.35 million in 2022, according to research from IBM. For most—if not all—companies, such a breach would be devastating enough that investing time and resources into proactively training employees can mean the difference between sustaining business operations and continued growth—or going out of business entirely.
This information is meant to establish a baseline of the current state of the security space, not to be used as a scare tactic. Fear shouldn’t be leveraged to drive security outcomes. Instead, security should be discussed within the context of organizational empowerment to sustain and grow. Viewed from this perspective, effective security awareness training programs are a critical step that organizations should adopt to ensure they can thrive within the realities of the environment in which we operate.
Ultimately, the goal of an employee cyber awareness program is just that: creating awareness. In this case, what you don’t know truly CAN hurt you. It’s about instilling the confidence employees need to know and understand why we need to operate in a security-first culture, remain vigilant, and properly respond to threats.
Eric Regnier, CISSP, CCSP, PMP, is the Manager of IT Security and Compliance for ZAG Technical Services, an award-winning IT consulting firm and managed services provider based in San Jose, Calif. Regnier specializes in the strategy and implementation of security solutions within organizations. He is a former U.S. Navy submarine officer, holding master’s degrees in technology policy and computer science.
© ZAG Technical Services