The ever-changing cyber threat landscape means that every business should have a functional cyber security awareness program in place. In spite of increased spending on IT security, cyber crime is on the rise. A recent study by Verizon shows that phishing is still the most prevalent threat action in successful data breaches involving social engineering and malware attacks.
Instead of breaking through an organization’s infrastructure, attackers use social engineering tactics on vulnerable employees. Social engineering is the use of deception and manipulative tactics to make individuals divulge sensitive and personal information that can be used for malicious purposes.
What is Cyber Security awareness?
Cyber security awareness entails understanding the threats to information assets and acting responsibly to protect the organization's information assets and personal information. It involves knowing and following recommended best practice for using digital devices, following security policies and using common sense. The risks and threats include data breaches, ransomware attacks, malware attacks and phishing attacks, including spear phishing and business email compromise.
Financial gain, political interests or access to sensitive information are some of the motivations of cyber criminals. Hackers are constantly identifying vulnerabilities that they can exploit for malicious purposes. Successful cyber attacks have resulted in huge financial losses, reputational damage, job losses and even the closure of companies.
The Importance of Cyber Security Awareness
Cyber security awareness is one of the basic but critical information security controls that an organization should put in place. Awareness helps mitigate cyber security risks by creating a risk-aware culture among employees. The objective is not to turn employees into technical experts but to equip them with basic knowledge of the red flags to look out for. It is important that all employees understand their role in protecting the organization's information assets.
Awareness should also cover all of the organization's information security policies. There should be a pre-defined disciplinary procedure for dealing with non-compliance with organizational policies and with the security awareness training. Employees should also understand the process for reporting security incidents in the organization.
How to Get Started
An organization looking to run a cyber security awareness program should start by assessing its security awareness needs. This can be done by carrying out a security proficiency assessment on different topics to identify the gaps in awareness. A phishing assessment is also a great way to identify high-risk users in an organization. High-risk users need more awareness, and the awareness plan should take that into consideration. It is best practice to define roles and responsibilities within the organization for the execution of the awareness program.
The next step is to develop awareness and training material. Content development can be managed in-house or outsourced to a security awareness content provider. Content development is a time-consuming and resource-intensive process.
Small businesses can capitalize on existing cloud-based security awareness training and simulated phishing providers. Topics that should be covered include password security, use of social media, incident management, acceptable use of IT, email security and other topics relevant to the organization. Delivery techniques can vary from one piece of content to another: they can take the form of posters or artwork, instructor-led sessions, banners, video modules, computer-based training or games such as crossword puzzles.
The Effectiveness of a Cyber Security Awareness Program
The effectiveness of the program should be determined periodically. This can be achieved by defining metrics for measuring its success. Training participation is one way of determining the success of a program; it can be tracked manually through a training attendance register, and where training is delivered on an e-learning portal the organization can monitor training reports. Assessments can be conducted to check whether employees are actually completing the training content allocated to them. Simulated phishing tests are another way to test the vulnerability of employees.
With automated security platforms, an organization can monitor its phish-prone percentage over time to determine the effectiveness of security awareness training. According to KnowBe4, an organization's phish-prone percentage indicates the percentage of employees that are likely to fall for social engineering and phishing scams. Employees can also give feedback on the relevance of the program.
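As an added illustration of the metrics described above (not code from the original article or from any vendor platform), the script below computes the phish-prone percentage and report rate per simulated phishing campaign from constructed sample results, and lists the repeat clickers who should be prioritized for extra awareness. The campaign names, user names and outcome labels are all assumptions made up for the example.

```python
from collections import Counter

# Constructed sample data (not real campaign results): for each simulated
# phishing campaign, what every targeted user did. "clicked" and
# "credentials" count as failures; "reported" means the user flagged the email.
RESULTS = {
    "2023-Q1": {"alice": "clicked", "bob": "credentials", "carol": "ignored",
                "dave": "reported", "erin": "clicked"},
    "2023-Q2": {"alice": "clicked", "bob": "ignored", "carol": "reported",
                "dave": "reported", "erin": "clicked"},
    "2023-Q3": {"alice": "reported", "bob": "ignored", "carol": "reported",
                "dave": "reported", "erin": "clicked"},
}
FAILURE_ACTIONS = {"clicked", "credentials"}


def phish_prone_percentage(results, campaign):
    """Phish-prone percentage for one campaign, in the KnowBe4 sense:
    share of targeted users who clicked the link or submitted credentials."""
    actions = results[campaign].values()
    failed = sum(a in FAILURE_ACTIONS for a in actions)
    return round(100.0 * failed / len(actions), 1)


def report_rate(results, campaign):
    """Share of targeted users who reported the simulated phish; a rising
    report rate is the positive counterpart of a falling phish-prone percentage."""
    actions = results[campaign].values()
    return round(100.0 * sum(a == "reported" for a in actions) / len(actions), 1)


def ppp_trend(results):
    """(campaign, phish-prone percentage) pairs in campaign order, to track
    the effect of awareness training on behaviour over time."""
    return [(c, phish_prone_percentage(results, c)) for c in sorted(results)]


def high_risk_users(results, min_failures=2):
    """Repeat clickers: users who failed in at least min_failures campaigns,
    most failures first. These are the high-risk users needing extra awareness."""
    failures = Counter(user for users in results.values()
                       for user, action in users.items() if action in FAILURE_ACTIONS)
    risky = [(u, n) for u, n in failures.items() if n >= min_failures]
    return sorted(risky, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for campaign, ppp in ppp_trend(RESULTS):
        print(f"{campaign}: PPP {ppp}%, report rate {report_rate(RESULTS, campaign)}%")
    print("high-risk users:", high_risk_users(RESULTS))
```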
It is clear that the human factor is the weakest link in cyber security. A recent successful cyber attack is the WannaCry ransomware attack, which infected over 300,000 computers. Data breaches have affected businesses of all sizes, and millions of user records have been compromised. Companies such as eBay, LinkedIn and Yahoo have had to do a lot of damage control as a result of data breaches.
It is therefore senior management's responsibility to ensure that employee security awareness training is part of the information security strategy. This involves setting aside funds for security awareness training and setting up mechanisms to ensure that the program is effective. The success of a cyber security awareness program depends on senior management's support for the program.