In the past several years, cyberattacks have increased at a rate never seen before. This has been attributed to the rise of remote work following the COVID pandemic, but also to the broader digital shift in how we conduct both work and leisure. This has fundamentally changed how we must think about security. Cyber security awareness training is one of the core elements we need to take into consideration when thinking about cyber security.
The Cost of Low Cyber Security Awareness
The numbers demonstrate the rapid change that has been going on just in the past couple of years:
- 2021 had the highest average cost of a data breach yet, rising from USD 3.86 million in 2020 to USD 4.24 million, according to the IBM Cost of a Data Breach Report.
- Ransomware attacks have doubled between 2020 and 2021.
- The record-breaking ransomware payout in 2021 was 40 million dollars.
- According to FinCEN, ransomware payouts in the first six months of 2021 amounted to 590 million dollars, exceeding the 416 million dollars paid out in the whole of 2020.
Combating Human Error with Cyber Security Awareness
It has been estimated that 85% of all cybersecurity breaches are due to human error. Of those, 36% are due to phishing. But that’s not all: a general lack of knowledge about cyber security best practices, ranging from reusing passwords to not password-protecting one’s phone, is also a common culprit. Organizations are in dire need of cyber security training programs that tackle these threat vectors. Measuring the effect of security training is also important. This helps with general cyber risk mitigation and shows the overall status of security awareness within the workplace. Doing a vulnerability assessment on employees will show security leaders whom to train and how.
The majority of cyber security breaches are not brute-force attacks, but rather the result of poking around for vulnerabilities. They rely on people making mistakes and being unaware of the risks.
This can be:
- Clicking on links in phishing emails that will install malware into critical systems
- Bad password habits, such as re-using passwords or having simple passwords, making it easy for hackers to crack into systems or inboxes
- Not installing critical software updates, or accepting updates from unreliable websites.
This is why we need cyber security awareness training. But what exactly does that entail?
So What is Cyber Security Awareness Training?
Cyber security awareness training is a combination of raising awareness and educating about tools and the latest threats. Part of it is implementing and reinforcing policies and best practices. In the end it all comes down to risk mitigation and cyber risk management. Security awareness training is based on the premise that, in order to protect against cyberattacks, it is not enough to have only technical solutions. Organizations also need social and cultural knowledge, on an individual level, about threats, tools, and best practices.
4 Principles of Cyber Security Awareness Training:
1. It is human-centric
Making cyber security awareness training personal and humanized makes it relevant to real-life circumstances. Adult learners are more likely to take instructions seriously if they are professional, personal, and relevant. A touch of humor doesn’t hurt, but the main focus should be on raising awareness and educating about new threats or technologies.
2. It is incremental
Users have different levels of knowledge about existing threats and potential security vulnerabilities. Cyber security awareness training does not aim to make every employee a cyber security expert. Rather, it aims to give employees enough knowledge and understanding of the threat landscape to be able to question suspicious emails or activities, to understand why complex passwords are important, why it is necessary to install security updates, and what a password manager is. Doing so in steps is the only way, as there is a lot to learn!
3. It has metrics to measure what is working and how to train
Having security training that is targeted to the needs of your organization and the skills of your employees is the key to success. Successful cyber security awareness training is dynamic. It needs to be relevant to current threats, as well as to the knowledge and understanding of the employees. There is no “one-size-fits-all” when it comes to cyber security awareness training. Having metrics that enable organizations to customize their cyber security awareness training according to their needs is essential.
4. It is genuine
The leadership needs to take the cyber security awareness training seriously and care about cyber security training in a positive way. This is what we call creating a security culture that focuses on creating and maintaining a healthy and positive attitude towards cyber security.
Does Cyber Security Awareness Training Work?
“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.” (ChiefExecutive)
The above statement has been repeated in one way or another for years. If 9 out of 10 cyber attacks stem from human activity, the first logical step is to minimize risk by focusing on the humans.
Studies and reports from multiple sources, such as Aberdeen Group and Global Market Estimates, suggest that cyber security awareness training can minimize cyber risks by up to 70%. They also state that it can give organizations an ROI of about 5 times. Even if you are only doing cyber security awareness training to check off a compliance item, you are still doing good for your organization. An even better reason to offer cyber security awareness training is to minimize the risk to your bottom line. You could and should create a workforce that is your number one defense against cyber attacks.
AwareGO offers top quality micro-learning videos that employees love, proven to increase engagement and learning.