In the past several years, there has been an increase in cyberattacks such as we have never seen before. This has been attributed to the increase in remote work following the COVID pandemic, but also to the broader shift to conducting both work and leisure online. This has fundamentally changed how we must think about security. Cybersecurity awareness training is one of the core elements we need to take into consideration when thinking about cybersecurity.
The cost of low cybersecurity awareness
The numbers demonstrate the rapid change that has been going on just in the past couple of years:
- 2021 had the highest average cost of a data breach yet, rising from USD 3.86 million in 2020 to USD 4.24 million, according to the IBM Cost of a Data Breach Report.
- Ransomware attacks have doubled between 2020 and 2021.
- The record-breaking ransomware payout in 2021 was 40 million dollars.
- According to FinCEN, ransomware payouts in the first six months of 2021 (590 million dollars) already exceeded the whole of 2020, which amounted to 416 million dollars.
Combating human error with cybersecurity awareness
It has been estimated that 85% of all cybersecurity breaches are due to human error. Of these, 36% are due to phishing. But that’s not all: a general lack of knowledge about cybersecurity best practices, ranging from reusing passwords to not password-protecting one’s phone, is also a common culprit. Organizations are in dire need of cybersecurity training programs that tackle these threat vectors. Measuring the effect of security training is also important: it helps with general cyber risk mitigation and shows the overall status of security awareness within the workplace. Doing a vulnerability assessment on employees will show security leaders who to train and how.
The majority of cybersecurity breaches are not brute-force attacks, but rather opportunistic probing for weaknesses. They rely on people making mistakes and being unaware of the risks.
This can be:
- Clicking on links in phishing emails that will install malware onto critical systems
- Bad password habits, such as reusing passwords or choosing simple passwords, making it easy for attackers to break into systems or inboxes
- Not installing critical software updates, or accepting updates from unreliable websites
This is why we need cybersecurity awareness training. But what exactly does that entail?
So what is cybersecurity awareness training?
Cybersecurity awareness training combines raising awareness with education about tools and the latest threats. Part of it is implementing and reinforcing policies and best practices. In the end it all comes down to risk mitigation and cyber risk management. Security awareness training is based on the premise that technical solutions alone are not enough to protect against cyberattacks. Organizations also need social and cultural knowledge, at the individual level, about threats, tools, and best practices.
What successful cybersecurity awareness training looks like
1. It is human-centric
Making cybersecurity awareness training personal and humanized makes it relevant to real-life circumstances. Adult learners are more likely to take instructions seriously if they are professional, personal, and relevant. A touch of humor doesn’t hurt, but the main focus should be on raising awareness and educating about new threats or technologies.
2. It is incremental
Users have different levels of knowledge about existing threats and potential security vulnerabilities. Cybersecurity awareness training does not aim to make every employee a cybersecurity expert. Rather, it aims to give employees enough knowledge and understanding of the threat landscape to question suspicious emails or activities, to understand why complex passwords are important, why it is necessary to install security updates, and what a password manager is. Doing so in steps is the only way, as there is a lot to learn!
3. It has metrics to measure what is working and how to train
Having security training that is targeted to the needs of your organization and the skills of your employees is the key to success. Successful cybersecurity awareness training is dynamic: it needs to be relevant to current threats, as well as to the knowledge and understanding of the employees. There is no “one-size-fits-all” when it comes to cybersecurity awareness training. Metrics that enable organizations to customize their cybersecurity awareness training according to their needs are essential.
4. It is genuine
The leadership needs to take cybersecurity awareness training seriously and engage with it in a positive way. This is what we call creating a security culture: one that focuses on creating and maintaining a healthy and positive attitude towards cybersecurity.
Does cybersecurity awareness training work?
“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.” (ChiefExecutive)
The above statement has been repeated in one way or another for years. If 9 out of 10 cyberattacks stem from human activity, the first logical step is to minimize risk by focusing on the humans.
Studies and reports from multiple sources, such as Aberdeen Group and Global Market Estimates, suggest that security awareness training can minimize cyber risks by up to 70%. They also state that it can give organizations an ROI of about 5 times. Even if you are only doing cybersecurity awareness training to check off a compliance item, you are still doing good for your organization. An even better reason to offer cybersecurity awareness training is to minimize the risk to your bottom line. You could and should create a workforce that is your number one defense against cyberattacks.
AwareGO offers top quality micro-learning videos that employees love, proven to increase engagement and learning.