What keeps IT managers up at night is often not how good their security defenses are; it's what one of their end users might do. A recent report from Oracle says "both C-suite executives and policymakers rank 'human error' as the top cybersecurity risk for their organization." In fact, almost 90 percent of cyber attacks are caused by human error or behavior. The stakes are enormous. The 2019 Ponemon Cost of a Data Breach Report puts the average cost of an attack at $3.9 million.
Don't Be a Statistic
Let's face it, cybercriminals are some of the most devious people on earth and end users are always going to fall victim, but just a little cybersecurity awareness can ward off many of the most common types of attacks. That's why organizations should implement security training programs and make them mandatory. Research shows that organizations with cybersecurity awareness training programs in place suffer far lower financial losses to cyber attacks than those that do not. For example, training on how to spot a bogus email was shown in one study to reduce susceptibility by 75 percent.
What to Do
So, what should security training focus on? You can reduce risk by raising end-user awareness around three key topics.
1) Social Engineering Attacks
Social engineering attacks fool employees into turning over sensitive company data by clicking a malicious link or opening a harmful file. Verizon's 2019 Data Breach Investigations Report found that social attacks accounted for 33 percent of all breaches investigated.
The risk of end users falling victim to such attacks can be blunted by teaching them some basic digital "street smarts" around how to recognize and avoid frequent methods of attack. This is accomplished with online training tools and testing. That can be followed up with mock malware and phishing messages to see how employees react. More training is then scheduled for those who fall for the scams.
2) Sensitive Data Handling
Another area where human error or behavior can lead to cybersecurity problems is how sensitive data is handled. 58 percent of companies have over 100,000 folders accessible by every employee and open to everyone. 83 percent of IT leaders say they believe employees have put company data at risk accidentally in the last 12 months.
All it takes is someone emailing the wrong person thanks to an auto-insert email address feature in a mail app, or stepping away from their device without locking the screen, and you have the potential for serious data theft. Using public servers and Wi-Fi with poor security are also common risks.
Again, mandatory cybersecurity awareness training helps. Implement a process for properly encrypting, storing, transferring, deleting, and destroying confidential data.
3) Identifying Incidents
If the worst happens and there is a data breach, Ponemon found it takes an average of 279 days to identify and contain it.
Workers should know how to spot suspicious behavior and what to do if they do mistakenly click on a bad link or download a malicious file. There should be set policies in place for how incidents are escalated to the appropriate IT resources to contain the problem as quickly as possible. While nobody wants to be "that guy" who got taken in, employees need to understand that trying to hide a problem by sweeping it under the rug will bring serious consequences.
Use Artificial Intelligence as a Second Line of Defense
Human beings are human after all, so many organizations are turning to advanced technology like artificial intelligence to detect and thwart attacks. Unlike legacy systems that require some level of human interaction, smart tools run 24/7 with advanced event monitoring and automated responses that dramatically reduce the time it takes to sniff out and shut down problems.
Cybersecurity Awareness Training Pays for Itself
There are so many benefits that come with cybersecurity awareness training that every organization should make it mandatory. Not only does it block the majority of social engineering attacks and ensure that sensitive data is handled properly, but it also gives employees more confidence in their technical knowledge, which improves morale and peace of mind.