The landscape of cybercrime is constantly shifting. As cybercriminals adopt more sophisticated attack methods and exploit any and every weakness, it is increasingly important to invest in your own cyber safety to keep ahead of current threats.
Since the outbreak of COVID-19, there has been an eye-watering 63% increase in cybercrime. Attackers are also increasingly targeting end users, knowing that the majority of successful breaches stem from human error. This has led to a steep increase in ransomware and phishing attacks, a trend that looks set to continue throughout 2021. In fact, human error is a major contributing cause in 95% of data breaches.
To help protect against human error, many organizations are looking to invest in security awareness training solutions. Security awareness training (SAT) is designed to train your employees to protect against cyber threats by identifying and reporting them, helping to reduce the window for potential breaches. But security awareness training as a box-ticking exercise is not enough; it is important to build a solid security culture.
So, the question is: how do you effectively empower your employees to prevent breaches caused by human error, without placing too much pressure on them to achieve impossible perfection?
We spoke to Tyler Schultz—Product marketing manager at Infosec—to discuss the Infosec IQ awareness training platform and how organizations can keep up with and tackle today’s biggest security challenges, while also building a strong culture of cybersecurity, which all employees can play an active part in maintaining.
Keeping Up With The Current Threat Landscape
Cyber threats are always evolving because attackers are continually working to improve their methods and keep one step ahead of our security systems. Cybercriminals also know how to capitalize on times of instability and uncertainty, so it was hardly a surprise to see them exploit the chaos of the 2020 pandemic. While businesses all over the world adopted remote working in an effort to protect the health of their workforce, cybercriminals got busy crafting ways to exploit the 127% increase in vulnerabilities caused by remote working.
When we asked about the challenges caused by the pandemic, Schultz explained that there have been some necessary practical changes, such as eliminating in-person training, but also, more importantly, the need to adapt to new post-COVID security threats and to prioritize effective engagement.
“Part of the shift included making the delivery method of training better and more effective in the virtual world. But there has also been a shift towards ensuring content is tailored to the specific types of attacks people are facing due to working from home or connecting to public Wi-Fi. These are new challenges that come with an entirely different risk environment.”
Social engineering and phishing attacks are among the most significant security issues organizations are dealing with today, and these are two of the key problems awareness training can help to solve. “Awareness is a big part of this,” Schultz explains, “helping employees understand what these attacks are, how they might look, and what to do if they are targeted by a social engineering attack or if a phishing email lands in their inbox.”
One of the most important tools organizations can use to combat these threats is simulated phishing emails. “Really, it’s the perfect test,” Schultz tells us, “to test for social engineering and phishing attacks in the same environment where real attacks are going to happen.”
This also gives companies the ability to deliver training immediately, depending on the users’ actions. With Infosec’s solution, if users do click on a simulated phishing link, training can be served that is tailored to that specific attack, so they can be made aware of what they did not spot initially. This has proven to be an incredibly effective educational tool, Schultz tells us. His recommendation is to send a baseline phishing test to ascertain where your organization stands, then you can see how to improve going forward.
Recognizing and avoiding phishing attacks is important, but one of the best measurements of lasting behavior change comes from employee-reported emails. “Reporting suspicious emails proves employees are recognizing both simulated phishing emails and real phishing attacks,” Schultz explains, “but it also goes one step further by supplying the security team with threat intelligence that can help them mitigate active attacks.”
Pushing The Boundaries Of Effective Security Awareness Training
The traditional once-a-year training approach that many organizations use is not the most effective way to keep cybersecurity top of mind for the entire year. According to Schultz, to keep an organization secure, employees need to be able to spot security threats and adopt security-conscious behaviors.
The goal is to go beyond the typical one-way delivery method of presenting the training and just hoping that it works, Schultz tells us. “Our aim is to help meet the security awareness training needs of our customers, help them advance and evolve their training programs themselves, and inspire employees to adopt those secure habits. Ultimately, changing the way they interface with technology.”
So, in a crowded awareness training market, what features should organizations look for when comparing solutions?
According to Schultz, engaging content should be a number one priority, in order to improve user retention and create a positive learning culture.
“We’re really trying to improve on the older traditional methods of security awareness training. We’re leaning really hard into engagement, using training episodes with fun themes and characters that employees can get to know and hopefully relate to,” Schultz says.
Infosec has built up an expansive library of content with various themes and styles that customers can choose from to launch high-quality training. This includes delivering in-the-moment phishing training: “As soon as someone clicks a simulated phishing link, we can deliver super relevant training on the spot, which is proven to be one of the most effective training methods.”
Moving away from long-form training and into more frequent and relevant micro-learning also works well to boost engagement, Schultz says.
“Also, gamification,” he says, “we launched a Choose Your Own Adventure® series where employees essentially play through their training, and that’s been really effective.”
Building A Strong Cybersecurity Culture
Much of the discourse around the subject of human error, and the breaches that result from it, has taken a them-vs-us tone, with a lot of focus on how employees are your biggest weakness and how the most vulnerable element of your cyber defense is your people. More recently, the talk around human error has moved away from assigning culpability and towards encouraging responsibility; Infosec is one organization currently looking at employees as part of the solution rather than the cause of all problems.
“Something you’ll hear a lot in this space is that employees are the weakest link in your cyber defense,” Schultz tells us. “It’s almost treating them like the enemy, as if because of them, you are doomed to fail. But the reality is employees don’t want to be the problem. They don’t want to cause a security incident. And it’s really not their fault that they are targeted by attacks.”
So, how can organizations strengthen their cybersecurity culture, without blaming employees?
“I’d say one of the most important things, or at least an important starting point, is fundamentally shifting what security is at an organization. So rather than security being a one-way street where the security or IT team pass down information or put policies in place that everyone needs to follow, it needs to be about building a supportive environment and allowing for some back-and-forth conversation.” This is what it means to build a solid cybersecurity culture.
“There isn’t a magic solution to building that relationship. It’s relationship building,” Schultz advises. Employees may be able and willing to participate in training, they may be able to pass the assessments you give them, but do they really feel like cybersecurity is relevant to them? Do they see it as part of their job, or do they see it as something the IT and security team should be handling?
Schultz tells us that the focus for Infosec has been to take a very data-driven approach to this issue, which led them to develop an entirely anonymous cybersecurity culture survey. This makes it possible to collect real opinions from employees, learn more about how they feel, and target the specific weaknesses that are then flagged up.
This offers insight into how employees feel about cybersecurity, as well as how they feel about communicating with IT, and whether they have misgivings about reporting mistakes out of fear that they will be punished in some way if they cause an incident. “If they feel like they are just going to be punished, then it’s probably to their benefit to not speak up and just hope nothing happens,” Schultz tells us. “And you can only know if your employees would be unwilling to report incidents to the security teams if you ask them. And then you’ll know what you need to improve on.”
There is no magic solution to solving this or any other issue, but there are always ways you can improve communication and form a much stronger employee relationship.
How To Implement A More Security-Aware Culture Today
Schultz’s advice for organizations currently struggling with the challenges of unsecured mobile devices, social engineering, ransomware, and other such attacks is to give employees a reason to care about cybersecurity.
“The way we see it, employees can be a strength, not a weakness. They can even be major contributors to your cyber defense.” Employees know that they are likely targets for cyber attackers, and the way to strengthen their commitment to organization-wide security is not to place on them the burden of blame, but rather to help them to understand the role they play in keeping the organization secure.
“Employees are not against the security team or the IT managers. We just need to give them a reason to actually care to engage with our awareness training efforts.”
Schultz advises that a good way to really bring employees into the fold, and to encourage them to consider security awareness as both part of their job and a valuable skill to take home with them, is to frame it as exactly that.
By positioning security skills as “life skills” that will not only be useful at work, but will also be good to take home and apply to their everyday lives, security awareness training becomes a mutually beneficial exercise. This is a better and more effective approach when it comes to bringing employees on board as assets, rather than treating them like walking security risks.
Thanks to Tyler Schultz for participating in this interview. If you’d like to learn more about Infosec IQ and how it works, visit their website here: Security awareness training & phishing simulations – Infosec (infosecinstitute.com)