Enterprises spend nearly $100 billion a year on cybersecurity, and despite sophisticated IT security defenses, one weak link – employees – remains a major vulnerability.
Many attacks are stopped by firewalls, endpoint security products and advanced threat protection solutions, but somehow scammers keep getting past these and other defenses. As frustrating as it is to see expensive, enterprise-grade security solutions fail to completely protect a company's data and its workers, technology is not entirely at fault. A 2017 survey from Wombat Security Technologies revealed that nearly a third (30 percent) of employees don't know what phishing is. To make matters worse, ransomware is an unknown concept to nearly two-thirds of workers.
Who's to blame for this sorry state of affairs? Employers are, to an extent.
A few years ago, Enterprise Management Associates (EMA) conducted a survey that found that more than half (56 percent) of employees, not counting IT staffers and security professionals, had not received security awareness training. And when they did get training, there was no guarantee that it would take hold. Only about half (48 percent) of organizations said they measured the effectiveness of the training.
According to eSecurity Planet's 2019 State of IT Security survey, email security and employee training are the top problems faced by IT security pros, making this an important area to double down on your efforts.
So we've put together some advice that can help businesses implement an effective IT security awareness training program for employees. First, though, more on the hazards today's typical office worker faces to get a sense of where your greatest vulnerabilities lie.
Phishing and ransomware top employee security concerns
As a productivity tool, the email inbox has proven to be both a blessing and a curse.
Among the types of attacks that workers often fall for, "phishing, spear-phishing and/or whaling" is number one, according to Dan Lohrmann, CSO at security awareness training provider Security Mentor.
"Remember that phishing can happen with people clicking on links in emails, but also via social media and even phone calls," Lohrmann said. Also, people are still opening attachments from strangers, he added. Social engineering essentially involves running a con, using email or a phone call, to gain access to a protected system or information through deception. In the case of spear-phishing or whaling, both terms for more targeted attempts at scamming important high-value individuals, a considerable amount of effort can go into fooling victims.
Lance Spitzner, director of Security Awareness at the SANS Institute, cautioned that scammers like to use social engineering to make their victims jump to attention and get hearts racing.
"The most common tactic cyber attackers use is creating a sense of urgency, pressuring or rushing people into making a mistake," Spitzner said. "This can be a phone call where the attacker pretends to be the IRS stating your taxes are overdue and demanding you pay them right away, or pretending to be your boss, sending you an urgent email tricking you into making a mistake."
Research from Cofense, home to the PhishMe simulation program, shows that workers tend to lower their guard when money is involved.
During the first half of 2018, the company's active threat simulations revealed that that 'attached invoices' requesting payment, 'payment confirmation' and 'document sharing' remain difficult for users to avoid, said John "Lex" Robinson, anti-phishing and information security strategist at Cofense. "All these models involve the exchange of money, an emotionally charged topic that elicits strong responses," he said.
Some attackers don't care much for stealing valuable information. Instead, they use malware that encrypts a victim's files and holds them hostage without ever transferring the data. They demand a ransom for the encryption key that restores access to those files, hence the term ransomware.
More than a quarter (26 percent) of ransomware attacks hit business users in 2017, according to a report from Kaspersky Lab. Between the second quarter of 2016 and second quarter of 2017, small and midsized businesses paid over $300 million to ransomware attackers, according to a survey from data backup specialist Datto.
"Ransomware and phishing continue to be the most common attacks users are falling for," observed Rob Clyde, chair of ISACA and executive chair of White Cloud Security. "Moreover, attackers often find that it is easier to make money using ransomware attacks."
Good data protection practices, particularly maintaining regular backups, makes ransomware more of an inconvenience than a cripplingly expensive cybersecurity incident, although IT security teams and administrators will likely have their hands full sanitizing affected systems.
Employee security awareness tactics that work
It may seem like an uphill battle, but there are ways businesses can arm their employees against these and other devious methods attackers use to scam businesses out of sensitive information or their cash.
Here's what to consider while evaluating a security training awareness vendor or creating a program of your own.
1. Start on Day One
When a new employee comes onboard, security training typically takes a back seat to filling out HR paperwork, being assigned to a work area and getting issued a laptop. Brandon Czajka, virtual chief information officer at Switchfast Technologies, believes in getting employees ready for the cybersecurity threats they'll encounter during any given workday from the moment they accept a job offer.
"There are several security training vectors available out on the market that can easily be incorporated into an organization's new hire onboarding process or used as a frequent means of keeping these threats front of mind," Czajka said, noting that many are similar in this regard.
2. Watch emerging threats
The cybersecurity landscape can change drastically in no time at all, that's why it's important to use a security training awareness vendor or service that keeps its finger on the pulse of the market so that employees don't wind up blindsided by the latest scam.
"Ultimately, it is best to select a training platform that not only defines past data breaches and how organizations responded to them – learning from past mistakes – but also one that keeps the training material up to date with new breaches as they occur in real time," Czajka said.
3. Practice makes perfect
Simulations are used to sharpen the reflexes of air pilots and military personnel in challenging situations and to teach them how to respond. Similar information security training can expose employees to the latest deceptions and attacks, helping them guard against risky behaviors that can lead to data breaches.
Cofense's Robinson advocates a similar "learning by doing" approach to block security threats that workers may encounter during the course of their jobs.
"This is best accomplished through the use of active threat simulations that provide the end user an experience they will remember and a new action to take; in the case of phishing, the new action is reporting [the threat]," said Robinson. Organizations that fail to instill this mindset lose the ability "to address and mitigate threats in real time," he added.
4. Explain why
Learning with the immediate feedback provided by security simulations can help concepts stick, but companies can go further by making it clear why the training is important.
"User engagement is further driven by transparency within an organization," Robinson said. "To that end, awareness and training materials need to clearly outline why security is important both at work and at home. In other words, make the training personal."
5. Fix the password problem
Weak, reused and easily guessed passwords continue to be a major security weak spot. A 2017 study from F-Secure found that 30 percent of CEOs had a service linked to their company email hacked and the password leaked. Another survey from Dashlane found that nearly half (46 percent) of employees use personal passwords to protect company data.
Making employee security training engaging
If you want employee security awareness training to work, you need to learn how to engage your audience. Here's how.
Know your audience
Messaging matters, and effective training programs tailor their content to their audiences.
"The message is different for a group of government internal auditors than for a room full of COs from large companies," Security Mentor's Lohrmann said. Other factors to consider include jargon, current hot-button issues, the order in which speakers or instructors appear and topics to broach, along with preparing for questions that are likely to be raised.
Motivate for change
"This is all about understanding culture, communication and emotion," said ISACA's Spitzner. "Unfortunately, a lot of technical people are not strong in this area; this is where you need communications or marketing majors."
Unleash your inner storyteller
Droning on about the technical aspects of a cyberattack is a surefire way to lose an employee's interest. "Audiences love cyberwar stories," Lohrmann advised. "People remember stories much more than facts and figures."
Make learning interactive
Get the crowd involved to help employees retain the material presented to them. At the very least, ask for a show of hands and pepper sessions with questions for a more engaged audience, said Lohrmann.
Ever walk out of a training session without learning something new? Avoid this by presenting content "in a fresh way with a new twist, facts, figures, stories, etc.," Lohrmann advised. "Offer fresh insights or practical tips that the audience can implement right away to help at home and work."
What is the point of raising staff security awareness if a program falls short on the "awareness" part?
"You need the ability to measure those changes in behavior and the overall impact those changes are having to your organization," cautions Spitzner.
Effective online training
The secret to good and effective online training is keeping it "brief, frequent and focused on a single topic," Lohrmann said. Additionally, it should be ongoing to help users keep up with the latest trends. Echoing some of the themes above, it should also be engaging, entertaining and interactive.
Employee security awareness training vendors
Here are some vendors that can help you implement an employee security awareness training program:
- Wombat Security
- Symantec Security Awareness
- Digital Defense
- Inspired eLearning
- Barracuda PhishLine
- Global Learning Systems
- InfoSec Institute
- Security Innovation
- Security Mentor