Almost daily, a cybersecurity breach makes the news, underscoring the importance of training employees to embrace their role in cybersecurity preparedness and response. An IT department can build a strong fortress of secure networks, hardware, and software, but a tiny crack in that infrastructure can result in widespread attacks on your networks and data, often due to human error. Studies show that 88% of data breach incidents are caused by employee mistakes.
Cybersecurity awareness is such an integral component in keeping organizations secure, yet awareness training is something that many organizations fail to prioritize. Even companies that implement security awareness training sometimes don’t get the expected results because the training is not engaging and memorable.
Register for our cybersecurity webinar with expert Suzanne Gorman of Global Learning Systems.
Organizations are increasingly at risk for cyberattacks
Social engineering, phishing and ransomware attacks are on the rise around the world. Globally, ransomware attacks increased by 151% in the first six months of 2021 compared to the first six months of 2020.
The bad guys only need to get one of your employees to click on a malicious link, and your systems and data are exposed. Not only do you risk financial and legal consequences as well as damage to your organization’s reputation, but recent cyberattacks have even caused human casualties. Gartner predicts that bad actors will move to weaponize operational technology environments for this very purpose in the next few years.
Your employees are the last line of defense in preventing a cyber breach, yet many workers don’t have the slightest idea how to recognize a threat.
Do phish testing to gauge security awareness
According to Cisco’s analysis of more than 620 billion internet requests from 190 countries, 86% of organizations had at least one user try to connect to a phishing site.
Simulated phish tests enable you to test employees’ security awareness and provide real-time remedial training when an employee falls for a phishing attempt. Implementing phish testing every month or so – and in different formats and languages – will keep employees vigilant and shore up your company’s defenses.
Review access protocols to prevent accounts from being compromised
Users love the freedom of having administrative rights on their local workstations. It lets them add or remove programs without reaching out to their IT department for assistance. This convenience also becomes a risk if their user accounts are compromised. Hackers could then:
- Install malicious software
- Move laterally around your network
- Disable antivirus protection
- Encrypt data, causing a ransomware event
Evaluate your company’s protocols for user access to proprietary systems and platforms. Be very selective in allowing administrative privileges on a workstation, and make sure employees understand the risks and their role in preventing attacks.
Secure privileged access to protect against cybercriminals
In an IT environment, “privileged access” – also referred to as “God-like privileges” – is a term used to designate special access or abilities above and beyond that of a regular user. Privileged access can be associated with human users as well as non-human users such as applications and machine identities. Protecting high-level admin accounts is a crucial component of a robust security strategy against external cyber threats, no matter the organization’s size or industry. Cybercriminals are looking for the big catch, and these accounts provide big wins for the bad guys.
As a best practice, privileged-access accounts should be reviewed to justify each user’s need. The accounts that remain should be closely audited to ensure proper use.
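One way to carry out the review described above for local workstations, as an added example that is not from the article or from Global Learning Systems: the script lists every member of each workstation's local Administrators group and reports any principal not on an approved list. The hostnames and the approved group names are placeholders, and the script assumes PowerShell Remoting is enabled and the Microsoft.PowerShell.LocalAccounts module is available on the targets.

```powershell
# Added example: audit local Administrators membership against an approved list.
# Assumptions (not from the article): the hostnames in $Computers and the
# principal names in $Approved are placeholders; adjust them for your environment.
# Requires Microsoft.PowerShell.LocalAccounts (Windows PowerShell 5.1+) on the
# targets and PowerShell Remoting enabled.

$Computers = @('WKS-001', 'WKS-002')   # placeholder hostnames

# Principals that are allowed to be local administrators; anything else is a finding.
$Approved = @(
    'Administrator',                    # built-in account (ideally disabled or LAPS-managed)
    'CONTOSO\Domain Admins',            # placeholder domain group
    'CONTOSO\Workstation Admins'        # placeholder delegated support group
)

function Get-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $ApprovedPrincipals
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    } | Where-Object {
        # Strip the machine name from local accounts ("WKS-001\jdoe" -> "jdoe") so the
        # comparison works the same way for local and domain principals.
        $name = $_.Name
        if ($_.PrincipalSource -eq 'Local') { $name = $name.Split('\')[-1] }
        $ApprovedPrincipals -notcontains $name
    }
}

$Findings = Get-UnapprovedLocalAdmins -ComputerName $Computers -ApprovedPrincipals $Approved

if ($Findings) {
    Write-Warning "Found $(@($Findings).Count) unapproved local administrator entries:"
    $Findings | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize
    # Keep a record for the periodic access review.
    $Findings | Export-Csv -Path '.\unapproved-local-admins.csv' -NoTypeInformation
} else {
    Write-Host 'No unapproved local administrators found.'
}
```

Run it on a schedule and diff successive CSV exports; a principal that appears between reviews is exactly the kind of unjustified privilege the review is meant to catch.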
Don’t let your C-level officers fall victim to cyberattacks
Another major target is your C-level officers, who are 12 times more likely to fall victim to a cyberattack than other employees. They have the keys to the kingdom, and unfortunately, access to their accounts can provide an immense amount of insight into the workings of an organization. Furthermore, C-level executives usually allow their administrators to access their passwords and many of their accounts. So, when a “whale phish” is presented to either party, are they trained to identify the threat and act accordingly?
Role-based training for organization leaders will educate the C-suite about their unique vulnerabilities and how to avoid compromising sensitive data.
Recognize and report security issues quickly
The longer a security incident goes unreported and not investigated, the greater the potential consequences. Employees need explicit instructions on how to report security incidents and suspicious behavior, and they need to know that they will not face ramifications for doing so.
Set up a phone hotline or email address to report security concerns and unusual behavior. Promote the hotline and keep it top-of-mind by placing stickers on every employee’s and consultant’s laptop or issuing mouse pads with security messages and hotline information.
Investigate suspicious behavior and malicious acts
Many organizations have had to deal with malicious acts caused by insiders, whether employees or consultants. As you train your employees to be security-aware, you also need to train them to be aware of their surroundings and report individuals who exhibit suspicious behavior.
Consider this actual security breach: An employee reported suspicious behavior of a co-worker who was sending out disparaging emails about the company. The legal team and HR decided that the event did not warrant a security investigation, but the offending employee was terminated. Months later, it was discovered that this individual was still sending disparaging emails, but with information he could only know if he still had access to the data center. This revelation prompted a forensic investigation. It turned out the employee had installed a keystroke capture program on each machine within the data center, and files were being sent to him remotely. The United States Secret Service was notified and investigated, and an arrest was made.
Having an incident response plan in place will give your organization the framework to properly and thoroughly investigate reported incidents, including malicious acts.
Take these steps to remedy human error in cybersecurity
Security infrastructure and software controls are only part of the solution to protect your organization from cyberattacks. Your workforce is your last line of defense against hackers and should be your strongest. Therefore, training employees about their role in cybersecurity is key to changing behavior and creating a security-minded culture. Security awareness training is never a one-and-done training event; it is a journey with no destination, and it must be continuous to be effective.
Make sure your training addresses incident response and the responsibilities of participants in all departments and at all levels. Take participants through the process of dealing with a simulated incident scenario and provide hands-on training that will highlight flaws in your incident response plan.
Is it time for your organization to get started with security awareness training or elevate the effectiveness of your existing program?
Suzanne Gorman, CISSP, CRISC, is Vice President and Information Security and Risk Management Evangelist at Global Learning Systems, a leader in security awareness training and OpenSesame partner.