Companies experiencing a cyberattack certainly are not thinking about fun when they deal with the results. There’s a good chance that the breach happened because security awareness wasn’t a focus for an employee who simply clicked the wrong link or accessed the wrong website. Employees need to be educated about cyber risks, but training can be boring and tedious.
An Expert’s Take on Cybercrime Awareness
Nick Santora of Curricula, a security awareness training company, offered some advice to help security leaders make training accessible, entertaining and effective. He also discussed how education can reduce the frequency and impact of cyberattacks.
Question: Why is cybercrime awareness education the best way to prevent future attacks?
Santora: According to a past IBM Cyber Security Intelligence Index report, 95 percent of security breaches are caused by human error. With stats like this, it’s hard to ignore the fact that there may be more to cybersecurity beyond the firewalls, antivirus, appliances and other tools used to protect businesses from cyberattacks. Humans play an integral part of an organization’s cybersecurity program, and we need to realize that humans will continue to become one of our biggest risks to our organizations. Our goal is to make people our biggest asset.
We can do this by making education a priority. From the boardroom down to the water cooler, cybersecurity needs to be a topic that we are all familiar with. Ignoring cybersecurity, especially at the leadership level, would be like saying, “I don’t know how to read.” Cybersecurity is an integral part of business operations and must be openly discussed throughout the organization. Leadership must understand that education about cybersecurity applies to everyone in the organization and is not just left to the IT or security staff to understand.
How can training make a difference in preventing cyber intrusions?
Santora: All it takes is a simple phishing attack or a curious employee to be the difference between a successful attack or not. Hackers use so many different attack vectors to bait employees. They use everything from free offers to steal account credentials to targeted phishing emails that look just like everyday business emails.
It doesn’t stop there: Leaking important data outside of the organization, removable media that is infected and even physical security are all part of the picture. Each employee plays an important role in the organization on defending against cyberthreats. It is important that your employees know the role they have in the organization and what they can do to help prevent a cyberattack.
What methods are companies currently using to train employees? Are they effective?
Santora: We know that cybersecurity education is important, so what is the challenge to educate employees so the training is actually effective? Let’s start with what most current security awareness training looks like and where the challenges are.
Most organizations treat security training as check-the-box type of activity. Security training is bunched together into a half-hour, death-by-PowerPoint presentation right when an employee joins the company. This is alongside dozens of other pieces of HR paperwork for the employee to complete. Right away, security is seen almost as a roadblock rather than an integral part of their jobs. The sad part is that this employee may never get another piece of security awareness training again, or if they do, it comes in December, along with all of the other HR paperwork that needs to be done.
So separating security training from the more general onboarding information onslaught can make it stand out?
Santora: Employees need to connect to the information in a way that is relatable to their personal lives. Most security training is put together either by HR or a team of lawyers, which makes it sound very corporate and not really identifiable from the employee’s perspective. What happens is, although the intent is great, employees cannot recall information that is thousands of words on a screen in legal language. They cannot connect with the information they are being told in a way that is personable and makes sense. They become overwhelmed with slides, images that are copied from a Google search and lengthy words on a screen.
So that brings me to content. Believe me — your employees don’t want to read a book about cybersecurity. They want to understand the basic principles and how it applies to them. Security awareness should be fun — not another boring training session that is to be forgotten just hours later.
Is there a best practice to get the message to employees that’s different from the standard jargon-based documentation?
Santora: In order to create great content, think about how marketing agencies deliver their message. They spend a significant amount of time on the message they are trying to deliver to their audience and make it as concise as possible. This is the same effort you should be doing in your security training. You also need to supplement that message with attractive graphics, videos, images and anything else that can grab the employee’s attention. This is not easy, and requires a team of dedicated designers, communicators and, most importantly, experts that know what message to deliver.
Employees need to be surrounded by security as it becomes part of their everyday environment. They should understand the decisions they make daily can affect the business that they work for, their peers and themselves. Subtle and concise communication is key to an effective program. Awareness is a long-term activity and requires the use of multiple media, channels and other interactions to attract an employee’s attention and make the message stick.
What should enterprises do to prevent cyberattacks such as WannaCry and Petya, and even social engineering?
Santora: One of the best investments an enterprise can make is to create a security awareness program. There is no reason to reinvent the wheel when there are security awareness companies dedicated to providing such as service. Let your organization focus on its core competencies and use a partner to help guide your security awareness program in the right direction.
Building a security culture in your organization is not going to happen overnight. [But] building a security culture will pay off for the future for your organization, and create a layer of protection that starts with your employees.
Lastly, reward and incentivize your employees for great security behaviors. Think about the ways your organization rewards employees in other areas. Think about motivation strategies with long-term incentives for your employees. This is only the beginning of the types of attacks we will continue to see targeting our organizations, so now is a great time to start building a strong cybersecurity culture.