It is well-known that people are the most important element of cybersecurity, yet many security awareness training programs fail to deliver the expected results. Why do employees fall into the same traps over and over, despite the regular training that companies put their users through?
The fact is, human error is a common and recurring cause of security breaches. In 2018, a whopping 88 percent of the data breaches reported to the U.K. Information Commissioner’s Office were attributed to human mistakes.
For cloud services, where strong security is a crucial requirement, the consequences can be dire. Cloud services are built with security-by-default configurations, yet over the last year, a number of cloud-related data breaches made the headlines, mostly as a result of users making changes without enough knowledge or concern about the consequences. The “2019 IBM X-Force Threat Intelligence Index” noted that “human error such as misconfigured cloud servers, unsecured cloud databases and improperly secured rsync backups were responsible for 43 percent of publicly disclosed misconfiguration incidents, resulting in a more than 20 percent increase since last year.”
Mitigating human errors, either accidental or induced by cyberattacks, is as essential as having solid technical controls. People are still the weakest link in the security chain, more than vulnerabilities on technology platforms. Meanwhile, attackers are growing increasingly sophisticated and achieving never-before-seen volumes and speed, with targeted attacks to individuals and specific end-user groups.
Why Are Companies Investing in Security Awareness Training?
There is a new demand for security awareness training as the market shifts from simpler, passive education toward a people-centric security strategy to address the needs of different user populations with different objectives, triggers and learning styles. This is a fast-growing segment of the security market that analysts have estimated to reach $10 billion by 2027.
Most companies have adopted security awareness training, from colorful posters advising users about bad password practices to periodic cybersecurity trainings that everybody has to complete every year. Yet most security organizations are struggling to prove the effectiveness of their security awareness programs, and the return on investment (ROI) of cybersecurity training.
Common barriers to success include an outdated perception of security as a specialized matter managed by a dedicated team and a one-size-fits-all approach that doesn’t consider the varying motivations and needs of different user segments. Assuming that security training is a quick fix is another common fallacy, as training needs to be reinforced periodically and aligned to evolving threats and vulnerabilities.
Delivering a successful security awareness training program goes beyond the security team. It requires a multidisciplinary effort across the organization, addressing people-related vulnerabilities and mitigating human-centric security risks with the right methods, tools and metrics.
An Overview of the Security Awareness Training Market
The market size for computer-based security awareness training in 2018 was around $480 million, and is expected to grow to around $660 million (47 percent growth) in 2019, according to Gartner.
As mentioned before, information security has been focused on renovating its technologies to help enable and securely perform business. However, renovation alone cannot protect the organization from exposure to social engineering or improve security culture. Security education is key to addressing social engineering and helping people recognize the potential risks of these attacks.
To address the risks, start by dividing your users into three categories:
- Management — Managers should be able to direct their employees to deal with everyday threats and foresee the risks that employees should be most aware of.
- Technical users — Technical users can have the biggest impact because they are responsible for delivering security by design. They should be able to continuously learn technical aspects of security and develop proper remedies to new threats.
- End users — End users should be able to understand what security entails in their daily work environment and distinguish between normal and abnormal activity.
When all three categories are integrated seamlessly, security leaders can better manage the organization’s compliance and risks and enable secure business operations.
Today, the total addressable market is about $2.5 billion and is expected to grow 40 percent every year until 2023. In this rapid and robust market, there are four categories of players that drive the market:
- Pure computer-based training players providing managed services. These players bring in products plus specialized services. Scaling and integrating these services into the larger security picture can be challenging, and pricing is always a concern. These entities tend to partner with managed service providers (MSPs), resellers and specialized players to deliver services.
- Big four and services providers. These vendors have the ability to scale, lower the total cost of ownership (TCO) for the client and offer subject expertise including quicker scale-up/scale-down. Services are integrated as part of overall security transformation services. Managed security awareness training is not usually offered as a separate service, but is built into larger consulting services. The big four do not invest in continuous management of security awareness and training.
- Small, niche players. Smaller players target micro/local markets and blend with the client team. These vendors rarely provide services to larger enterprises due to geographical constraints and an inability to deliver broad security services. There are many niche players, but they are often limited to their respective local or highly targeted markets.
- Do-it-yourself. This approach requires knowledge of the existing client environment, management and workforce dynamics. It may lead to higher costs and additional time, since the team must learn on the job. Hiring and retaining talent is another consideration; larger enterprises want to invest in their teams, but also look for productivity gains.
Your Security Awareness Program Must Address People-Centric Risks
Attack vectors are accelerated and multiplied by digital technology, expanding the attack surface well beyond the relatively simple phishing attack. Vulnerabilities related to user behavior can include misusing passwords, misconfiguring otherwise secure cloud services, disclosing inadvertently sensitive or confidential information on social media, or overlooking the dangers of movable storage, such as USB sticks.
According to IBM X-Force, inadvertent insiders represent one of the top threats of our time. These unwitting actors compromise company environments without malice; they leave “organizations open to attack … by falling for phishing scams or social engineering, and through the improper configuration of systems, servers, and cloud environments, and by foregoing password best practices.” According to FireEye’s “2018 Email Threat Report,” while email is still the preferred vector for cyberattacks, 90 percent of emails blocked didn’t contain malware, but exploited cognitive biases to press users to make poor security decisions. Tactics included impersonating a senior executive, pushing for urgency and creating a sense of familiarity.
At the most basic level, the methods for manipulating people’s behavior and tricking them into making errors have been the same since the dawn of civilization. For this reason, the Information Security Forum (ISF) emphasized the need for businesses to understand how psychological vulnerabilities are exploited and the proper ways to mitigate them. Understanding how employees make decisions in their daily roles and the cognitive biases that influence their judgment — from time pressure to decision fatigue — is the starting point to identify human vulnerabilities, define how to mitigate them and prepare users to protect the organization.
The individual’s critical role is cybersecurity is well-acknowledged. In fact, virtually every organization has, at minimum, a security awareness training initiative to address compliance needs and basic security requirements. However, there is a widespread perception that these programs are falling short of expectations. Understanding how your organizations values cybersecurity can bring interesting insights.
A common challenge is the misconception that security is a specialized, highly technical domain that is better left in the hands of the security team. For others, it merely represents additional, unwanted work that is easily ignored or quickly forgotten.
It can also be challenging to measure the success of a security awareness training program. This is partly because the impact of a cultural change is hard to quantify, and partly because chief information security officers (CISOs) themselves often lack good metrics. According to Forrester, despite their training, only 26 percent of global information workers “know what to do in the event of a security breach.”
The Organization’s Perspective
Security awareness training is nothing new, but it has traditionally been a very small portion of the overall security program. Often, the sole purpose is to satisfy compliance requirements and reinforce internal security frameworks designed to do the same. This is not an effective way to implement true security education, because it doesn’t speak to the individual’s critical role in protecting the organization’s assets.
As social engineering threats soar in both volume and sophistication, organizations have begun prioritizing security awareness training. This has led them to recognize the need to address a diverse range of factors in their security education initiatives, such as:
- User population;
- Threat type;
- Geography;
- Language;
- Culture;
- Industry;
- Return on investment; and
- Measurable effectiveness of the program.
Promote a Strong Security Culture, One User at a Time
Implementing a successful security awareness training program can be a multiyear journey, since it requires changing the culture and behavior of the workforce and careful consideration of the different needs and triggers of user groups. A successful program is built on continuous, active engagement of all employees, with top management leading by example.
Security training must address human-centric vulnerabilities at their roots. That means educating users about basic security hygiene to remove the causes of poor decision-making, such as complicated procedures that force users to take shortcuts.
Finally, it’s crucial to consider that different roles may have different cognitive biases, training needs and learning styles. What works for a call center operator may not suit a software developer, and a salesperson may fall for different types of attacks than a back-office administrator.
No matter the roles involved and the type of training required, one thing is certain and universal: Preparing your organization to identify and react to cyberattacks and avoid dangerous errors is a cornerstone of cybersecurity today.
Associate Partner, IBM Security