By Suzanne Gorman, CISSP, CRISC
To reduce the risk of a cyberattack, organizations must confront the fact that humans are their biggest risk. With limited memories and susceptibility to emotional pressure, employees are prone to making mistakes that make companies vulnerable. The best way to protect your organization from cyberattacks is to train your employees regularly, so they have the relevant knowledge and skills to remember what to do if confronted with a potential attack.
Increasing costs of cyberattacks
Cyberattacks are everywhere. The IBM/Ponemon Institute’s 2021 Cost of a Data Breach Report put the average cost of a data breach in 2021 at $4.24 million, a 10% rise from the 2020 findings. Costs were even higher when remote working was a factor in causing the breach, rising to $4.96 million. The United States had the highest average total cost of a data breach for the 11th year in a row.
Business email compromise (BEC) was responsible for only 4% of breaches but had the highest average total cost of the 10 initial attack vectors in the 2021 study, at $5.01 million. The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million) and compromised credentials ($4.37 million). All of these figures could be reduced with proper security awareness and anti-phishing training.
What is security awareness training?
Security awareness training (SAT) is an indisputable need for any company with employees and an online presence. SAT programs play a significant role in creating a security culture by teaching all aspects of cybersecurity and regulatory compliance procedures that are crucial to protecting organizational computers and other devices, systems and data. Leading courses present best practices in an engaging and memorable way, so learners understand the methods and are motivated to carry them out daily. A comprehensive program should cover the following topics, including the whys and hows of:
- Basic security hygiene, including IT policies
- Remote workspace and home office security
- Business email compromise
- Mobile device security
- Cybersecurity while in public (proper use of VPN)
- Data privacy, classification, handling and protection
- Spotting and thwarting malware
- Password protection
- Social engineering scams
- Online security
Numerous laws and industry regulations require security awareness training to ensure that employees have been taught the basic security practices that protect organizational data. For example, HIPAA and the Gramm-Leach-Bliley Act (GLBA) both have security awareness training requirements, as do PCI DSS and ISO/IEC 27002. In addition, employees of the federal government and many state governments are required to take annual SAT.
What is anti-phishing training?
Anti-phishing training is another essential cybersecurity topic for employees. Phishing attacks have increased exponentially over the last decade and can now be quite sophisticated and difficult to detect. Targeted messages, known as spear phishing and business email compromise, deliberately use tactics that evade anti-phishing software filters and often come from hijacked legitimate business email accounts. They are commonly used for information gathering, and people share confidential details because there are so few indicators that the messages are illegitimate.
While security awareness training usually touches on the risks of social engineering scams, most of the learning material and practice opportunities in an SAT course focus on protecting hardware, networks and data. In contrast, anti-phishing training is laser-focused on explaining the many common types of phishing messages, how to spot them and the actions to take to fend off their tricks and scams. This targeted attention is especially useful considering that BEC scams caused the highest financial losses of all scams, as reported in the 2021 Cost of a Data Breach Report.
Fortunately, research indicates that training employees to recognize and report phishing messages is an effective mitigation strategy, especially when repeated at regular intervals to keep it top of mind for all employees.
Combining security awareness training and anti-phishing training
As we mentioned earlier, employee error is the most common cause of data breaches. People without IT expertise often don’t recognize threats when they occur, nor do they have a good understanding of the daily actions that leave a company vulnerable to an attack. Almost every list of data breach protections includes regular employee training – because it works.
When considering security awareness training and anti-phishing training, recognize that it is not an either/or decision. Both types of courses are proven means of changing risky employee IT behaviors that can lead to security compromises.
Use security awareness training to educate your staff about common dangers like unsecured networks and password reuse, while also demonstrating secure behaviors like using multi-factor authentication, regularly backing up data and avoiding printing sensitive data – especially when working from home.
Meanwhile, anti-phishing training is essential for focusing users on the various types of phishing messages and their risks (fraudulent links, malware, credential harvesting, etc.) and for providing targeted practice in identifying these messages among the volumes of email they filter every day.
All brains have an element of plasticity that allows us to learn by creating new neural pathways. As we age, our brains become less plastic, so adult learners sometimes need additional review to retain new knowledge. Alternating courses so that employees receive training – ideally in different formats – every few months is a practical way of addressing this fact of life while also reinforcing your organizational security culture and improving your company’s security posture.
For more information on Security Awareness Training and Anti-Phishing Training, check out available courses from Global Learning Systems in the OpenSesame course catalog.
Suzanne Gorman, CISSP, CRISC, is Vice President – Information Security and Risk Management Evangelist at Global Learning Systems, a leader in security awareness training and OpenSesame partner.
Watch OpenSesame’s on-demand webinar with Suzanne Gorman to hear more from the cybersecurity expert.