The pressures on a CISO are extensive and extend well past concerns of incident response time. There are the pressures of maintaining budgets, reporting improved performance to stockholders, and, at a time when the breadth and number of cyberattacks are increasing, the challenge of finding qualified candidates for a considerable number of unfilled positions. Where does cybersecurity training fit into the list of a CISO's responsibilities, and how much time should be allotted to the task?
The most underfunded area of cybersecurity is employee training on how to recognize and defend against attacks. CISOs are seeing more value in awareness training and phishing simulation programs each year. The Bromium report suggests that large enterprises spend an average of $290,033 per year on phishing awareness training alone. But does the money spent correlate with results? The average cost of a phishing attack is $1.6 million, based on a study done by Cloudmark. That is more than a five-to-one difference, clearly making cybersecurity awareness training well worth the time and money spent. By 2027 the market for security training is predicted to reach $10 billion, according to Cybercrime Magazine.
Stu Sjouwerman, CEO of KnowBe4, a security awareness training company, states: “In the last five years something called new-school awareness training has taken off, which combines interactive training in the browser with frequent simulated phishing attacks straight into the user’s email inbox. This has proven to be very effective in creating a human firewall which is the last line of defense.”
In addition to being more effective than static PowerPoint training, new-school training has a benefit that appeals to the C-suite. “I would say that new-school awareness training has by far the best ROI of any security layer,” Sjouwerman maintains. “You see Phish-prone percentages go from an average of 15 to 20 percent down to one to two percent after a year,” he adds. Cybercriminals ramped up phishing attacks by over 667% in March 2020, and attacks will likely continue to increase as employees move from office buildings to home offices during the continuing pandemic.
An employee who is unaware of possible threats can undermine phishing filters, network access controls, advanced firewalls, and endpoint scanning tools. Awareness is the first line of defense, and each company that makes it a priority sees a significant drop in successful breaches. Employee education lies at the core of the cybersecurity problem, and the education employees receive has to come from reliable sources.
Chubb’s Third Annual Cyber Report states that 35% of small business employees are learning about protection against cybersecurity risks from mainstream media and 34% from family and friends. Only 19% report they learn about cybersecurity protection through their employer. This means the vast majority of the workforce doesn’t have the necessary skills to protect their business. And this results in employees and individuals not being able to identify an attack when it is taking place.
Security awareness training should be an ongoing program requirement, and simulated phishing attacks should be run biweekly to be effective. Successful cybersecurity awareness programs incorporate a comprehensive and ongoing methodological approach that takes into consideration an organization’s specific needs and objectives.
Kathy Hughes, CISO at Northwell Health: “Protecting patient data is our number one priority. I often ask the question when I give talks and presentations, ‘How many people do you think are on my security team?’ You get answers that are 5, 10, 20, but no, it’s 67,000.” (every single one of their employees)
It’s logical that cybersecurity awareness begins and ends with every employee in an organization. A CISO should be cognizant of these three facts:
Work with human behavior, not against it. Two continuums drive human behavior: pleasure and pain. We all gravitate towards behaviors that promote pleasure while moving away from pain. With cybersecurity, the ease or comfort of staying the same becomes a greater risk than the pain of change. We don’t want to reach the point of suffering a data breach before we ask our employees to change their behavior. It is a CISO’s responsibility to provide the knowledge necessary to educate their organization on the painful realities of remaining stagnant.
Exploring tactics on how to change behavior is step one. Examine the importance of intrinsic motivation. Take into account the environment in which behavioral change is happening. Making changes to the employee’s environment makes it easier to follow the rules without having to work at staying motivated. Our environment makes a large impact on our actions.
Bad choices lead to undesirable outcomes. Minimize distractions, and encourage water, healthy snacks, and regular breaks. Encourage the desired behavior with convenient and simplified ways to report possible security breaches. Treating security awareness like a simple box that needs to be checked is a mistake. Effective security awareness programs need to be engaging, supported by executives and management, and focused on changing the behavior of employees.
And before you ask your employees to change, you must be willing to do the same. The security of your organization, achieved through the reach of your employees, should be the first priority. If you have been resistant to putting a Security Manager in place due to budget constraints, then reevaluate.
Stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach, representing nearly 40% of malicious incidents. With over 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches, CISOs should rethink their security strategy by adopting a zero-trust approach. Have Threatrix software in place, which provides role-based access control: it authenticates users and determines the extent of access each user is granted.
What employees do matters more than what they know. 40% of employees have admitted to opening an attachment from an unrecognized sender. While it is difficult to change human behavior, instilling best practices for long-term behavior can be successful. The single most influential factor in a person’s working context is their relationship with their manager, so changing the context means managers doing something differently.
To increase a sense of autonomy, managers should involve people, get the tone right, and offer choices. Present the requirements as a challenge instead of a change, and appeal to their pride. Boost connection by involving everyone. Ask them why it matters and what the benefits of change will be, explaining the reasons for change and making it personal and practical.
Not every employee cares. There will always be individual employees who think cybersecurity does not apply to them and will continuously ignore the rules. Your company needs to have a security culture. Some employees don’t care, because your organization hasn’t told them that caring is a part of their job. Beginning with their first day of employment, employees need to be educated that the organization requires a specific level of employee vigilance when it comes to cyberthreats. Show employees how they are at risk at home and work and how their actions can make a difference in both locations.
Security firm Trend Micro surveyed more than 13,000 remote workers across 27 countries for its latest Head in the Clouds survey, which sought to build an understanding of attitudes towards cybersecurity risks. 72% of respondents claimed to have gained better cybersecurity awareness during the pandemic, with 81% agreeing that workplace cybersecurity is partly their responsibility.
Despite this, the findings highlighted a disconnect between employees being more aware of risks and them putting this knowledge into practice. 34% said they did not give much thought to whether the apps they use are approved by IT if it meant getting their work done and 29% said they used non-work applications because they believed the solutions provided by their company were ‘nonsense’. Hence having a one-size-fits-all security awareness program is a non-starter.
This is where the pain end of the continuum comes into play. Explain that each employee has a personal stake in the company’s data. Attackers don’t only seek out company information. Employees’ personal data is also at stake.
In May 2020, the outsourcing group Interserve had hackers break into a human resources database owned by the firm and steal information on current and former employees. This included bank details, addresses, payroll information, next of kin, and pension information.
This is one of many breaches over the last 5 years that have led to the theft of employees’ personal data. Employees who don’t think they can be personally affected need to be educated about the reality of the world we all now reside in.
Changing the security culture of your organization takes time. Like every aspect of a CISO’s job, nothing happens overnight. Set reasonable expectations with time-bound goals for employee engagement. Continue on the path with a positive mindset and engaging activities, and your perseverance will pay off.