The pressures on a CISO are extensive and extend well past concerns about incident response time. There is pressure to maintain budgets, to report improved performance to stockholders, and, while the breadth and number of cyberattacks keep increasing, to find qualified candidates for a considerable number of unfilled positions. Where does cybersecurity training fit into a CISO’s responsibilities, and how much time should be allotted to the task?
The most underfunded area of cybersecurity is employee training in how to defend against attacks. CISOs are seeing more value in awareness training and phishing simulation programs each year. The Bromium report suggests that large enterprises spend an average of $290,033 per year on phishing awareness training alone. But does that spending correlate with results? The average phishing attack costs $1.6 million, based on a study by Cloudmark. That is a difference of more than five to one, which makes cybersecurity awareness training well worth the time and money spent. By 2027 the market for security training is predicted to reach $10 billion, according to Cybercrime Magazine.
Stu Sjouwerman, CEO of KnowBe4, a security awareness training company, states, “In the last five years, something called new-school awareness training has taken off, which combines interactive training in the browser with frequent simulated phishing attacks straight into the user’s email inbox. This has proven to be very effective in creating a human firewall which is the last line of defense.”
In addition to being more effective than static PowerPoint training, the new style of training has a benefit that appeals to the C-suite. “I would say that new-school awareness training has by far the best ROI of any security layer,” Sjouwerman maintains. “You see, Phish-prone percentages go from an average of 15 to 20 percent down to one to two percent after a year,” he adds. Cybercriminals ramped up phishing attacks by over 667% in March 2020, and attacks will likely continue to increase as employees move from office buildings to home offices during the continuing pandemic.
Awareness is the first line of defense, and every company that prioritizes it sees a significant drop in successful breaches. Employee ignorance of possible threats will defeat phishing filters, network access controls, advanced firewalls, and endpoint scanning tools. Employee education lies at the core of the cybersecurity problem, and the education employees receive has to come from reliable sources.
Chubb’s Third Annual Cyber Report states that 35% of small business employees learn about protection against cybersecurity risks from mainstream media and 34% from family and friends. Only 19% report that they learn about cybersecurity protection through their employer. This means the vast majority of the workforce lacks the skills needed to protect their business, and as a result employees and individuals are unable to recognize an attack while it is taking place.
Security awareness training should be an ongoing program requirement, and simulated phishing attacks should be biweekly to be effective. Successful cybersecurity awareness programs take a comprehensive and continuous methodological approach that considers an organization’s specific needs and objectives.
Kathy Hughes, CISO at Northwell Health: “Protecting patient data is our number one priority. I often ask the question when I give talks and presentations, ‘how many people do you think are on my security team?’ You get answers that are 5, 10, 20, but no, it’s 67,000.” (Every single one of their employees.)
It follows that cybersecurity awareness begins and ends with every employee in an organization. A CISO should be mindful of these three facts:
Work with human behavior, not against it. Two continuums drive human behavior: pleasure and pain. We all gravitate towards behaviors that bring pleasure and move away from pain. With cybersecurity, the ease or comfort of staying the same becomes a greater risk than the pain of change. We don’t want to suffer a data breach before we ask our employees to change their behavior. A CISO’s responsibility is to provide the knowledge that educates the organization about the painful realities of remaining stagnant.
Exploring tactics for changing behavior is step one. Examine the importance of intrinsic motivation, and take into account the environment in which the behavioral change is happening. Our environment has a significant impact on our actions, and changing the employee’s surroundings makes it easier to follow the rules without having to work at staying motivated.
Bad choices lead to undesirable outcomes. Minimize distractions; encourage water, healthy snacks, and regular breaks. Encourage good practice by offering convenient, simplified ways to report possible security breaches. Treating security awareness as a box that simply needs to be checked is a mistake. Effective security awareness programs need to be engaging, supported by executives and management, and focused on changing employee behavior.
And before you ask your employees to change, you must be willing to do the same. Securing your organization through the reach of your employees should be the priority. If you have resisted putting a Security Manager in place because of budget constraints, reevaluate.
Stolen or compromised credentials and cloud misconfigurations were the most common causes of malicious breaches, representing nearly 40% of malicious incidents. With over 8.5 billion records exposed in 2019, attackers used previously exposed emails and passwords in one out of five breaches. A CISO should rethink the organization’s security strategy by adopting a zero-trust approach. Have Threatrix software in place, which provides role-based access control: it authenticates users and governs the extent of access each user is granted.
What employees do matters more than what they know. 40% of employees have admitted opening an attachment from an unrecognized sender. While it is difficult to change human behavior, training can successfully instill best practices for the long term. The single most influential factor in a person’s working context is their relationship with their manager, so changing the context means managers doing something differently.
To increase a sense of autonomy, managers should involve people, get the tone right, and offer choices. Present the requirements as a challenge instead of a change, and appeal to people’s pride. Build connection by involving everyone: ask why it matters and what the benefits of change are, explain the reasons for the change, and make it personal and practical.
Your company needs a security culture. Not every employee cares. There will always be individual employees who think cybersecurity does not apply to them and who will continuously ignore the rules. Some employees don’t care because your organization hasn’t told them that caring is part of their job. Employees need to be taught on their first day that the organization requires a specific level of vigilance regarding cyber threats. Show employees how they are at risk at home and at work, and how their actions can make a difference in both places.
Security firm Trend Micro surveyed more than 13,000 remote workers across 27 countries for its latest Head in the Clouds survey, which sought to compile an understanding of attitudes towards cybersecurity risks. 72% of respondents claimed to have gained better cybersecurity awareness during the pandemic, with 81% agreeing that workplace cybersecurity is partly their responsibility.
Despite this, the findings highlighted a disconnect between employees being more aware of risks and putting that knowledge into practice. 34% said they did not give much thought to whether the apps they use are approved by IT if it meant getting their work done. 29% said they used non-work applications because they believed the solutions provided by their company were ‘nonsense.’ A one-size-fits-all security awareness program is therefore a non-starter.
This is where the pain end of the continuum comes into play. Explain that each employee has a personal stake in the company’s data. Attackers don’t only seek out company information; employees’ personal data is also at stake.
In May 2020, hackers broke into a human resources database owned by the outsourcing group Interserve and stole information on current and former employees, including bank details, addresses, payroll information, next of kin, and pension information.
This is one of many breaches over the last five years that have led to the theft of employees’ data. Employees who don’t think they can be personally affected need to be educated about the reality of the world we all now live in.
As with every aspect of a CISO’s job, nothing happens overnight. Changing the security culture of your organization takes time. Set reasonable expectations with time-bound goals for employee engagement. Stay on the path with a positive mindset and engaging activities, and your perseverance will pay off.