Cyberattacks on businesses increased during the pandemic and have continued at high levels since. Fortunately, businesses have responded and are taking cybersecurity seriously and have increased investment in cybersecurity. Data from ESG research suggests 65% of organizations are planning to increase investment in cybersecurity in 2023. While there is room for improving technical defenses to block more attacks and identify and address vulnerabilities faster before they can be exploited, it is important not to neglect the human element, which according to Verizon’s 2022 Data Breach Investigations Report, is a factor in 82% of data breaches.
While simple errors can easily lead to data breaches, many are the result of a lack of understanding of security. There is also a common view among employees that cybersecurity is the sole responsibility of the IT department. It is true that one of the roles of the IT department is to ensure that technical measures are implemented to block cyber threats and that vulnerabilities are identified and addressed promptly, but even companies that invest heavily in IT security still suffer data breaches, and that is because even sophisticated defenses can be bypassed.
Technology and hardware will block the majority of threats, but employees are still likely to encounter phishing, social engineering scams, business email compromise, and malware, and need to be provided with proper education to improve awareness of those threats and be taught the skills to allow them to identify and avoid cyber threats. The workforce needs to be educated on all aspects of security, not just how to identify a phishing email. Take password security for example. Password policies can be implemented, and employees provided with password managers, but as the recent credential stuffing attack on NortonLifeLock users revealed, many users of that password manager set a master password for their password vault that had been used elsewhere on the internet, which allowed the hackers to access their accounts.
By providing security awareness training, businesses can improve the baseline knowledge of the workforce, make sure everyone is aware of the threats they are likely to encounter, and security best practices can be taught, along with the importance of always following those best practices. The ultimate aim of security awareness training is to develop a security culture, where everyone in the organization understands that they have a role to play in the cybersecurity of the organization and that cybersecurity is not just a matter for the IT department.
Unfortunately, it is not possible to get to that point overnight. Providing a one-time security awareness training session is not enough and even conducting annual training sessions is unlikely to result in behavioral change. For training to be effective and to change employee behavior, training needs to be provided continuously, with short training sessions conducted regularly throughout the year. Training also needs to be individualized. There is no point in providing a single training course to every employee, as training needs to be role-specific and cover the specific threats each employee is likely to encounter.
The training also needs to be engaging to get employees to take the information on board, and training needs to be regularly reinforced. One of the best ways to do this is through phishing simulations, which test whether employees have understood the training and if they are applying that training day in, day out. Employees should also be empowered to help with cybersecurity by providing a phishing reporting button as an email client add-on, so they can alert the IT department when a suspicious email is encountered. Organizations that provide their workforce with training using the SafeTitan platform and conduct regular phishing simulations through the platform report significant improvements in security. Phishing simulation data also shows improvements in employee susceptibility to phishing attacks, with organizations seeing reductions of up to 92% in click rates by employees.
With 2023 looking like it will be another year with high levels of cyberattacks, January is the ideal time to review your security awareness training programs, make improvements, and implement a training program if you are not yet providing training to your employees. TitanHQ is here to help. Give the team a call today to find out more about how SafeTitan can benefit your business.