If there’s one constant in the ever-changing cybersecurity landscape, it’s this: Your employees are typically the weakest link in your defenses. Regardless of the type of attempted attack, most will start with an effort to fool an employee into taking an undesired action, whether that’s clicking on a malicious link or transferring funds that will never be seen again.
For that reason, many organizations have made security awareness training mandatory, as it should be simply because so much is at stake. But even with a much larger percentage of the workforce having had some kind of training, ransomware and business email compromise (BEC) attacks continue to rise sharply. Where is the training going wrong?
What’s wrong with training?
In our opinion, one significant issue with much of the training being offered is too much focus on the what – for example, identifying a malicious link – and not enough on the how and why. While your team should be up to date on the latest methods of attack, they also need to be aware of the steps that lead up to that moment.
In other words, they need to understand the social engineering that makes them a target in the first place. The tendency is to see phishing and BEC attacks as a shotgun approach in which someone sends 1,000 emails and hopes to fool a few people. That happens, but hackers are increasingly taking a very targeted approach. A given employee might be researched on social media to learn which levers to pull to get them to respond to an attempt. And attempted attacks are increasingly timed to arrive at a moment when a worker is likely to be extra busy or otherwise distracted, say, heading into a weekend or holiday.
An employee who better understands how they might be specifically targeted is better prepared to resist an attack regardless of the methods used.
Making security awareness training better
How can organizations do a better job of protecting their vital assets? Most of the answers come down to culture:
For one, leadership needs to be committed to the importance of training. Employees will never take training seriously if upper management does not. Security awareness training is an ongoing process, not an event, and if leadership treats it as a box to be checked to satisfy the legal department or a cyber liability carrier, it’s destined to fail.
Second, every employee has different responsibilities and access to different assets. Yet many organizations use a one-size-fits-all approach to training. To take one example, the stakes are likely to be much higher, and the methods quite different, in a social engineering attack directed at the controller versus the receptionist. Training programs should take those differences into account.
Finally, organizational culture needs to avoid the blame game for employees who do make an error. Punishing or calling out an employee over a mistaken action will make other employees less likely to report their own errors. Since days or even weeks might elapse between the initial breach and the actual attack, as hackers poke around behind the scenes to locate vital data, prompt reporting is vital to reacting quickly.
Questions about security awareness training? Contact Hill Tech Solutions.