More than half (53%) of all C-suite executives say data breaches in their organizations are due to accidental loss by an external party or human error, according to "Shred-it's Ninth Annual Data Protection Report." In addition, 96% of Americans hold negligent employees at least partly to blame for data breaches at major US companies, the report found.
These types of mistakes have been costly, anywhere from thousands to millions of dollars, and the price tags keep growing. For example, the city of Riviera Beach, Fla., recently paid $600,000 to hackers to decrypt their files after one of its employee accidentally clicked on a phishing link that delivered ransomware to its computer systems. And Moody's recently estimated that the Equifax data breach — caused by the company’s negligence, many say — will cost it about $400 million in cybersecurity expenses and capital investments this year and next.
As threats continue to evolve, and cybercriminals become more sophisticated and targeted in their attacks, organizations that lack a mature security awareness and training program place themselves at serious risk. That security awareness managers need to rethink the ways (emphasis on the plural) they inform and educate employees about potential cyberattacks is nearly an understatement.
It's not all bad news, though. While awareness and training still has a long way to go, organizations are slowly coming around, and industry leaders are working hard to move the needle. Here's what some of them have to say about the latest trends in security awareness.
Awareness Is Not Training
To start, practitioners need to understand that awareness and training are not the same. "Just because I'm aware doesn't mean that I care," wrote Perry Carpenter, chief evangelist and strategy officer at KnowBe4, in his recently published book, "Transformational Security Awareness."
The point is one echoed in the Certified Security Awareness Practitioner course taught by Lisa Plaggemier, chief evangelist at the InfoSec Institute. "Processes and policies are fine, but if you're not winning hearts and minds and gaining buy-in from employees, it's probably a non-starter," she says.
Awareness is about providing information. Training is the act of engaging participants for the purpose of changing behavior. "Awareness is, 'Lock your car so your valuables are not stolen,'" says Alexandra Panaretos, EY Americas' cybersecurity lead for security awareness and training development. "Training is, 'This is why your car is a target from a criminal's perspective.'"
Reframing the Way Employees Feel about Security Awareness
Organizations have come to realize (and take seriously) that human error and social engineering are all too often the root of data breaches. Security awareness as part of an annual check-the-box computer-based training no longer cuts it.
"I can't think of any other industry that sees people as the problem quite as much as ours," Plaggemier says. "That's actually pretty sad when you think about it. I see technology as enabling humanity, not humans as ruining technology."
Informing and educating employees must be a business priority, and not doing so is a risk that the business should be held responsible for. Fortunately, industry influencers have started to transform the way enterprises think about security awareness, and organizations are catching on to the fact that people are constantly learning, so awareness and training need to be ongoing.
"Many times over, practitioners have seen that training in general is not effective," EY Americas' Panaretos says. "Micro-learning and point-in-time learning are really changing how the workforce works."
"It's important to understand how people naturally think, behave, express preferences, make choices, and adopt new beliefs if you ever want to be effective in shaping their security-related thoughts and actions," KnowBe4's Carpenter says.
Awareness and training has to be more than a regulatory requirement. For a program to be really effective, security has to be a part of the corporate culture. In addition, the content offered needs to be non-intrusive so employees don't feel the training interrupts their business responsibilities.
Whether it's putting out a security tip of the week that goes into some other briefing that employees have to read to do their job, or delivering a quick, humorous video, the key to successful awareness and training is making it relevant to the audience you are trying to reach. "Build it into the life of that person so that it's not seen as an extra duty," Panateros says.
Establishing the Role of Security Awareness Manager
Part of the reason why security awareness programs have not been successful is no one person or team of people has been charged with the task of informing and educating employees across the organization.
Even the roles that do exist aren't clearly defined, as Lance Spitnzer, director of SANS security awareness, pointed out in a May 21 blog post. Despite the NIST NICE Framework that is intended to define the roles of the cybersecurity workforce, Spitzner says he could not find a consistent title or an adequate description for the role.
SANS took on the task of cross-referencing the different job titles and duties to establish a singular one, the "security awareness and communications manager," that encompasses the various tasks currently assigned to myriad individuals who have a hand in security awareness and training.
"This is someone who is specifically responsible for selling the concept of cybersecurity to the workforce," Spitzner says. "In this role, their goal is to create secure behaviors throughout the organization and ultimately enable a security driven culture."
Security Programs that Work for Humans
Revamping an existing program or even starting a new one from scratch begins by talking to employees, Panateros says. "Ask them what they like and don't like about training in general — not just information security training, but training as a whole," she says.
Security awareness providers also need to work hand in hand with their human resources and training teams and be open to the idea that the current content isn't working. Accept that people might not like what is being offered and see that as an opportunity to get creative.
Carpenter advises companies to compile different strategies to store in what he calls the "security awareness leader's toolbox." The toolbox should include fresh and engaging content that ranges from videos to learning modules and microlearning, posters, newsletters, and even swag. And it all should be delivered through storytelling with a cultural connection that folks can take home with them.
"All these stories contribute to the story — the larger story of how your program is making a difference in the lives of your employees and to the overall risk posture and resilience of your organization," Carpenter says.
Image Source: Julien Eichinger via Adobe Stock