How to Build a Cyber Security Awareness Program
Cybercrime has become a big business and it seems like no area of the world has remained unscathed from this growing threat. You only have to glance at the headlines to read about the latest cyber attacks, data breaches and the global mayhem that’s being inflicted from this digital crime wave.
According to the Ninth Annual Cost of Cybercrime Study released by Accenture and the Ponemon Institute, the average cost of cybercrime for an organisation has increased $1.4 million over the past year to $13.0 million, and the average number of security breaches in the last year rose by 11%.
New threats are emerging all the time and organisations can no longer rely on their technological defences alone to keep them safe. Cybercriminals are using sophisticated social engineering techniques to bypass these defences, and all it takes is one employee to click on a malicious link and it’s game over!
Your employees are your first line of defence against cybercrime so it’s vital they are equipped with all the knowledge and skills they need to protect your organisation. A comprehensive Cyber Security Awareness program is the best way to educate staff and create a security first culture.
A successful cyber awareness program should address the following:
1. Identify Risks
The first step in creating an effective security awareness program is evaluating the threat landscape and identifying your top risks. If employees are targeted with the wrong training it can result in information overload, or more worryingly, organisations can leave themselves vulnerable to attack.
Every organisation has a different threat profile but some of the biggest threats across the board include phishing, malware and poor security practices. Phishing is behind 71% of all cyber attacks worldwide, and unfortunately, the common denominator behind all these attacks is human error.
No matter what threats your organisation is facing, taking time to properly identify the risks will help shape the messaging, delivery and effective targeting of your Cyber Security awareness program.
2. Change Behaviour
Within the last decade, training methods have changed dramatically. Organisations are no longer restricted to classroom-based training or a tick-box one day course to demonstrate Cyber Security compliance. And quite simply, these methods no longer cut it. Employees need to become engaged with the training to fully understand what is required of them and the importance of their role in the overall security of the organisation.
For training to resonate, it needs to be role-specific, tailored, fun, and address the challenges that staff face on a day-to-day basis. Providing your employees with easy-to-consume content that is relevant to their role is a critical step in changing their behaviour.
The best way to achieve this is through a comprehensive security program that leverages a variety of different tools and techniques. Engaging videos, realistic scenarios, quizzes, policies and real-world phishing simulation tests will ensure that staff are fully trained to recognise and identify the most up-to-date threats.
Organisations can also utilise communications and marketing tools such as blogs, awareness posters and real-life case studies to reinforce key messaging.
According to Gartner: “By 2020, organisations that use a multipronged approach to Cyber Security Awareness will experience a 40% increase in overall employee security competency compared to their position in 2017.”
Clearly, a comprehensive and varied security program is key to mitigating risk and positively impacting employee behaviour.
3. Schedule Delivery of Training
Security awareness training should be an ongoing process, conducted at regular intervals throughout the year. Training employees once a year on Cyber Security is simply not enough to equip them to deal with the myriad evolving threats. Security policies could be rendered useless unless organisations have a thorough and continual way of monitoring Cyber Security compliance.
Cybercriminals launch scams to coincide with seasonal and monthly events, so unless your employees receive regular training on the most up-to-date security threats, they will not be able to recognise the devious new attack methods being used to target them.
To effectively change employee behaviour and create a culture of enhanced Cyber Security awareness, organisations should create an annual security awareness campaign that encompasses engaging videos, policies, quizzes, surveys and simulated phishing. This will help keep staff engaged and prevent them from getting fatigued with the same repetitive content. Organisations can tailor different awareness materials to different groups of users depending on the specific threats they face.
4. Test Effectiveness of Training
At the very start of a Cyber Security awareness program, organisations should conduct an initial baseline assessment to determine where the risks lie.
Once this has been established, regular phishing simulations can be conducted to find out just how susceptible the company is to fraudulent phishing emails and help identify staff that require additional training. Controlled simulation tests will help employees recognise, avoid and report potential threats that could threaten the security of the organisation.
However, to truly improve employee behaviour, organisations should run a full educational program in conjunction with simulated phishing campaigns. Quizzes and tests can be added to the end of training videos to help reinforce the key messaging and reduce risk.
5. Track Metrics
To determine if your Cyber Security awareness program is effective, your organisation will need to track the metrics and act accordingly. A detailed reporting structure will provide information on participation, engagement, and help assess the individual progress of employees or specific departments across the entire organisation.
This will enable you to identify which areas employees are struggling with and determine which members of staff could handle more advanced training. This data can be used to shape future training by providing feedback on what’s working and what’s not. For example, if your organisation is not seeing a drop in security incidents despite having a security program in place, you may need to re-evaluate your approach and try a different method.
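The baseline assessment in step 4 and the metrics in step 5 only become actionable once simulation results are broken down by campaign and department. The following is an added example, not code from the original article or from any vendor it mentions: it takes constructed phishing-simulation results (a baseline run and a follow-up run after training), computes click and report rates per department, flags departments above an assumed click-rate threshold, and shows the change between campaigns so the programme owner can see whether behaviour is actually improving. The department names, campaign labels and the 20% threshold are all assumptions for illustration.

```python
"""Added example (not from the original article): summarise phishing-simulation
results per campaign and department so an awareness programme can see where
extra training is needed and whether click rates are falling over time.
All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class SimulationResult:
    campaign: str     # assumed label, e.g. "baseline" or "q2"
    department: str   # assumed department name
    sent: int         # simulated emails delivered
    clicked: int      # recipients who clicked the simulated link
    reported: int     # recipients who reported the email


# Constructed sample data: a baseline run and a follow-up run after training.
SAMPLE_RESULTS = [
    SimulationResult("baseline", "Finance", sent=40, clicked=14, reported=3),
    SimulationResult("baseline", "Engineering", sent=60, clicked=9, reported=20),
    SimulationResult("baseline", "Sales", sent=50, clicked=20, reported=2),
    SimulationResult("q2", "Finance", sent=40, clicked=6, reported=12),
    SimulationResult("q2", "Engineering", sent=60, clicked=4, reported=31),
    SimulationResult("q2", "Sales", sent=50, clicked=15, reported=6),
]


def rates_by_department(results, campaign):
    """Return {department: (click_rate, report_rate)} for one campaign."""
    rates = {}
    for r in results:
        if r.campaign != campaign or r.sent == 0:
            continue
        rates[r.department] = (round(r.clicked / r.sent, 3),
                               round(r.reported / r.sent, 3))
    return rates


def overall_click_rate(results, campaign):
    """Organisation-wide click rate for one campaign (0.0 if nothing was sent)."""
    sent = sum(r.sent for r in results if r.campaign == campaign)
    clicked = sum(r.clicked for r in results if r.campaign == campaign)
    return round(clicked / sent, 3) if sent else 0.0


def departments_needing_training(results, campaign, click_threshold=0.2):
    """Departments whose click rate is at or above the threshold.
    The 20% cut-off is an assumed value; tune it to your own risk appetite."""
    return sorted(dept for dept, (click, _) in
                  rates_by_department(results, campaign).items()
                  if click >= click_threshold)


def improvement(results, before, after):
    """Per-department change in click rate between two campaigns.
    Negative values mean fewer clicks, i.e. behaviour improved."""
    b = rates_by_department(results, before)
    a = rates_by_department(results, after)
    return {dept: round(a[dept][0] - b[dept][0], 3) for dept in b if dept in a}


if __name__ == "__main__":
    for campaign in ("baseline", "q2"):
        print(campaign, overall_click_rate(SAMPLE_RESULTS, campaign),
              rates_by_department(SAMPLE_RESULTS, campaign))
    print("needs more training after q2:",
          departments_needing_training(SAMPLE_RESULTS, "q2"))
    print("change in click rate:",
          improvement(SAMPLE_RESULTS, "baseline", "q2"))
```

Report rate is tracked alongside click rate deliberately: a department whose click rate falls while its report rate rises is showing the behaviour change the programme is meant to produce, whereas a falling click rate with no reports may just mean the emails were ignored.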
Gartner is the world’s leading Information Technology research and advisory company, and it has produced a detailed research paper entitled ‘Discover Three Critical Factors in Building a Comprehensive Security Awareness Program’. The paper provides valuable advice and lays out the key elements that should form the foundation of a successful awareness education program.