Simple security awareness mistakes are behind some of the world’s largest cyber attacks. In just one minute on the internet, $2.9 million is lost to cybercrime, according to the annual Evil Internet Minute report from RiskIQ. As the scale of the internet continues to increase rapidly, so too does the threat landscape. Tactics such as malvertising, phishing and attacks using an ever-expanding range of technologies and strategies have become increasingly popular. However, it is often the threats from within the organisation that pose the most risk, highlighting the need for improved security awareness.
In fact, 52% of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting businesses at risk. Last year, 60% of ICO-reported breaches were caused by human error and as such, a lack of security awareness remains a key issue for many organisations. Often, people are either oblivious to threats, or they become careless.
Being aware of these common security awareness mistakes and taking the correct steps to implement an effective awareness plan will help to educate, and empower employees to change their behaviours and protect your organisation from potential risk.
Security Awareness Mistakes to Avoid
1. Lack of Focus
The main goal of any security awareness program is to change behaviours and if your awareness program is to be successful, it must have clear objectives. These objectives will or should serve to uphold the reason for creating the program. They should be specific and should identify and address the weaknesses in your organisation, such as phishing, physical security and password safety.
2. Using a Single Stimulus
Many organisations make the simple mistake of focusing on a single element of cyber awareness, such as phishing or eLearning. While these areas are a critical part of protecting a business, the most successful cyber awareness campaigns adopt a variety of engaging methods to educate employees on their role in keeping the organisation safe and secure.
3. One and Done Training
Just 11% of organisations continuously train employees on how to spot cyber attacks, according to global research from Vanson Bourne and 52% perform training only quarterly, or once a year. In order to keep up with developments in the cyber threat environment, it’s important that awareness training is viewed as a continuous process that should begin during the onboarding process and continue throughout employment.
4. Out of Date Policies
An effective way to educate employees on the importance of security is a cyber security policy that explains each person’s responsibilities for protecting IT systems and data. These policies set standards of behaviour and outline expectations for employees. For example, without clearly defined policies on the use of removable media and personally owned devices, staff may connect devices to the corporate infrastructure that could lead to the import of malware or compromise sensitive information. However, effective policy and procedure management require far more than just creating a manual to sit on a shelf. Policies and procedures are living documents that should grow and adapt with a company. As such, ensuring policies are up to date is a crucial part of effective policy management and awareness. Regularly reviewing your policies ensures that they are consistent, effective and protect your organisation from risk.
5. Lack of C Suite Support
Protecting a business’ security is not only a job for the IT team but one for the Chief Executive Officer as well. The tone set from the top will ultimately be the driving force in creating a culture of enhanced cyber security awareness. In order to evoke change, an organisation’s senior management team must take ownership of cyber security and put in place the correct procedures and training that addresses all the risks.
6. Failure to Reward Success
Unfortunately, organisations can overlook those employees who are taking the precautions to stay safe online, often dismissing it as a responsibility that comes with the job. However, acknowledging employees who detect hacks and breaches with rewards and prizes is an effective way to motivate employees, incentivise your team and increase awareness within an organisation. This is exactly what an effective cyber security awareness campaign should be based on – engaged employees who take responsibility for keeping the company safe.
7. Poor Incident Reporting Culture
If employees are unclear about the consequences of reporting, they may fail to report an incident, or delay reporting it to the appropriate person. An employee reporting a potential security incident should be recognised as a positive event that enables the organisation to resolve it promptly. Setting clear expectations will help people to understand the actions to take when detecting or responding to a potential incident.
8. Infrequent Reviews
Failing to review your awareness efforts means there is no way to know whether your awareness campaign is truly successful in achieving its goals. This is essential to uncovering security awareness mistakes and areas where technology and processes can be improved. For example, phishing simulations enable organisations to review just how susceptible their company is to fraudulent phishing emails and helps identify staff that require additional training. By determining what is working and what is not, you can tailor future tactics based upon lessons learned.
9. Lack of Engaging Content
A report from Gartner found 70% of business transformation efforts fail due to lack of engagement. Telling users to be more vigilant about tailgating and opening messages from unknown sources is simply not enough to protect users from today’s sophisticated threats. Instead, cyber security awareness should be engaging and informative to ensure that staff understand what is required of them, and the importance of their role in safeguarding the organisation’s sensitive data. To help reduce the chance of security awareness mistakes; campaign posters, eLearning courses, gamification, simulated phishing attacks, quizzes, and pocket guides can be used to increase user awareness and compliance in an engaging way.
10. Unreasonable Expectations
Cyber awareness should be treated as a continual process that will evolve with time which is why it is important to set realistic expectations about what can be achieved. While it would be great if security awareness could prevent all incidents, it is simply not realistic. However, by implementing a hybrid approach to cyber awareness, organisations can effectively engage employees, encourage behavioural change and reduce the chance of costly cyber security awareness mistakes.
MetaCompliance specialises in creating the best Security Awareness Training available on the market. Our products directly address the specific challenges that arise from cyber threats and corporate governance by making it easier for users to engage in cyber security and compliance. Get in touch with our Security Awareness Specialists for further information on how we can help transform cyber security training within your organisation and reduce the chance of costly cyber security awareness mistakes.