Humans are always the weakest link in the cybersecurity chain. Most cyberattacks involve weak or stolen credentials, or phishing emails that lure users into clicking malicious links or attachments. A Stanford University study found that 90 percent of security breaches involve user error.
The transition to remote work since the onset of the pandemic has exacerbated the problem. Remote workers admit that they routinely open suspicious emails and links, upload company data to their personal devices, and use applications that aren’t approved by the IT department. It’s more imperative than ever that organizations take steps to raise cybersecurity awareness and ensure that users understand their responsibilities for protecting the organization against attack.
Many employees believe that security is the responsibility of the IT department, and don’t understand their obligation to follow best practices and company policies. Some don’t know how to recognize threats or what to do when they encounter them.
Cybersecurity awareness training can help organizations improve their security posture by helping individual users understand the role they play in effective cybersecurity. An effective training program also stresses accountability for following best practices and the organization’s cybersecurity policies.
Achieving Security Awareness Maturity
Most organizations have some form of cybersecurity awareness training, but often it is focused on specific types of threats. The training may be provided annually to meet regulatory compliance requirements.
However, a study by researchers from several German universities found that the benefits of security training are short-lived — users forgot most of what they learned in less than six months. An Osterman Research study found that users who received 15 minutes or more of training monthly were better able to identify and respond to threats.
Furthermore, threat awareness is only one aspect of effective training. The SANS Institute Security Awareness Maturity Model is a widely used benchmark for determining the maturity of an organization’s training program. The five levels are:
- Nonexistent
- Compliance Focused
- Promoting Awareness and Behavior Change
- Long-Term Sustainment and Culture Change
- Metrics Framework
In the 2021 Security Awareness Report, the SANS Institute found that 53 percent of organizations sit at the third level, Promoting Awareness and Behavior Change. These organizations have developed training programs that are fine-tuned to address the greatest threats to the organization and that encourage users to actively follow security policies. The fact that more than half of organizations have reached this level of maturity represents significant progress over the six years that SANS has compiled the report.
How Technologent Can Help
Nevertheless, organizations still face substantial barriers when it comes to developing and implementing effective training programs. Often, the roadblocks come from the finance and operations departments.
Finance may be concerned about the expense of the program without understanding how investments in security awareness can reduce other costs. Operations may be concerned about lost productivity, organizational politics and employee pushback, and the challenges of implementing and administering the training. The operational team should play an active role in planning the program rollout.
In many organizations, the IT department is tasked with developing the cybersecurity awareness training program. While IT pros have the technical skills and knowledge of security threats, they may lack the time, resources and “soft” skills needed to make the program effective. Internal politics can also play a role in thwarting their efforts.
Technologent has specific expertise in developing security training and awareness programs as part of an overarching security strategy. Let us help you make every month Cybersecurity Awareness Month (not just October!) as you build the organizational culture and behaviors needed to protect against today’s threats.
November 19, 2021