Eight ways to instill a cybersecurity awareness culture

William O’Connell, chief business security officer of ADP, kicks off National Cyber Security Awareness Month at the Organization of American States in October 2017. Today’s columnist, Stephen Burke of Cyber Risk Aware, offers eight ways companies can instill a more cyber aware culture to prevent serious breaches. (Credit: CC BY-NC-ND 2.0)

Security breaches are at an all-time high in the COVID-19 era, the result of attackers taking advantage of widespread health fears and economic uncertainty. This has had devastating, costly implications, impacting hospitals and businesses of all sizes. Corporate systems have been targeted with ever-increasing frequency, but the attackers still exploit the same two vulnerabilities: unaware people and unpatched systems.

This past August, fraud examiners worldwide reported increases in different types of fraud risk since the start of the coronavirus pandemic. Some 47 percent reported a significant increase and 36 percent a slight increase; taken together, 83 percent reported a rise in global cyber fraud. During the first part of the pandemic, email scams related to COVID-19 reportedly increased by triple digits, and users were found to be three times more likely to click on a pandemic-related phishing email.

Attackers are still infiltrating networks, COVID-19 still rages and businesses are at a stress point. But it doesn't have to be this way. Research shows that having an effective security awareness training (SAT) program reduces the risk of a security breach by up to 70 percent. What do effective SAT programs look like, and what's the best way to deliver one?

From a technology standpoint there are any number of network defensive tools available: DNS-based cyber security software, network intrusion systems, SIEM, DLP, antivirus, or web gateways, to name a few. All are useful and meet best practices, but none are 100 percent foolproof. Without securing a network’s prime vulnerability – the human element – an organization’s defenses can still crumble at the click of a button. A company that wants an effective information security strategy must embrace a human-centric approach. With every employee having access to an estimated 17 million files, a hacker can gain access to entire networks through a single phishing email.

We know that more than 90 percent of data breaches are caused by human error, and a recent study revealed that more than 44 percent of employee mistakes are caused by a lack of awareness of human cybersecurity principles. Companies are most effective with training when cybersecurity awareness becomes part of the culture. They must offer the training at an employee’s exact moment of need: when they display behavior that puts the company in jeopardy and don’t even realize it. This creates a positive behavior change, reducing the risks businesses face and the likelihood of recidivism.

In August, a cybercriminal offered a Tesla employee $500,000 in cash or bitcoin to install ransomware, either by plugging in a USB drive or by opening a malicious email attachment. The hacker planned to seek a $5 million ransom, as they had allegedly done with other businesses. The attempt was thwarted because the employee reported the approach, which reinforces the critical nature of an effective SAT program.

Even with a training program in place, the real silver bullet is catching a potential breach at the precise moment an employee puts the business at risk. Scheduled training works by taking a known problem and educating staff about it, but this can only go so far. Businesses need real-time awareness training that addresses the problem as it happens.

Here are eight essential training and education considerations that can help create an effective cyber awareness culture:

  • Identify security champions across the business who will support the SAT program as an extension of the security team.
  • Ensure the security team can respond instantly to any risky behavior an employee displays on the network. In this way employees learn at the point of occurrence and will reconsider their behavior the next time.
  • Deliver additional formal training to staff who need assistance based on the results of cyber knowledge assessments and phishing simulations. There’s no need to give blanket training to every staff member.
  • Conduct at least quarterly phishing simulations to help staff learn what a real attack looks like and what to do if they receive such messages.
  • Spot when employees download free software and explain right there and then that this contravenes company policy and why it’s risky.
  • Explain to staff why they should not save data to cloud file sharing apps as and when it happens.
  • Advise employees why they should not access Tor networks before it’s too late.
  • Offer new staff automated essential training and education during onboarding to help prevent future risky behavior, saving people’s time by no longer requiring in-person sessions.

Companies need to take a holistic approach to cybersecurity: build a strong cybersecurity awareness culture and facilitate behavioral awareness through cybersecurity education and training in combination with technical tools. Companies that take this approach will find that they can implement a fully integrated cybersecurity program.

Stephen Burke, founder and CEO, Cyber Risk Aware