While a talented 24/7 security operations center equipped with good tools can prevent the vast majority of threats, the people outside IT security play a critical role on the front lines of your company's IT security efforts.
Here's an analogy: how good is your home security system if you invite a criminal into your home?
Not good at all. The moment they are inside, all of that security goes out the window. It is no different with cyber security.
To use another analogy, consider the medical model as applied to cyber security. You are going to come across bugs and viruses; that is a fact of life. It does not mean you should abandon good hygiene. The same applies to IT security: do not simply accept that hacks and breaches are going to happen. Combat them with good cyber hygiene.
Why You Need Cyber Security Awareness Training
The mantra among cyber security experts for years has been "defense in depth, defense in depth." Yet even with the best people and technology in place, the weakest link in your organization's IT security is your own employees.
There are three main reasons why you need security awareness training:
- Regulatory Requirements
Let's look at the first reason, regulatory requirements. If your company falls under any regulation, find out what it demands from an IT security standpoint. If your company falls under GLBA, PCI, HIPAA or Sarbanes-Oxley, you will need some element of security awareness training. The people who wrote those rules understood that people are a weak link in IT security.
- The Vanishing Perimeter (thanks to Bring Your Own Device policies)
The inherent vulnerability of the human element is compounded when companies, in an effort to reduce costs, let employees bring their own computing devices to work (BYOD). BYOD, which we don't recommend, together with the Internet of Things is responsible for the vanishing perimeter: your network becomes harder to defend because people in your company are using devices and connections that are not under your security controls. The vanishing perimeter places even greater emphasis on proper cyber hygiene, which a good security training program can teach.
- Constant Changes in the Threat Landscape
Finally, you and your team have to stay on top of the latest threats that exploit the human element, especially social engineering attacks. For example, spam and email phishing rates decreased last year, while manually shared social media scams increased from 2% to 80% over the same period.
Ready for some scary statistics? Look just at spear-phishing attempts in 2014:
- 34% of spear phishing attacks are aimed at small businesses
- 25% of spear phishing attacks are aimed at medium sized businesses
- 41% of spear phishing attacks are aimed at large enterprises
And the number of breaches is only projected to go up.
SIDENOTE: Our friends at the Infosec Institute have developed a sneaky little app that lets you conduct mock phishing attempts against your colleagues over at http://www.phish.io/. Go ahead, test your coworkers … but don’t tell them it was my idea – tell them it was yours.
The threat landscape changes constantly, and security awareness is a perishable skill. What your employees practice in the weeks after training can be forgotten within months, and they may also become complacent.
Look at this handy chart from our friends at The Infosec Institute:
Regular training resulted in an 80%+ increase in average retention rates. That can be the difference between keeping personally identifiable information (PII) and other sensitive data secure and being the victim of a data breach.
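If you run the kind of mock phishing campaign mentioned in the sidenote above, the useful output is not "who clicked" but "how does click rate change with time since training", which is exactly the retention question the chart addresses. The script below is an added example written for this page; it is not code from the Infosec Institute, phish.io or the original author. It assumes a constructed recipient list with days since each person's last training, a constructed campaign key, constructed web-server access-log lines, and cohort cut-offs (30 and 180 days) chosen for illustration. Each recipient gets an opaque HMAC token in their link so the landing-page log never stores email addresses and nobody can forge a colleague's token; the scorer then maps clicks back to recipients, counts each person once, and reports click rate per training cohort.

```python
"""Added example: scoring a mock phishing campaign by training cohort."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed campaign secret for this example; load it from a secret store in practice.
CAMPAIGN_KEY = b"example-campaign-key-do-not-reuse"

# Constructed recipient list: (email, days since last awareness training).
RECIPIENTS = [
    ("alice@example.com", 10),
    ("bob@example.com", 95),
    ("carol@example.com", 12),
    ("dave@example.com", 200),
    ("erin@example.com", 400),
    ("frank@example.com", 30),
]

# Matches the tracking link on the mock landing page, e.g. GET /login?t=<16 hex chars>
LOG_LINE = re.compile(r'"GET /login\?t=([0-9a-f]{16}) HTTP/1\.[01]"')


def tracking_token(email: str) -> str:
    """Opaque per-recipient token for the mock phishing link.

    An HMAC of the lower-cased address means the access log never contains
    the address itself, and a recipient cannot derive another person's token
    without the campaign key. 16 hex chars (64 bits) is plenty for a campaign."""
    digest = hmac.new(CAMPAIGN_KEY, email.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def cohort(days_since_training: int) -> str:
    """Bucket recipients by how stale their training is (assumed cut-offs)."""
    if days_since_training <= 30:
        return "trained_last_30d"
    if days_since_training <= 180:
        return "trained_31_180d"
    return "trained_over_180d"


def make_sample_log() -> list:
    """Constructed access-log lines standing in for the landing page's log."""
    def hit(email: str) -> str:
        return ('203.0.113.7 - - [10/Mar/2015:09:14:02 +0000] '
                f'"GET /login?t={tracking_token(email)} HTTP/1.1" 200 512')
    return [
        hit("carol@example.com"),
        hit("bob@example.com"),
        hit("bob@example.com"),   # second click from the same person; count once
        hit("dave@example.com"),
        hit("erin@example.com"),
        # Token not issued in this campaign: a forwarded or guessed link, or a scanner.
        '198.51.100.9 - - [10/Mar/2015:09:20:11 +0000] "GET /login?t=0123456789abcdef HTTP/1.1" 200 512',
        '198.51.100.9 - - [10/Mar/2015:09:20:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    ]


def score_campaign(log_lines) -> dict:
    """Attribute clicks to recipients and compute click rate per training cohort."""
    by_token = {tracking_token(email): (email, days) for email, days in RECIPIENTS}
    clicked = set()
    unknown_tokens = 0
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        record = by_token.get(match.group(1))
        if record is None:
            unknown_tokens += 1      # worth investigating, but never counted as a recipient
            continue
        clicked.add(record[0])       # a set, so repeat clicks count one person once

    totals = defaultdict(int)
    clicks = defaultdict(int)
    for email, days in RECIPIENTS:
        bucket = cohort(days)
        totals[bucket] += 1
        if email in clicked:
            clicks[bucket] += 1

    return {
        "click_rate_by_cohort": {b: clicks[b] / totals[b] for b in totals},
        "clicked": sorted(clicked),
        "unknown_tokens": unknown_tokens,
    }


if __name__ == "__main__":
    for bucket, rate in sorted(score_campaign(make_sample_log())["click_rate_by_cohort"].items()):
        print(f"{bucket}: {rate:.0%} clicked")
```

With the constructed data the recently trained cohort clicks at 33% while both staler cohorts click at 100%, which is the shape of the retention curve you want to be able to show an executive. Keep the campaign key per campaign so tokens from an old exercise cannot be replayed into a new one, and report results by cohort or department rather than by name: the goal is to measure the program, not to shame individuals.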
Even if you’re convinced you need to increase your investments in cyber security awareness training, you may still need to convince your colleagues, executives, or board members on its importance.
Prevention goes a long way, and good cyber hygiene prevents breaches. Training your employees in good cyber hygiene also protects them at home, where a compromise can follow them back to work. A more secure world is a safer world for business … especially your business.