The first line of defense for data breaches in most organizations is to upgrade or add new antivirus (AV) software, anti-malware systems, IDS, firewalls, spam filters, security analytics and more. While all of these actions are definitely necessary, they aren’t enough to stop cyber attacks against your organization.
By far the most effective strategy in combating these attacks is also one of the most poorly implemented: security awareness training. The long list of “worst practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing.
Understanding the Threat
According to a recent study by Osterman Research, email is the top attack vector into organizations. Osterman places email in the lead with malware infections impacting 67% of organizations, with web-based attacks in second place at 63%. The primary email-based attacks include things like phishing and spear-phishing and some newer types of attacks, like executive whaling, where C-level executives are targeted and oftentimes are opening these suspicious emails due to the high volume of traffic they experience in their inboxes.
First Line of Defense – Security Awareness Training
In spite of all the layers of protection to prevent a data breach, there is a critical component to the equation – the users themselves. The root cause for most of the security breaches is the action of users of the technology.
In the KnowBe4 whitepaper, “How to Transform Employee Worst Practices Into Enterprise Best Practices”, there are 10 best practices outlined to shape a sustainable program that can add a layer of informed, educated and phish-savvy employees that can serve as your human firewall. Here’s a brief recap of what you can find in the whitepaper. You can download the whitepaper to learn more.
- Comprehensive programs work – many organizations will initiate programs that are superficial hoping that it will be enough. But it is imperative to have an understanding and commitment by leadership of the scale of the problem and the resources necessary to properly defend the organization.
- Develop a coordinated campaign – rather than relying on a once a year training or some simulated phishing of employees, combining these two tactics can greatly increase effectiveness.
- Establish a baseline – you have to know where you currently are with the number of staff who can be tricked into opening an attachment, clicking on a link or entering sensitive information.
- Gain buy-in – your leadership team, IT managers and HR representatives need to be involved and understand the importance of the training. They also need to hear results of the training regularly.
- Conduct random tests – this is important to ensure your data is reliable. A best practice is to select random groups using random schedules and random phishing templates. This eliminates “prairie dogging” where an employee notices a simulated phishing email and warns others in the office about it.
- Personalize emails – they are more believable. In addition to using employee names, use vendor names that employees recognize in your phishing campaigns. The more realistic your phishing attempts are, the better.
- Don’t expect miracles – a comprehensive security awareness training program won’t eliminate the entire problem but it will reduce it to a level where IT can find itself able to contain the outbreaks that do occur more effectively because there won’t be as many breaches happening.
- Avoid witch hunts – don’t ever use the results of a phishing campaign to single out specific individuals. It is best to keep the results to correct and train the organization as a whole.
- Continue to test employees regularly – data breach tactics are always changing so training reinforcement must remain a key component of your organizational security strategy.
- Provide thorough and interactive security training – to keep employees engaged, you must provide them with a balance of theory and application so they can apply what they learn in their day-to-day jobs.
User awareness and training are key to protecting your organization in the ever-evolving world of cyberthreats. Want to learn more about transforming your security awareness training into a best practices model? Download the KnowBe4 whitepaper now.