Right Tools, Right Training and Right Trainers Essential to Creating a Culture of End-to-End Security
Anurag Lal, President and CEO of Infinite Convergence.
The digital transformation of work and the distributed nature of the workforce are expanding the cyberthreat landscape and leaving organizations more exposed to cyberattacks. A historic increase in cybercrime, fueled by the pandemic, continues to wreak havoc in enterprises. According to Accenture's State of Cybersecurity Resilience 2021 report, security attacks increased 31% from 2020 to 2021.
In an environment where cyberattacks are growing in frequency, scope and severity, it is critical for enterprises to build an end-to-end security culture. Achieving this requires not only technology designed to secure the enterprise but also a focus on employee cybersecurity awareness training and investment in expert security staff to develop and deliver that training.
Today, evolving threats and changing technology are elevating security awareness training to an operational imperative. Bad actors looking to exploit a changing work landscape increasingly target employees, because employees have proven to be a reliable entry point into business systems, networks and sensitive data. According to Verizon's 2022 Data Breach Investigations Report, 82% of breaches in 2021 involved the human element. The report noted that "whether it is the use of stolen credentials, phishing, misuse or simply an error, people continue to play a very large role in incidents and breaches alike."
Security awareness training can lower the chance of an incident such as a data breach by 70%. Yet 62% of businesses are not doing enough cybersecurity awareness or phishing-resistance training. That is surprising given the current threat landscape, and given research indicating that such training can deliver an ROI of 562% for large organizations.
Enterprises that do not invest in employee cybersecurity awareness training significantly increase their cyber risk exposure, and that exposure can cost far more than investing in awareness training and trainers. IBM's 2021 Cost of a Data Breach report found that data breaches cost companies $4.24 million per incident on average, the highest figure in the 17-year history of the report. These costs are expected to keep rising: Cybersecurity Ventures predicts that global cybercrime costs will grow 15% per year over the next five years, reaching $10.5 trillion by 2025.
Damage to and destruction of data, business disruption, lost productivity, theft of personal and financial data, and theft of intellectual property are just a few of the many consequences of cyberattacks, and just a few of the reasons why organizations simply cannot afford to ignore employee cybersecurity awareness training.
To promote a cyber-secure organization, enterprises should develop robust security awareness training programs that teach employees why cybersecurity matters, how to spot and avoid cyber risks, and how to practice good cyber hygiene in their daily routines.
Security awareness training should cover topics such as social engineering (phishing, vishing and smishing), password best practices, multi-factor authentication and safe remote working. Training should be mandatory for staff at all levels and tailored to different roles. Enterprises should not treat this training as a one-and-done exercise: as cyberthreats continue to evolve, so too must the training content.
For cybersecurity awareness training to be effective, it is critical to hire the right teachers. Research firm Gartner notes that hiring "security awareness leaders with the right skills who know how to present information in a thought-provoking and engaging manner" will help employees learn faster and remember more. The firm predicts that 60% of large organizations will have one in-house staff member dedicated to security awareness by the end of this year.
Security awareness trainers are pivotal in helping enterprises develop and deliver training that builds a culture of cybersecurity, one in which every employee feels personally responsible for protecting the company. Creating an "everyone is responsible for cybersecurity" mindset requires expertise in organizing and facilitating cybersecurity training, workshops and events, and in producing regular company-wide communications on security topics and updates. Security training experts can also help enterprises monitor employee engagement with security education programs and adjust the training as needed, so that employees not only know how to detect and deter cyberthreats but actually put that knowledge into practice.
Today, when "cyber perils" rank as the biggest concern for companies globally, ahead of natural disasters, business interruption and the COVID-19 pandemic, employee security awareness training and in-house cybersecurity trainers are operational imperatives for organizations large and small.
Proactively creating a culture of end-to-end security requires enterprises to have the right secure tools, the right training and the right trainers.