Unauthorized Use of Software and Cloud Services is a Major Security Risk

Many businesses concentrate on technical measures to protect themselves against cyberattacks. They invest in firewalls, multifactor authentication, advanced email security solutions, and web filters to block attacks at source, yet often neglect the human factor and do not provide adequate security awareness training to their employees. According to the Verizon Data Breach Investigations Report, the human factor is a component of 74% of all data breaches, so providing security awareness training is one of the highest-impact cybersecurity measures businesses can implement, and arguably provides the best return on investment of any cybersecurity measure.

Security Awareness Training Gives the Biggest Cybersecurity Bang for Your Buck

Coverage of scams, phishing, and malware in the media and public information campaigns such as Cybersecurity Awareness Month are helping to improve understanding of cyber threats, but there are still significant knowledge gaps that need to be addressed. Further, multiple security awareness studies have revealed that many employees believe they could spot a phishing attempt or scam, but their confidence is often misplaced. When threat identification skills are put to the test, many employees fail even simple tests and take actions that could easily result in a threat actor gaining a foothold in their employer’s network.

Increasing numbers of businesses are starting to appreciate the importance of training their employees, and many provide security awareness training, although not nearly frequently enough. While it was once sufficient to provide annual security awareness training, the cybersecurity best practice is now to provide ongoing training. Cybercriminals are constantly changing their tactics, techniques, and procedures, and a once-a-year training session is no longer sufficient. Training should be provided in small doses regularly throughout the year to keep employees up to date on the latest threats.

Security awareness training should be heavily focused on the ways that cybercriminals target individuals, such as phishing and social engineering; after all, these are the most common threats and the ones that employees are most likely to encounter. Employees should also be taught security best practices, such as how to choose strong passwords and the importance of doing so, always logging out of accounts when leaving workstations, and not using unauthorized software and hardware.

Study Reveals Major Gap in Cybersecurity Knowledge

Unauthorized software and hardware is an area where knowledge needs to be improved. Many employees choose to download software to their work devices that has not been authorized by the IT department. They also commonly use unauthorized cloud services and personal devices for work, collectively known as shadow IT. Shadow IT poses a significant cybersecurity risk. Personal devices do not usually have the same standard of security as work devices, and they are used for a much broader range of activities, which means a much higher risk of device compromise. When such devices are used to access internal resources or accounts, a threat actor who compromises the device could easily gain that access too.

Employees often install software on work devices to help them work more efficiently. While that software can save time and effort, it also poses a security risk, even when it has been downloaded from a reputable vendor. Software updates are regularly rolled out to correct vulnerabilities, and if the IT department is unaware that the software is in use, updates will not be applied and vulnerabilities are likely to remain unaddressed.
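The practical defence against the problem just described is to reconcile what is actually installed against what IT has approved and keeps patched. The following is an added example, not code from the article or from any vendor it mentions; it assumes a constructed inventory export of "hostname,application,version" lines (the kind an endpoint management agent can produce) and a constructed approved-software catalog listing the minimum version IT currently supports. Anything absent from the catalog is shadow IT; anything present but below the minimum version is unpatched.

```python
"""Reconcile a software inventory against an approved-software catalog.

Added example for this article, not code from the original page. The
inventory format and the catalog contents below are constructed for
illustration; a real deployment would read both from the organisation's
endpoint management and asset systems.
"""

# Constructed approved catalog: application -> minimum supported version.
APPROVED_CATALOG = {
    "Office Suite": "16.0.1",
    "PDF Reader": "23.2.0",
    "VPN Client": "5.1.4",
}

# Constructed inventory export, one "hostname,application,version" per line.
INVENTORY_EXPORT = """\
ws-101,Office Suite,16.0.1
ws-101,Screen Recorder,2.3.0
ws-102,PDF Reader,22.8.1
ws-103,VPN Client,5.1.4
ws-103,Personal Cloud Sync,1.9.0
"""


def parse_version(version):
    """Turn '16.0.1' into (16, 0, 1) so versions compare numerically,
    not as strings (where '9.0' would sort after '10.0')."""
    return tuple(int(part) for part in version.split("."))


def parse_inventory(text):
    """Parse the export into (hostname, application, version) tuples,
    skipping blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, app, version = (field.strip() for field in line.split(",", 2))
        rows.append((host, app, version))
    return rows


def reconcile(inventory, catalog):
    """Return (unapproved, outdated).

    unapproved: (host, app, version) entries not in the catalog, i.e.
                software IT does not know about and therefore is not patching.
    outdated:   (host, app, version, minimum) entries that are approved but
                installed below the minimum supported version.
    """
    unapproved = []
    outdated = []
    for host, app, version in inventory:
        minimum = catalog.get(app)
        if minimum is None:
            unapproved.append((host, app, version))
        elif parse_version(version) < parse_version(minimum):
            outdated.append((host, app, version, minimum))
    return unapproved, outdated


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY_EXPORT)
    unapproved, outdated = reconcile(rows, APPROVED_CATALOG)
    for host, app, version in unapproved:
        print(f"SHADOW IT  {host}: {app} {version} is not in the approved catalog")
    for host, app, version, minimum in outdated:
        print(f"OUTDATED   {host}: {app} {version} is below minimum {minimum}")
```

Running the block on the constructed data flags the screen recorder and the personal cloud sync client as shadow IT and the PDF reader on ws-102 as out of date. The output is the starting point for both a patching ticket and a conversation with the user, which is where the awareness training the article recommends comes in.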

Shadow IT also covers unauthorized cloud services, even those provided by reputable vendors. Last year, Okta suffered a series of damaging breaches that were traced to an employee signing into their personal email account on a company-owned device. Through that attack, the threat actor was able to gain access to the Okta customer support system and attack at least 5 of Okta’s customers. A recent study by Kaspersky found that 85% of surveyed businesses had suffered a cyber incident in the past 2 years, and 11% of those incidents were attributed to the use of shadow IT.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone