Members of the board sit in a highly privileged position, and have access to some of the most sensitive corporate information around. However, statistics show that as many as 68% of those in FTSE 350 firms have no in-depth knowledge of how to keep that data secure. That not only represents a major security risk, but also reduces the chances of effective security awareness being adopted company-wide.
The C-Suite sets the stage for the culture of any organization, including how security savvy it is; this is exactly why the board must lead by example in embracing and promoting comprehensive cybersecurity training and awareness programs to employees as part of the overall defense strategy. As role models and frequent targets of attack themselves, there’s a two-fold impetus for getting board members on board.
Thirty-eight billion problems
There’s no doubt that organizations are under greater threat today from cyberspace than they’ve ever been. Trend Micro alone blocked over 38 billion threats in the first half of 2017. Many of these threats sought to take advantage of low levels of cybersecurity awareness among employees, knowing that all it takes is one click to let the hackers in.
That’s why phishing is so popular. In fact, over three-quarters (76%) of organizations that we polled at the start of the year with our State of the Phish report claimed to have been hit by such an attack, with more than half (51%) saying that the rate of attacks is increasing. Phishing can hand hackers the keys to the kingdom, especially if they manage to elicit privileged account log-ins, allowing them to access the corporate network, giving them a direct route to highly sensitive data.
Ransomware is another threat which often arrives in the form of a malicious email. These attacks are incredibly costly, with, for example, Danish shipping giant Maersk being set to lose up to $300 million due to global ransomware attack NotPetya. It takes just one user to open one malicious email attachment or click on a malicious link to infect an entire global organization.
That’s not to mention the countless times human error has led to serious privacy incidents; the website of UK data protection watchdog ICO has an exhaustive list of such cases.
Why training matters
With so much at stake financially, as well as from a brand standpoint, organizations can ill afford to allow data breaches or damaging service outages to result from staff error. That’s why board members must be made to understand that comprehensive cybersecurity training for all staff is essential for effective cyber-defense.
Board members need to lead these efforts, so they can act as role models within the organization, and to ensure that they’re prepared to deal with business email compromise and other targeted attacks. It doesn’t matter what type of organization you’re in: you are now in the cross-fire of cybercriminals.
It’s the cybersecurity department’s duty to spread this message to the board. In conversations with the C-Suite, it’s crucial to keep things short and focus on the business impact of poorly trained staff. But even if training programs get the green light, there are many options available, and not all programs will deliver the desired results.
Some training schemes don’t stretch beyond staff inductions or annual refreshers. Instead, it’s important to establish a continuous learning approach, using interactive bite-sized lessons throughout the year, followed by practical feedback. Regular reporting is also important to ensure an organization don’t lose sight of its objectives.
There are certain steps that some organizations are taking that are positioning them as cybersecurity leaders. The Royal Bank of Scotland (RBS) saw that they were experiencing an increase in “drive by” malware entering their system via email, so they implemented an ongoing, effective security awareness program to improve the bank’s 80,000 email users’ cyber-security skills. They initiated the training project in February 2016, and the results were staggering, with employee click rates on simulated phishing emails plummeting from 47% in August 2016 to 22% in October 2016. Today, RBS has fewer than 10% of their end users falling for simulated phishing attacks.
Behavioral change takes time, and it should not be seen as a tick-box compliance exercise. Your goal is long-term transformation of the corporate culture which evolves the organization, in time, to one where everyone understands the importance of strong cybersecurity.