Despite many companies investing more money than ever in advanced cybersecurity tools and technology, experts believe cyber-attack costs for US businesses will rise dramatically in 2023.
Professional cyber-criminals and nation-state threat actors carrying out highly sophisticated attacks continue to make the biggest headlines. However, based on trends, it’s safe to assume many incidents will still result from incredibly effective and hard-to-spot threats such as phishing and social engineering attacks.
Attacks such as these – despite requiring less technical ability – are still effective at getting past even the most advanced cybersecurity technology today because they prey on human error, which, according to a study by IBM, is responsible for 95% of all cybersecurity breaches.
To combat these threats and reduce the likelihood of human error leading to an incident, companies supplement their cybersecurity technology with employee training programs. When implemented effectively, these programs can improve employee cyber knowledge and reduce the risk of an employee falling victim to an attack. At a time when the average breach costs millions, this training is more important than ever.
Here are three tips to consider to help improve your company’s cybersecurity training program:
1. Simulate Attacks to Improve Behaviors
The old adage ‘practice makes perfect’ rings true, especially when it comes to cybersecurity training.
But how can companies practice spotting and preventing various types of cyberattacks? Through simulations!
There are few better ways to teach employees how to recognize, avoid and report potential threats than simulating the attacks they may encounter in the real world.
Thankfully, several companies and programs, many delivered in an easy-to-use software as a service (SaaS) model – exist today to help organizations strengthen their security by generating phishing, malware and other common cyber-attacks employees may face. These test campaigns are then carried out against staff members, who are required to spot and prevent these hacking attempts.
These simulations of real-world, relevant scenarios can help increase employee vigilance and better prepare staff for threats they may face in a no-stakes environment. An environment of positive reinforcement means employees are more likely to report suspected phishing/smishing attempts ⎯ even when it turns out their suspicions were unwarranted. This may mean more reports to check, but more aware – and wary employees.
2. Reduce Fear Fatigue with Small Steps and Add Context Around Threats
It seems like every week a new cyber-attack makes headlines. This inundation of news has led to a dangerous phenomenon known as ‘fear fatigue,’ defined as the “desensitization from repeated exposure to the same message over time.”
According to a survey conducted by Malwarebytes, 80% of the respondents reported some level of fear fatigue related to cybersecurity. This fear fatigue is dangerous and can result in careless behavior capable of leading to significant cybersecurity vulnerabilities and risks.
To combat fear fatigue and remind employees that their actions are critical to the overall security of the company, organizations can begin by taking small steps. Companies should consider starting by implementing company-wide password protocols. Mandating employees change their passwords every several months and implementing two-factor authentication are simple but powerful reminders for employees to be active participants in their company’s overall cybersecurity posture.
Companies could also consider adding context to communications around cybersecurity to help employees understand the real-world consequences of a potential incident. One example is noting the potential monetary impact a cyber-incident may have on employee bonuses and salaries, among other things.
3. Implement a Zero-Trust, Least-Privilege Environment and Become Secure by Design
Despite every company’s best efforts, relying on employees to prevent cyber-attacks will never be a completely foolproof plan. Therefore, every organization should also implement zero trust cybersecurity and an environment of least privileges.
At its core, the zero trust cybersecurity security model closely guards company resources while operating under the ‘assume breach’ mentality. This means every request to access company information or services is verified to help prevent any unauthorized network access.
Similarly, an environment of least privileges can safeguard against unwanted access to software, services, servers, hardware, etc. from accounts that don’t need that access. Ensuring proper access controls with regular assessments and updates helps restrict the attack surface significantly.
At a time when more companies are embracing long-term hybrid workplaces, zero trust and least privilege are powerful tools to help prevent and mitigate vulnerabilities.
Moving forward, organizations should create products and software that are Secure by Design, with safety features built in. Taking a Secure by Design approach means focusing on people, infrastructure and software development to enhance the company’s security infrastructure. If organizations follow this new model, it can help prevent and mitigate future cyber-attacks.