The Value of User Training

Modern businesses are made up of people, processes and technology. Securing a business effectively requires resilience in all three areas; neglecting one creates vulnerabilities that give attackers an easy way in and quickly undo the hard work and resources invested in the other two.

Traditionally, IT has focused on the process and technology areas of cybersecurity that come naturally to technologists: intrusion prevention systems, firewalls, endpoint protection, multi-factor authentication, self-service password resets and identity management.

The people area, however, which relies on soft skills such as building user awareness and implementing training curricula, has often lagged in focus and priority. This growing gap between the security of technology and the resilience of people has pushed threat actors towards human vulnerabilities: between 85% and 90% of cyber attacks in 2021 began with social engineering techniques aimed at exploiting user behaviour.

Given the changing nature of cyber threats, modern businesses and IT providers alike can no longer afford to bury their heads in the sand regarding their users' cybersecurity awareness and skills.

Modern Threats:

The primary cyber threat employees face every day is phishing. Phishing is a form of social engineering used to steal data or to compromise employees' usernames and passwords. The attacker sends an email, instant message, text message or social media message impersonating a trustworthy source, such as a reputable business or even another employee.

The intent is to trick the recipient into clicking a malicious link that either installs malware such as ransomware or captures details that let the attacker access corporate data and bypass other cybersecurity defences. Once access is established, it is generally only a matter of time before a data breach occurs, which can be devastating to a business.

In these credential-based attacks the employee is the first and most effective line of defence, because technical controls may not distinguish an attacker logging in with legitimate employee credentials from the employee themselves, and so may not detect the attacker accessing and stealing corporate data.

Similarly, business email compromise attacks, in which attackers pose as legitimate contacts and ask the business to update supplier or employee bank details so that legitimate payments are diverted, are rarely detectable by technical solutions. This leaves employees' cybersecurity knowledge as the business's only defence. Because they evade technical defences, and because of the low level of cybersecurity training in many organisations, business email compromise attacks are now the leading cause of cybercrime losses for Australian businesses.

Implementing an Effective Training Curriculum:

Implementing an effective cybersecurity training and awareness program does not have to be costly: security training should take only a small percentage of the cybersecurity budget, and it can provide one of the best returns on investment.

Training can be delivered to employees in many forms, including digital collateral such as user guides and infographics, interactive platforms such as quizzes and gamified modules, and classroom-based tutoring.

When selecting a training methodology, businesses should consider how many bespoke topics need to be covered. Classroom-based training can be tailored extensively to the very specific needs of a business, while interactive platforms generally provide curated offerings designed to meet regulatory and cyber-insurance requirements, while still allowing custom content to be combined with pre-made content. Off-the-shelf offerings are also available at low cost for smaller businesses with more generic requirements.

An effective security training curriculum contains four key elements:

1. Onboarding:

In the first few days after joining a company, employees should receive cybersecurity training covering their responsibilities, the risks they will face in their role, and how to recognise and respond to threats.

2. Retraining:

An initial overview during onboarding rarely has a lasting effect on habits. To be effective, staff should be retrained regularly to refresh their knowledge, covering different areas of cybersecurity as well as newly observed attack techniques.

3. Measuring:

Modern security training programs contain built-in mechanisms to test and measure their effectiveness. Regular simulations of phishing, social engineering or malware outbreaks highlight areas of strength and weakness in the curriculum, and tracking the results from one round to the next shows the ongoing improvement and the return on investment of the program.

4. Targeting:

Not all staff pose the same level of risk to the organisation, so not all staff should be trained in the same way. Those with administrative credentials or access to finance systems may need more frequent or more intensive training, and staff who perform poorly in simulations can be singled out for additional support.
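The Measuring and Targeting steps above both depend on turning raw simulation results into numbers. The script below is an added illustration for this article, not CyberGuys' tooling or any vendor's export format: it parses a constructed CSV of phishing-simulation results, reports click, credential-submission and report rates per campaign and per department, and lists the users who should get targeted retraining. The column names, the "privileged" flag and the thresholds are assumptions.

```python
"""Measure a phishing-simulation program and pick targets for extra training.

Added illustration for this article, not CyberGuys' tooling. The CSV export
below is constructed sample data; its column names, the 'privileged' flag and
the thresholds are assumptions about how a simulation platform might report.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per user per campaign. clicked = followed the
# lure link, submitted = typed credentials into the landing page, reported =
# used the report-phish button. privileged = admin or finance-system access.
SAMPLE_RESULTS = """\
campaign,user,department,privileged,clicked,submitted,reported
2024-Q1,alice,finance,1,1,1,0
2024-Q1,bob,finance,0,0,0,1
2024-Q1,carol,engineering,1,0,0,1
2024-Q1,dave,engineering,0,1,0,0
2024-Q1,erin,sales,0,1,1,0
2024-Q2,alice,finance,1,1,0,0
2024-Q2,bob,finance,0,0,0,1
2024-Q2,carol,engineering,1,0,0,1
2024-Q2,dave,engineering,0,0,0,1
2024-Q2,erin,sales,0,1,0,0
"""

FLAGS = ("privileged", "clicked", "submitted", "reported")


def load_results(text):
    """Parse the export into dicts with integer 0/1 flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in FLAGS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def campaign_metrics(rows):
    """Click, credential-submission and report rates per campaign, in
    campaign order, so improvement between rounds is visible."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["campaign"]].append(row)
    metrics = {}
    for name in sorted(grouped):
        group = grouped[name]
        n = len(group)
        metrics[name] = {
            "click_rate": sum(r["clicked"] for r in group) / n,
            "submit_rate": sum(r["submitted"] for r in group) / n,
            "report_rate": sum(r["reported"] for r in group) / n,
        }
    return metrics


def click_rate_change(rows):
    """Change in click rate from the first campaign to the latest; negative
    means the program is working."""
    metrics = campaign_metrics(rows)
    ordered = [metrics[k]["click_rate"] for k in sorted(metrics)]
    return ordered[-1] - ordered[0]


def department_click_rates(rows):
    """Click rate per department across all campaigns (curriculum weak spots)."""
    clicks = defaultdict(list)
    for row in rows:
        clicks[row["department"]].append(row["clicked"])
    return {dept: sum(v) / len(v) for dept, v in clicks.items()}


def retraining_targets(rows, repeat_threshold=2):
    """Users needing extra support: anyone who clicked in at least
    repeat_threshold campaigns, plus any privileged user who clicked at all
    (assumed policy: no tolerance for accounts with admin or finance access)."""
    clicks = defaultdict(int)
    privileged = defaultdict(int)
    for row in rows:
        clicks[row["user"]] += row["clicked"]
        privileged[row["user"]] |= row["privileged"]
    return sorted(
        user for user, count in clicks.items()
        if count >= repeat_threshold or (privileged[user] and count >= 1)
    )


if __name__ == "__main__":
    data = load_results(SAMPLE_RESULTS)
    for campaign, m in campaign_metrics(data).items():
        print(campaign, {k: f"{v:.0%}" for k, v in m.items()})
    print("click-rate change:", f"{click_rate_change(data):+.0%}")
    print("by department:", department_click_rates(data))
    print("retraining targets:", retraining_targets(data))
```

On the constructed data the click rate falls from 60% to 40% between rounds while the report rate rises, which is the trend a working program should show; sales stands out as the weakest department, and alice (a privileged repeat clicker) and erin (a repeat clicker) are the two users to target. The report rate matters as much as the click rate: a user who reports a lure gives the security team the early warning that technical controls alone would not.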

Evaluating the ROI of Cybersecurity Training:

Evaluating the ROI of any cybersecurity investment can be challenging, and viewing it through the same lens as a traditional IT investment gives misleading results. Traditional IT investments, such as a new website, drive business productivity and revenue, so their ROI can be determined from costs versus the additional sales generated.

Cybersecurity investment, however, provides risk mitigation. It should protect existing productivity and revenue, rather than create it.

Cybersecurity is best viewed similarly to physical security measures. Locks and alarms on a warehouse will not provide a direct revenue increase, but they protect profitability by preventing break-ins and theft.

Cybersecurity investments work in the same way.

Cybersecurity training mitigates risk from many forms of cyber threat; business email compromise, ransomware and data breaches are the three most costly. Average costs are published for each type of attack, but they depend heavily on business size and revenue. When determining the ROI of cybersecurity training, a business should first work with its IT provider to estimate the likelihood and the expected cost of each of these attack vectors, and then compare the loss avoided against the cost of the program.
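The calculation the paragraph describes is the standard return-on-security-investment (ROSI) figure: annualised loss expectancy per vector before and after the control, loss avoided, then compared with the program cost. The block below is an added worked example, not CyberGuys' method; every probability, cost and mitigation figure in it is a constructed placeholder that a business would replace with the estimates agreed with its IT provider.

```python
"""Return on security investment (ROSI) for user training, worked through
the three attack vectors the article names.

Added illustration, not CyberGuys' method. All figures are constructed
placeholders: a business should replace them with the likelihood and cost
estimates agreed with its IT provider.
"""

# Constructed estimates per vector: annual probability of at least one
# incident and average cost per incident (AUD). mitigation is the assumed
# fraction by which training reduces that probability.
VECTORS = [
    {"name": "business email compromise", "probability": 0.20,
     "cost": 50_000, "mitigation": 0.60},
    {"name": "ransomware", "probability": 0.10,
     "cost": 200_000, "mitigation": 0.40},
    {"name": "data breach", "probability": 0.05,
     "cost": 300_000, "mitigation": 0.30},
]

TRAINING_COST = 5_000  # constructed annual program cost


def annual_loss_expectancy(vectors, with_training=False):
    """ALE = probability x cost per incident, summed over vectors. With
    training, each vector's probability is scaled down by its mitigation."""
    total = 0.0
    for v in vectors:
        scale = (1 - v["mitigation"]) if with_training else 1
        total += v["probability"] * scale * v["cost"]
    return total


def rosi(vectors, training_cost):
    """(loss avoided - cost) / cost; positive means the program pays for itself."""
    avoided = (annual_loss_expectancy(vectors)
               - annual_loss_expectancy(vectors, with_training=True))
    return (avoided - training_cost) / training_cost


def break_even_mitigation(vectors, training_cost):
    """Uniform reduction in incident likelihood at which the loss avoided
    equals the program cost, i.e. the least effective training can be
    and still break even."""
    return training_cost / annual_loss_expectancy(vectors)


if __name__ == "__main__":
    before = annual_loss_expectancy(VECTORS)
    after = annual_loss_expectancy(VECTORS, with_training=True)
    print(f"ALE without training: ${before:,.0f}")
    print(f"ALE with training:    ${after:,.0f}")
    print(f"ROSI: {rosi(VECTORS, TRAINING_COST):.0%}")
    print(f"break-even mitigation: "
          f"{break_even_mitigation(VECTORS, TRAINING_COST):.1%}")
```

With these placeholder figures the training program avoids 18,500 AUD of expected annual loss for a 5,000 AUD spend (a ROSI of 270%), and it breaks even as long as it cuts incident likelihood by roughly 11% across the board. The mitigation fractions are the weakest input: rather than guessing them, feed in the click-rate reduction measured by the organisation's own phishing simulations.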

IT and cybersecurity teams often focus on implementing new tools and solutions. While these are important, businesses must remember that around 90% of modern cyber attacks are conducted against people, and are often not detected by technical solutions.

Fortunately, there is a low-cost, high-ROI answer to this problem: user security awareness training. Each organisation should conduct its own analysis of the costs and benefits of such a curriculum, but given the drastic reduction it brings in the likelihood of very costly incidents, very few organisations would not benefit from the investment.

CyberGuys is currently running a 30% off User Training discount for Brisbane-based businesses. If this article has helped you identify weaknesses in your cybersecurity, contact CyberGuys today to discuss how we can help you.
