Your organization needs to take security awareness training (SAT) more seriously. I mean truly serious, not relegated to the quasi-, semi-serious status that the vast majority of organizations give it today.
I know I work for a company that is dedicated to security awareness training, much of which seeks to decrease the risks from social engineering, and we stand to uniquely benefit from more organizations following my advice, but hear me out.
Computer Security Is Risk Management
Computer security is about risk management. You can’t get rid of all risks, so our job is to enumerate the various risks and focus on mitigating the ones most likely to cause the greatest probable damage in a given timeframe. The threats and risks with the highest potential for damage should be mitigated first and best. Nothing else makes sense.
Social Engineering Is the Number One Problem
It is clear that social engineering and phishing are the number one security problem for most organizations, and it has been that way for as long as computers have existed. Survey after survey repeatedly shows that social engineering and phishing are the top threat to most organizations. A recent UK survey showed that at least 79% of successful malicious attacks were accomplished using phishing. Javvad Malik, Security Awareness Advocate at KnowBe4, did a meta-study of 100 other computer security surveys by other organizations and found that, whatever exact percentages each study reported, they all ranked social engineering and phishing as the top computer security threat.
There are a lot of ways you can be attacked, including unpatched software, password attacks, man-in-the-middle attacks, eavesdropping, misconfiguration, insider attacks, and so on. But social engineering and phishing are the most common root cause of successful data breaches, by a huge margin.
The question is, do you truly feel your organization is treating it as the number one threat? Most organizations aren’t. They call it a top risk, but they give it budget and focus as if it were a moderate problem or only a minor part of the top problems, not THE number one problem. This fundamental misalignment of risk and mitigation is the primary reason cyberattacks are so successful.
Your Policy and Technical Controls Will Fail Multiple Times
Every cybersecurity risk must be met with a multi-layered, defense-in-depth combination of policies, technical defenses, and education, to prevent, detect, and recover from cybersecurity events. I cover it better here.
There is no doubt that, despite your best efforts to prevent social engineering and phishing from reaching your end-users and co-workers, some amount of “badness” will reach them. I’ve been hearing for over 30 years how someone has invented some new defense that will make phishing a problem of the past. But solutions come and go, and social engineering and phishing still end up reaching end-users despite everyone’s best efforts to prevent it. If social engineering and phishing were easy to prevent, we would have done it already and it would be a thing of the past. Instead, it is more popular than ever and causing more damage than ever.
Because your best policies and technical controls will absolutely fail, you need to train your employees in how to recognize cyber badness that makes it to them and how to handle it, which is hopefully to report it, delete it, or at least ignore it. Hopefully, they report it to a centralized collection point so IT security can be aware of the occurrences, types, and amounts of social engineering and phishing reaching co-workers. We have a free Phish Alert Button tool that works with Gmail and Microsoft Outlook clients to help simplify and automate that process.
SAT Needs to Be a Primary Focus
Since social engineering and phishing are the top threat to almost all organizations, they need to be treated as such. They should get top management focus, more budget, and more resources. I’m not saying that a company needs to spend 80% of its IT security dollars on security awareness training, but the average organization likely spends less than 5% of its budget on security awareness training. And it is absolutely that fundamental misalignment of resources and mitigations against the top threat that allows cybersecurity to be so bad. SAT needs to be a primary focus. Senior management needs to make it a top focus. It needs to be something they are thinking about all the time. CEOs and boards of directors need to ask about it every reporting period.
Much of this begins by letting senior management know that it needs to be a top focus. Most senior managers and C-levels see SAT as just a small part of their cybersecurity defense. They need to understand that social engineering and phishing are the number one threat and how you plan to address that reality. And that means that the entire organization needs to recognize that social engineering and phishing are THE top threat and how important it is to focus on a great SAT process. You need to reset everyone’s understanding of the top cybersecurity threats and of how some threats are bigger than others. And then the top threat needs to be treated like the top risk, with frequent updates on how mitigations are working. If that isn’t happening now, you’re doing it wrong.
You Need Full-Time Dedicated SAT Staff
If you don’t already have this, you need one or more people dedicated to security awareness training in your organization. If SAT is the part-time job of someone, then you’re doing it wrong (at least for any organization of moderate size or larger). If social engineering and phishing are your number one threat, it only makes sense to hire someone whose only task is to best deploy and manage security awareness training.
I can understand how a moderately sized organization might not be able to afford the expense of a full-time, dedicated employee running an SAT program. But what is the cost of just one ransomware event? Probably more than the cost of a dedicated FTE (full-time employee). If you truly can’t afford the cost of a dedicated FTE, hire a firm that can be that resource for you. That doesn’t mean hiring a firm that provides SAT services, checking the checkbox, and then seeming to do it part-time. You want to hire and pay a firm that acts like the full-time, dedicated SAT FTE that you needed in the first place. They need to become an integral partner with you to defeat the number one threat, one who can focus on that threat in the way that you need them to. There are a lot of good cybersecurity partners out there. Give your business to the one that understands the importance of SAT and is “in your face” with how they do SAT.
SAT Needs to Be Aggressive
Your SAT needs to be aggressive. Giving training once a year or once a quarter is essentially the same as not doing anything. You need to do comprehensive cybersecurity training for every newly hired employee and annually thereafter. That comprehensive training should be at least 30-45 minutes long and cover a lot of popular cybersecurity subjects (e.g., strong passwords, patching, locking your screen when away from your device, and phishing, of course). Then every employee should be given at least monthly or weekly training. This should focus on mitigating the most popular types of cybersecurity attacks and can be much shorter in duration (i.e., 2-5 minutes). That training should be followed by simulated phishing campaigns that measure the success of the training and reinforce the learnings. Simulated phishing campaigns are part of the education.
SAT Needs to Be Measured
All cybersecurity mitigations need a metric and need to be measured over time. It starts by tracking who takes what training and finding out who is lagging. Conducting simulated phishing tests helps you determine who is more susceptible to social engineering and phishing. If done maturely, you can assign a “risk rating” to each individual employee (see an example of KnowBe4’s Virtual Risk Officer implementation). It should be possible to calculate a risk score for each individual employee based on the training they took, how well they did on simulated phishing campaigns, and their personal level of risk to the organization based on their role and duties. Each individual risk score should then be summarized for the department, business unit, location, and organization overall. And that risk score should be trackable over time. If you’re doing it right, that risk score should decrease over time, showing senior management that their investment and approach to mitigating cybersecurity risk is working.
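As an added illustration of the measurement loop described above (this is not KnowBe4’s Virtual Risk Officer model; the weights, the 0-100 scale, the column layout and the sample rows are all assumptions constructed for this example), the snippet below scores each employee from training completion, simulated-phishing results and role risk, rolls the scores up by department and organization, flags who is lagging on training, and shows the month-over-month trend senior management should be asking for.

```python
from collections import defaultdict
from statistics import mean

# Assumed weights: how much each component contributes to the 0-100 risk score.
W_TRAINING, W_PHISH, W_ROLE = 0.3, 0.4, 0.3

# Constructed sample data (hypothetical): one row per employee per month.
# (month, employee, department, training_completed_pct, phish_tests, phish_fails, role_weight)
RECORDS = [
    ("2024-01", "alice", "finance", 50, 4, 2, 0.9),
    ("2024-01", "bob",   "finance", 100, 4, 0, 0.6),
    ("2024-01", "carol", "eng",     0, 4, 3, 0.4),
    ("2024-02", "alice", "finance", 100, 4, 0, 0.9),
    ("2024-02", "bob",   "finance", 100, 4, 1, 0.6),
    ("2024-02", "carol", "eng",     100, 4, 1, 0.4),
]

def employee_score(training_pct, tests, fails, role_weight):
    """Risk score 0..100 (higher = riskier): training gap, phish fail rate, role exposure."""
    training_gap = 1.0 - training_pct / 100.0
    fail_rate = fails / tests if tests else 0.0
    raw = W_TRAINING * training_gap + W_PHISH * fail_rate + W_ROLE * role_weight
    return round(100 * raw, 1)

def rollup(records):
    """Return {month: {"employee": {...}, "dept": {...}, "org": score}}."""
    out = {}
    for month, emp, dept, pct, tests, fails, role in records:
        m = out.setdefault(month, {"employee": {}, "dept": defaultdict(list)})
        score = employee_score(pct, tests, fails, role)
        m["employee"][emp] = score
        m["dept"][dept].append(score)
    for m in out.values():
        m["dept"] = {d: round(mean(v), 1) for d, v in m["dept"].items()}
        m["org"] = round(mean(m["employee"].values()), 1)
    return out

def lagging(records, month):
    """Employees who have not completed all assigned training in the given month."""
    return sorted(emp for mo, emp, _, pct, *_ in records if mo == month and pct < 100)

def trend(rollups):
    """Organization-wide score per month, oldest first; it should fall if SAT is working."""
    return [(mo, rollups[mo]["org"]) for mo in sorted(rollups)]

if __name__ == "__main__":
    r = rollup(RECORDS)
    print("lagging in 2024-01:", lagging(RECORDS, "2024-01"))
    print("org trend:", trend(r))
```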