03 October 2023, 7 min read

What are the objectives of cyber security awareness?

An overview of security awareness statistics, what training prevents and which topics you need to cover ...

At the moment, you cannot go a handful of days without hearing about an attempted cyberattack or a successful breach. Prioritising cyber security awareness and training is not just paramount for organisations; it is necessary.

Security awareness statistics

Let us start by painting a vivid picture of the current cyber threat landscape:

  • In 2022, 493.33 million ransomware attacks were detected by organisations worldwide.
  • 300,000 new malware samples are generated daily; 92% are distributed through email, and they take an average of 49 days to be detected.
  • The global average data breach cost was $4.35 million in 2022.
  • The healthcare industry has been the costliest for breaches for 12 consecutive years, with an average data breach cost reaching $10.10 million in 2022.
  • Phishing attacks are responsible for 90% of data breaches.
  • 45% of LastPass survey respondents say they have not changed passwords in the last year, even after a security breach.
  • As the number of connected devices continues to grow, the occurrence of IoT (Internet of Things) malware has skyrocketed by 87% in 2022 compared to the previous year, reaching an all-time high of 112.3 million cases.

What does security awareness training prevent?

Security awareness training is a proactive defence against a multitude of cyber threats that can potentially wreak havoc on an organisation. Let us run through a couple with some scenarios for context.

  1. Data breaches: Data breaches are among the most damaging incidents an organisation can face. They can lead to the exposure of sensitive customer information, intellectual property theft, and severe reputational damage. Security awareness training equips employees with the knowledge and skills to recognise and respond to common cyber threats, reducing the likelihood of data breaches caused by human error or negligence. Consider a well-crafted phishing email landing in an employee's inbox, seemingly from a trusted source. Without security awareness training, the employee might unknowingly click on a malicious link, downloading malware or exposing information leading to a breach. However, with proper training, the employee recognises the signs of phishing, avoids falling into the trap and reports the incident to their security team, thus preventing a potentially devastating data breach.
  2. Phishing attacks: Phishing attacks remain a favourite tactic of cybercriminals, accounting for a sizeable portion of successful breaches. These attacks often involve cleverly disguised emails or messages that trick individuals into revealing sensitive information, such as login credentials or financial details. Security awareness training empowers employees to spot the red flags of phishing attempts, such as suspicious email addresses, requests for personal information, or urgent, unsolicited messages. In a hypothetical scenario, an employee receives an email claiming to be from their bank, requesting immediate login details. Without security awareness training, they might comply, unwittingly providing cybercriminals with access to their account. However, with training, they recognise the telltale signs of a phishing attempt and report it, thwarting the attack.
  3. Insider threats: Not all threats come from external actors; insider threats can be just as damaging. These threats may arise from malicious employees seeking to harm the organisation or from well-intentioned employees who make mistakes that compromise security. Security awareness training educates employees about recognising suspicious behaviour, reporting concerns, and understanding the potential consequences of their actions. Imagine a scenario where an employee, disgruntled due to workplace issues, decides to exfiltrate sensitive company data. In an organisation without adequate training, this insider threat may go unnoticed until it is too late. However, in a security-aware environment, colleagues and supervisors are vigilant for signs of unusual behaviour, leading to the early detection and prevention of the threat.
  4. Social engineering: Social engineering attacks exploit human psychology to manipulate individuals into divulging confidential information or performing actions that compromise security. These attacks can take various forms, such as pretexting, baiting, or tailgating. Security awareness training arms employees with the knowledge to recognise and resist these manipulative tactics, reducing the likelihood of successful social engineering attacks. In a hypothetical scenario, an attacker posing as a delivery person gains access to an organisation's office by pretending to deliver a package. Without security awareness training, employees may inadvertently allow the attacker to enter restricted areas. With training, employees verify identities and question unexpected requests, making it more challenging for social engineers to succeed.

What topics does security awareness training need to cover?

Security awareness training should cover a wide range of topics to be effective. These include:

  • Phishing and social engineering: Teaching employees to recognise and avoid deceptive emails, messages, or websites designed to trick them into revealing sensitive information, and raising awareness of the tactics cybercriminals use to manipulate individuals into divulging confidential data or performing actions against their best interests.
  • Password security: Educating employees on creating strong, unique passwords and the importance of regularly updating them, as well as promoting the use of MFA (multi-factor authentication) to enhance account security by requiring multiple forms of verification.
  • Data protection and the GDPR (General Data Protection Regulation): Explaining the principles of the GDPR or its national equivalents and their implications for handling personal data. Training on secure data handling practices, including encryption, data minimisation, and consent management. Also, instructing employees on the proper procedures for reporting data breaches to comply with legal requirements.
  • Mobile and remote security: Addressing security challenges related to smartphones, tablets, and other mobile devices and providing guidelines for securing remote work environments and remote access to company resources.
  • Reporting incidents: Encouraging employees to promptly report any suspicious activities or security incidents to the appropriate channels within the organisation.
  • Malware: Raising awareness about the different types of malware (e.g., viruses, ransomware), what an infection looks like and how to avoid one.
  • Safe use of social media: Educating employees about the risks associated with social media usage, such as oversharing, social engineering attempts and managing their digital footprint.
  • Physical security (tailgating and clear desk): Teaching employees to prevent unauthorised individuals from gaining physical access to facilities, and promoting the importance of clearing desks of sensitive information to prevent data breaches.
  • Data classification: Explaining how to categorise data based on its sensitivity, and the appropriate handling and storage procedures for each classification to ensure confidential information is where it needs to be.
  • Supply chain and third-party risk: Understanding the cyber security risks associated with third-party vendors and suppliers, and supplying targeted training to external partners to maintain a common security standard.
  • Cloud security: Educating employees on best practices for securely using cloud services and platforms.
  • IoT security: Addressing the unique security challenges posed by Internet of Things (IoT) devices in the workplace.
  • Seasonal and holiday cyber security risks: Identifying and mitigating cyber threats that may increase during holiday seasons or special events with timely training and awareness materials.
  • Cyber Security Awareness Month: Recognising the significance of this annual event for promoting cyber security awareness and education and running challenges, champion programmes, and intensive workshops.
  • Insider threats: Understanding the risks associated with employees or individuals within the organisation who may intentionally or unintentionally harm its security.
  • Emerging threats: Staying informed about the latest cyber threats and vulnerabilities to adapt security measures accordingly.

What is the role of managers and leaders in awareness campaigns?

Managers and leaders play a critical role in promoting a culture of security awareness. They should:

  • Lead by example: Demonstrate security-conscious behaviour to set the tone for employees. Complete training with your employees or even before them to show what your organisation’s standards are.
  • Encourage reporting: Create an environment where employees feel safe reporting security incidents; otherwise breaches can fester and do extensive damage.
  • Reinforce training: Continuously remind employees of security practices and their importance and encourage a security culture that regularly assesses itself with surveys and behavioural research.

How to measure security awareness

Measuring the effectiveness of security awareness initiatives is essential. This is where The Security Company's SABR (Security Awareness and Behaviour Research) tool comes into play. It provides quantitative data and analysis to assess employee behaviour, security culture, and security gaps. This tool allows organisations to tailor their training programs based on real data, ensuring a more targeted approach.

Working with the right partner

To truly excel in building security awareness, behaviour change, and a strong security culture, organisations should consider partnering with a reputable cyber security training and awareness company like TSC.

If you would like information about how The Security Company can help you formulate a cyber security training and awareness programme for your organisation, or if you would like a demo of our products and services, please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services is tailored for small, medium and large organisations and is available in a variety of languages. We also offer bespoke solutions for organisations that want training and awareness materials built from the ground up.

Written by Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks, such as AI, deepfakes and tech 4.0 initiatives, in order to build towards a more secure organisational culture.
