Cyber Risk Aware Blog

The Importance of Benchmarking your Security Awareness Training Programme for Risk & Compliance Reasons.

[fa icon="calendar"] 13-Mar-2018 12:37:00 / by Julie Lhanang

Julie Lhanang

A company’s staff is the greatest untapped resource in the fight against cybercrime. Although research has shown that in 90% of successful cyber-attacks or more, there is an element of human fallibility involved, what those studies fail to mention is that a trained and vigilant staff could become the greatest barrier of defence against attack types: such as trojans, viruses, ransomware, and other electronic security threats.

You almost certainly already deploy some technical security measures in your own network defence setup. Nonetheless, technical scans, firewalls, and automated monitoring will never replace a well-trained eye. In our view, these solutions overlook the TRUE key to strong security: A company's own workforce.

A workforce which is truly cyber risk aware is one which is much less likely to ever fall prey to these intrusions. The clear majority of intrusions require an employee's assistance - and usually, that's unknowing assistance. Therefore, by training the employee body on the universal responsibility of security, not only do you raise their understanding and awareness, but you ward off employee apathy by actively involving them as part of a solution, rather than simply an ‘insider threat’.

The challenge, which our CEO discovered while working as a CISO in the industry, is this: how do you document the relative level of human security risk in a company, and turn that documentation into a strong argument for further investment into human security solutions? The answer, he discovered, lay in good risk and compliance reporting backed up by benchmarking.

Getting from Talk to Action.

Articles 39 and 47 of the GDPR requires that you provide ‘awareness raising’ and ‘training’ to your staff. That also means that going forward you may need to be able to demonstrate this.

Running security awareness assessments is the best way to document both the size of the risk to your business but also the progress you have made in raising awareness through training. Now you have hard evidence of how aware your staff are when it comes to either security risks or your policies on how to avoid those risks. With that data you are armed with a baseline for your business that you can work to improve.

There are many platforms available to create tests or surveys or assessments but the advantage of using a Security Awareness Platform to do this these include

  • - Relevant Security Content required to build out the assessments to select from
  • - Content regularly updated to reflect the changing nature and sophistication of threats.
  • - Different assessments can be delivered to different departments depending on risk profile
  • - Results can be used to target remedial training to those users who fail the assessment

This ability to deliver specific training to only those users who require it based on the results of assessments has two significant benefits

  • - It lowers the cost of delivering training due to its specific targeting of those who require it
  • - It improves the effectiveness of the programme because employees understand why they need to improve their knowledge.

Assessments need to be run pre and post training so that you can track the improvements and change in employee’s knowledge of the threats and so demonstrate that your business is meeting its obligations to build a proper data protection culture in your organisation and protect the business from the operational costs of a cyber security breach as well as avoid any reputational damage. Like so many situations data is key and basis of good compliance reporting.

How the right metrics and reporting make all the difference.

These assessments can and should be backed up by simulated campaigns to further understand if people are applying the learning in real life and outside a formal training or exam environment.

For example we know the threat of email phishing is increasingly on the rise and research has shown that it is a greater direct threat than data breaches (Google & UC Berkley, 2017). So, by hosting an initial phishing simulation to establish your own internal benchmark on how phish prone your staff are, you can focus in on this specific area to further combine testing with training campaigns to create a cyber risk-aware staff. The true measure of success is a declining click rate on simulated phishing eMails, and this combined with your assessment results gives you an accurate picture of the risk in your business.

It is a continuous business though; Phishing simulation campaigns should be scheduled to run to different groups using different templates at different and unexpected times or in burst mode to avoid employee’s tipping each other off to the fact that a simulated campaign is ongoing. This way you continue to track the figures weekly and monthly and you can see how your staff are progressing on their journey to becoming a true human firewall for the business. The benefit of deploying a security awareness training platform is that this approach can be automated and scheduled without the need for human trainers every step of the way.

What else can you do with the data?

Let's say 20% of the workforce failed the test and responded to the fake phishing emails in a compromising way. This is where our phishing benchmark reporting solutions come in. By combining your data with the data from many other companies, we can give you hard numbers comparing your risk and compliance reporting against industry averages. As it turns out, 20% would be pretty good - we typically see anywhere between 30%-70% of a workforce fail their first phishing test.

Of course, those numbers could still be far better. After all, you only need one employee falling for a real-life phishing attack to see massive damage.

Training is Necessary

After successfully implementing improved training initiatives, a good Security Awareness platform continues to be useful for benchmarking your progress. Response rates for future tests can be compared against industry averages as well, continuing to chart your progress towards being a truly security-aware company - and increasing the odds that it'll be your competition who falls prey to phishing attacks. Think about it like the burglar walking down the street and only choosing houses without a visible burglar alarm to burgle.

Compliance Reporting

Part of the rationale behind new data protection initiatives like GDPR is to ensure that companies are developing within their organisations a proper data protection culture. Companies are also required to demonstrate that they have taken their responsibilities seriously in this regard and worked to ensure all reasonable steps have been taken to reduce the risks of data loss. That is where your regular testing and reporting on how your workforce responds to phishing eMails is important.

Remember too that phishing testing is only a first step in developing a strong security culture at the organizational level. Beyond improving phishing susceptibility, the practice will allow you to establish clear reporting and escalation processes, and bring security threats and solutions into the consciousness of employees.

Therefore, you will be able to document the typical response of your employees, and their synergistic progress; something which should let Business leaders sleep better at night.

We founded Cyber Risk Aware to help you help create smarter, more security-aware employees - and that includes helping you justify the training needed to make that happen. To learn more, contact us directly to request a free trial or demo!

Topics: Staff Awareness, GDPR, Phishing Simulation, security awareness training

Julie Lhanang

Written by Julie Lhanang