A company’s staff is the greatest untapped resource in the fight against cybercrime. Although research has shown that in 90% or more of successful cyber-attacks there is an element of human fallibility involved, what those studies fail to mention is that a trained and vigilant staff could become the greatest barrier of defence against attack types such as trojans, viruses, ransomware, and other electronic security threats.
You almost certainly already deploy some technical security measures in your own network defence setup. Nonetheless, technical scans, firewalls, and automated monitoring will never replace a well-trained eye. In our view, these solutions overlook the true key to strong security: a company's own workforce.
A workforce which is truly cyber
The challenge, which our CEO discovered while working as a CISO in the industry, is this: how do you document the relative level of human security risk in a company, and turn that documentation into a strong argument for further investment into human security solutions? The answer, he discovered, lay in good risk and compliance reporting backed up by benchmarking.
Getting from Talk to Action.
Articles 39 and 47 of the GDPR require that you provide ‘awareness raising’ and ‘training’ to your staff. That also means that, going forward, you may need to be able to demonstrate this.
Running security awareness assessments is the best way to document both the size of the risk to your business and the progress you have made in raising awareness through training. You then have hard evidence of how aware your staff are when it comes to either security risks or your policies on how to avoid those risks. With that
There are many platforms available to create tests, surveys or assessments, but the advantages of using a Security Awareness Platform to do this include:
- Relevant security content to select from when building out the assessments.
- Content regularly updated to reflect the changing nature and sophistication of threats.
- Different assessments can be delivered to different departments depending on
- Results can be used to target remedial training to those users who fail the assessment.
This ability to deliver specific training only to those users who require it, based on the results of assessments, has two significant benefits:
- It lowers the cost of delivering training, because only those who require it receive it.
- It improves the effectiveness of the programme, because employees understand why they need to improve their knowledge.
Assessments need to be run pre and
How the right metrics and reporting make all the difference.
These assessments can and should be backed up by simulated campaigns to further understand if people are applying the learning in real life and outside a formal training or exam environment.
It is a continuous business, though. Phishing simulation campaigns should be scheduled to run to different groups, using different templates, at different and unexpected times or in burst mode, to avoid employees tipping each other off that a simulated campaign is ongoing. This way you continue to track the figures weekly and monthly, and you can see how your staff are progressing on their journey to becoming a true human firewall for the business. The benefit of deploying a security awareness training platform is that this approach can be automated and scheduled without the need for human trainers at every step of the way.
What else can you do with the data?
Let's say 20% of the workforce failed the test and responded to the fake phishing emails in a compromising way. This is where our phishing benchmark reporting solutions come in. By combining your data with the data from many other companies, we can give you hard numbers comparing your risk and compliance reporting against industry averages. As it turns out, 20% would be pretty good - we typically see anywhere between 30%-70% of a workforce fail their first phishing test.
Of course, those numbers could still be far better. After all, you only need one employee falling for a real-life phishing attack to see
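The reporting loop described above (per-department results, remedial training targeted only at the users who failed, pre- and post-training comparison, and placing the first-test failure rate against the 30%-70% band quoted earlier) can be reduced to a few metrics over campaign results. The following Python script is an added example, not Cyber Risk Aware's code or reporting format: the record layout, the employee names, departments and outcomes are all constructed for illustration, and the benchmark band is simply the range stated in this post.

```python
"""Metrics for a phishing-simulation / awareness programme (added example).

Not Cyber Risk Aware's code. The record format, names, departments and
campaign outcomes below are constructed; the benchmark band is the
30%-70% first-test failure range quoted in the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Result:
    """One employee's outcome in one simulated phishing campaign."""
    user: str
    department: str
    campaign_date: date
    phase: str       # "pre" = before remedial training, "post" = after
    failed: bool     # clicked the simulated lure or submitted credentials
    reported: bool   # used the report-phishing button instead


def _campaign(phase, campaign_date, rows):
    return [Result(u, d, campaign_date, phase, f, r) for (u, d, f, r) in rows]


# Constructed sample data: ten employees, one campaign before remedial
# training and one after. Everything here is invented for the example.
RESULTS = _campaign("pre", date(2018, 3, 5), [
    ("alice", "finance", True, False),
    ("bob", "finance", True, False),
    ("carol", "finance", False, True),
    ("dave", "finance", False, False),
    ("erin", "engineering", False, True),
    ("frank", "engineering", False, False),
    ("grace", "engineering", True, False),
    ("heidi", "sales", True, False),
    ("ivan", "sales", False, False),
    ("judy", "sales", False, False),
]) + _campaign("post", date(2018, 6, 4), [
    ("alice", "finance", False, True),
    ("bob", "finance", True, False),
    ("carol", "finance", False, True),
    ("dave", "finance", False, False),
    ("erin", "engineering", False, True),
    ("frank", "engineering", False, False),
    ("grace", "engineering", False, True),
    ("heidi", "sales", False, False),
    ("ivan", "sales", False, True),
    ("judy", "sales", False, False),
])

# First-test failure band quoted in the post (30%-70% of a workforce).
BENCHMARK_LOW, BENCHMARK_HIGH = 0.30, 0.70


def failure_rate(results):
    """Share of recipients who fell for the simulation (0.0 if no data)."""
    return round(sum(r.failed for r in results) / len(results), 4) if results else 0.0


def report_rate(results):
    """Share of recipients who reported the simulated email."""
    return round(sum(r.reported for r in results) / len(results), 4) if results else 0.0


def by_phase(results, phase):
    return [r for r in results if r.phase == phase]


def failure_rate_by_department(results, phase):
    """Per-department failure rate for one campaign phase."""
    groups = defaultdict(list)
    for r in by_phase(results, phase):
        groups[r.department].append(r)
    return {dept: failure_rate(rs) for dept, rs in sorted(groups.items())}


def remedial_training_targets(results, phase="pre"):
    """Users who failed the given phase: the only ones sent the remedial module."""
    return sorted({r.user for r in by_phase(results, phase) if r.failed})


def repeat_offenders(results):
    """Users who failed both before and after training; candidates for escalation."""
    pre = {r.user for r in by_phase(results, "pre") if r.failed}
    post = {r.user for r in by_phase(results, "post") if r.failed}
    return sorted(pre & post)


def benchmark_position(rate, low=BENCHMARK_LOW, high=BENCHMARK_HIGH):
    """Place a failure rate relative to the benchmark band."""
    if rate < low:
        return "better than the benchmark band"
    if rate > high:
        return "worse than the benchmark band"
    return "within the benchmark band"


def progress_report(results):
    """Pre/post comparison of the kind a CISO would put in a compliance report."""
    pre, post = by_phase(results, "pre"), by_phase(results, "post")
    return {
        "pre_failure_rate": failure_rate(pre),
        "post_failure_rate": failure_rate(post),
        "pre_report_rate": report_rate(pre),
        "post_report_rate": report_rate(post),
        "benchmark": benchmark_position(failure_rate(pre)),
        "remedial_targets": remedial_training_targets(results),
        "repeat_offenders": repeat_offenders(results),
    }


if __name__ == "__main__":
    for key, value in progress_report(RESULTS).items():
        print(f"{key}: {value}")
    print("by department (pre):", failure_rate_by_department(RESULTS, "pre"))
```

Tracking the report rate alongside the failure rate is deliberate: a falling click rate with a rising report rate is the evidence that the escalation process mentioned later in this post is actually being used, whereas a falling click rate on its own could just mean the template was recognised.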
Training is Necessary
After successfully implementing improved training initiatives, a good Security Awareness platform continues to be
Part of the rationale behind new data protection initiatives like GDPR is to ensure that companies are developing within their organisations a proper data protection culture. Companies are also required to demonstrate that they have taken their responsibilities seriously in this regard and worked to ensure all reasonable steps have been taken to reduce the risks of data loss. That is where your regular testing and reporting on how your workforce responds to phishing
Remember too that phishing testing is only a first step in developing a strong security culture at the organizational level. Beyond improving phishing susceptibility, the practice will allow you to establish clear reporting and escalation processes, and bring security threats and solutions into the consciousness of employees.
Therefore, you will be able to document the typical response of your employees and their collective progress, which should let business leaders sleep better at night.
We founded Cyber Risk Aware to help you create smarter, more security-aware employees - and that includes helping you justify the training needed to make that happen. To learn more, contact us directly to request a free trial or demo!