Why HR Needs To Care About Security Training

By ISBuzz Team, May 24, 2017 (5 Mins Read)

Convincing HR that new-school security awareness training is an important part of an organisation’s culture to keep company assets safe from security breaches

It’s a dangerous world out there. Security breaches are rampant, with skilled cybercriminals stealing personal data and crippling brand reputations. The WannaCry ransomware attack is the latest example in a long line of cyber attacks that are making boards nervous across the business landscape.

Organisations know they need to invest in security. Yet many don’t realise that security goes beyond the right technology products. People have always played a pivotal role in security, so much so that many IT teams refer to employees as the “weak link” of cybercrime. Even the benefits of a best-of-breed approach to security can be undone by one employee who falls for a social engineering attack like a phishing scam. That one incident can throw the company into chaos, from a ransomware nightmare to a massive data theft that exposes both employees and customers.

Most companies view this as strictly an IT responsibility. Yet any issue that involves people at its heart is often an HR issue as well – especially when it comes to training programs.

Security awareness training that is effective in protecting against current risks can make all the difference. True, security policies and procedures are important, but employees need to be trained to follow them or they won’t mean anything. Training is especially urgent considering the growing sophistication of organised cybercrime. Spoofed email addresses can convincingly resemble a request from a CEO. As CEO fraud has been cited as a $5.3 billion business, it’s clear that busy employees are unwittingly falling for phishing scams. It takes a new-school awareness training program to boost awareness of these clever tactics, which is probably why 88 percent of respondents in a recent KnowBe4 survey rated security awareness training as the most effective protection from ransomware.

Memorable Training, Stronger Teams

It’s said there are three ways to learn something new: read about it, observe someone else doing it or make a mistake. Current security training often taps the last dynamic. Since many old-school compliance-driven programs have proven to be ineffective, modern awareness training programs often simulate phishing attacks on employee populations to see the percentage of people who click. It’s a more memorable and personal lesson, one that helps employees realise their own gullibility and overcome it.

Thousands of IT teams find these methods to be highly effective. Yet just as many HR and legal teams have hesitated to implement such programs. They often worry that because the training involves an element of disguise, it conflicts with the positive culture they’re trying to build. They feel that some employees might feel embarrassed after clicking on a bad link in an email created by their own company.

But is it embarrassing? Normally, after employees fall for a simulated attack they will see something like a screen saying “OOPS, YOU FELL FOR A PHISHING ATTACK.” Often at that moment they realise that the training is protecting them from the actual pain of a real-world attack with potentially disastrous consequences for their personal identity and their company data. In fact, many employees give positive feedback when they are shown examples of criminal cunning, such as spoofed domains, fake PayPal notices and documents infected with malware. It’s not uncommon that after the training they ask how they can share what they have learned with their family and friends. Security isn’t just a business concern; most users are concerned with protecting their personal identity and assets, as well.

The uncomfortable truth is that real-life malicious actors do resort to trickery and deceit. HR teams may hesitate to employ this kind of training, but in failing to prepare their employees, they may be making the organisation more vulnerable than ever. And often those same organisations that initially reject training end up requesting it later anyhow, after an attack. That’s unfortunate, because at that point, the criminals have unleashed the ultimate training at a very high price – and any employee involved in the real data breach may feel guilty.

Multiple Layers of Protection

While it’s advisable for HR to proactively drive an initiative for security awareness training, there’s also this consideration: companies are legally required to provide reasonable protection against this type of threat for their employees. In that light, new-school awareness training is a requirement to prevent lawsuits as well.

Consider Seagate, a company recently sued by its own employees after a successful online phishing scam. The personal information of 10,000 existing and former employees was stolen by criminals and used to file fraudulent tax returns. How did the breach happen? An employee in HR fell for a social engineering technique that convinced them to send all of the information to criminals. The employees sued on the grounds that the company did not adequately protect their information.

Ultimately any organisation’s security strength and culture can be evaluated by where they fall on the training scale. One that worries about any embarrassment associated with training may be setting itself up for something much worse. But an organisation that trains its employees with modern methods has prioritised safety and data protection – and the well-being of its workforce.

When IT and HR work together and foster a cooperative approach to security awareness and phishing training, it goes a long way in demonstrating the value of education to staff. As the first line of corporate defence, enlightening employees about the cyber threats that exist is important in helping them make better, safer security decisions both at work and in their personal lives.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
