In one of our recent blog articles, ‘Are your cyber ‘unaware’ employees your organisation’s most significant threat?’, we openly discussed how most data breaches are the result of human error or other human elements, not from being ‘hacked.’
According to a recent Verizon investigation, 82% of data breaches are directly attributed to human error, with other global reports citing this figure as high as 95%. Unlike annual Health and Safety training, which is considered ‘static’, cyber threats are considered ‘fluid’ due to the evolving tactics, techniques, and procedures (TTPs) being developed by the threat actors.
In Australia, we’re witnessing threat actors (criminals or malicious individuals) increasingly targeting the users of your systems, applications, and devices. That’s why it’s vital to equip them with the knowledge they need to not only identify threats but also to understand “what to do” when a threat is encountered. Providing strong cyber security awareness training is essential in protecting your organisation from potential harm.
Establishing an effective and measurable cyber awareness program, of which Cyber Security Awareness Training (CSAT) is but one component, is essential towards mitigating your organisation’s exposure to potential cyber risk.
Components of an Effective Cyber Security Awareness Program
A successful cyber security awareness program requires the following:
- Executive sponsorship and participation
- Organisation-wide adoption
- Delivery of content via a consumable and engaging process
- Measurable success criteria
Without these strategic elements, efforts to introduce an effective cyber security awareness program in your organisation are unlikely to be successful. The effectiveness of your training program is largely dependent on both how engaged your employees are and ensuring that everyone from the top-down is trained, whether they be full-time or part-time employees or contractors.
For example, the AICD’s Cyber Security Governance Principles advise regular, engaging and relevant training as a critical tool to promote a cyber-resilient culture, including specific training for directors. AICD notes that it is a ‘red flag’ if the board and executives do not undertake cyber security education nor participate in testing.
To ensure strong adoption and participation, training needs to be both interactive and convenient for all employees to access and complete. Understanding the needs of all your employees and ensuring the training is accessible is very important. For example, for those that have English as a second language, providing different language options or subtitles is considered helpful.
The Australian Securities and Investments Commission (ASIC) strongly recommends that businesses develop structured, measurable, organisation-wide training programs and strategies for all staff, contractors, and partners. These programs must enable the business to effectively manage and monitor staff progress, with a particular focus on staff susceptibility and success criteria.
Tailored Training with Engaging Content for Maximum Impact
Before you can deliver a successful program, it is essential to identify your organisation’s knowledge gaps. Conducting a pre-training assessment allows you to gain insight into the current level of your staff’s understanding and, thus, the potential cyber security risks facing your organisation.
Effective cyber security awareness training should be tailored to the specific business risks faced by the organisation. This means understanding the types of data and assets that are critical to the business and ensuring that the training addresses the potential impact of a cyberattack on these assets. By focusing on the business impact of cyber threats, executives and company owners are more likely to prioritise cyber security within the organisation.
Once the organisational context and learning gaps have been identified, an effective training plan can be tailored specifically to your organisation’s needs.
Testing & Simulations
In addition to assessing baseline cyber security proficiency, using quizzes is a simple and effective way to measure whether participants have understood the essential concepts covered in the ongoing training program.
To ascertain whether the training is effective and genuinely changing employee behaviour, we recommend running phishing simulation campaigns using emails that mimic realistic and current threats. We have found this to be an incredibly successful way to evaluate the training’s effectiveness and uncover potential weaknesses in how employees will respond to similar threats in a real-life scenario. This also allows organisations to further identify areas of vulnerability within their workforce and to take remedial action before it is too late.
Phishing Reporting & Remediation
According to the Verizon 2022 Data Breach Investigations Report, the human element continues to drive breaches. 82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches, emphasising the importance of a robust security awareness program.
CAT customers who elect to integrate their cyber awareness training with our phishing detection and response capabilities dramatically increase their resilience. Under the Phishing Remediation service, when a staff member identifies a phishing email, they simply report it via a “Phish Alert” button in Outlook or Gmail. If it’s a simulation, they receive instant confirmation and feedback when they report it. If a staff member fails to identify a phishing simulation email and clicks on a link within one, they are then enrolled in remedial training.
If the reported phishing email is not a simulation, it is immediately reported to CAT’s Cyber Security Operations Centre (CSOC). This reduces the workload for the client’s IT team, as communications and tickets regarding phishing drop to zero. Staff are empowered to handle these directly within their mailbox without the need to report or discuss it with IT or management. This improves productivity and efficiency by reducing the time staff spend discussing and reviewing phishing emails.
The reported phishing emails are reviewed by CAT’s CSOC team. If any harmful content is detected, the team works to eliminate the threat from mailboxes within the organisation. This helps in reducing the risk to the organisation.
IT or management need only be involved if further investigation or response handling is required, allowing the organisation to focus on core business activities.
Measurement & Reporting
It’s essential to have a way to measure the effectiveness of your cyber security awareness program. This could be through regular testing or tracking metrics such as the number of incidents or completed training statistics. Measuring your organisation’s training outcomes enables you to identify areas for improvement and ensure that you are achieving your goals.
Measuring success is essential for any initiative, and your cyber security awareness program is no exception whether you do it yourself or choose to outsource to a specialist provider like CAT.
Comprehensive & Refreshed Curriculum
Unlike annual Health and Safety training, which is considered ‘static’, cyber threats are considered ‘fluid’ due to the evolving tactics, techniques, and procedures (TTPs) being developed by the threat actors. With the ever-changing cyber landscape, where scams and attack methods are constantly evolving, your training curriculum must be updated and reinforced on a regular basis.
While content will evolve to meet the changing environment, a comprehensive curriculum should essentially cover the following:
- A clear explanation of possible threats (phishing scams, social engineering, risky internal practices, malware, ransomware, etc.), threat actors, and how to identify them.
- Real-life examples and scenarios to demonstrate the risks associated with not having secure processes and practices in place.
- What to do should the employee encounter a threat or witness suspicious behaviour.
- Best practices for keeping systems and devices secure.
Conclusion
An effective Cyber Security Awareness Training program needs to form part of your organisation’s DNA, built on a comprehensive curriculum tailored towards the specific requirements of your business and industry. It should be inclusive and easy to access and have the capability to measure user participation and skill competency.
Furthermore, it should provide simulations based on real-world examples to test real-life behaviours, identifying any gaps, with regular updates. It should receive executive sponsorship and support, filtering throughout the organisation to all employees, focusing on staff susceptibility and success criteria.
Cyber Audit Team (CAT) has significant experience developing bespoke Cyber Security Awareness Training programs for our customers. If you would like to discuss your organisation’s cyber security training requirements, please contact us today.
