According to an InfoScales report, 95% of successful cyberattacks have human error as the leading cause – most notably company employees falling for phishing scams. This is an important observation, because cybersecurity efforts often intuitively focus on strengthening an organization’s technical controls to prevent, for example, data leakage, willful exfiltration and system intrusion.
The fact that human error, or rather susceptibility to social engineering, is a major component attackers leverage in carrying out a successful breach means that employees’ careful attitude towards handling data and computer systems is essential to the organization’s security.
Here are five ways in which your organization can realize the benefits of implementing a hands-on information security awareness program for non-technical and technical employees alike.
1. Deter phishing and vishing attacks by a massive amount
No matter how strong your organization’s security controls, firewalls and email endpoint scanners are, those efforts won’t go far if an unsuspecting employee clicks a malicious link in an email and enters their credentials on a phishing page, effectively enabling an attacker to “hijack” corporate systems with the same privileges as the employee. A hands-on program that trains employees to distinguish legitimate emails and phone calls from suspicious ones, such as a call from the “CEO” asking for a highly sensitive payroll spreadsheet of all employees, better equips them to handle unexpected situations and requests to which they might otherwise fall prey out of hesitation.
Technical solutions offered by third parties exist, for example Microsoft Outlook plugins that let employees report a suspicious-looking email directly to the company’s “phishing mailbox” for review by internal security personnel. When even a single vigilant employee reports such a message, the organization’s 24/7 Security Operations Center (SOC) can immediately “pull” every copy of the suspicious email from the mailboxes of all other employees before they even get to it in the morning.
With comprehensive hands-on training, the high probability of an employee reporting a phishing email far outweighs the risk of even one naïve employee falling for it.
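To make the SOC “pull” step concrete, here is an added example (not from the original article or any vendor plugin) of how a reported phishing email can be fingerprinted and matched against other mailboxes so that every copy of the same campaign is found for quarantine. The mailboxes, addresses and messages are constructed sample data; a real deployment would search the mail platform’s API instead of an in-memory dict.

```python
import email
import re
from email import policy, utils

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Constructed sample messages (not real mail): two copies of one phishing
# campaign that differ in Message-ID and subject casing, plus one legitimate mail.
PHISH_A = b"""From: IT Helpdesk <helpdesk@mail-relay.example>
Subject: Action required: password expires today
Message-ID: <p1@mail-relay.example>

Your password expires today. Verify at http://login-verify.example/reset
"""
PHISH_B = b"""From: IT Helpdesk <helpdesk@mail-relay.example>
Subject: ACTION REQUIRED:  Password expires today
Message-ID: <p2@mail-relay.example>

Please verify now: http://login-verify.example/reset
"""
LEGIT = b"""From: Payroll <payroll@corp.example>
Subject: Payroll schedule for next month
Message-ID: <l1@corp.example>

The schedule is on the intranet: https://intranet.corp.example/payroll
"""
MAILBOXES = {"alice": [PHISH_A], "bob": [PHISH_B, LEGIT], "carol": [LEGIT]}


def fingerprint(raw: bytes) -> dict:
    """Campaign features of a raw RFC 822 message: sender, normalised subject, body URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {
        "id": str(msg.get("Message-ID", "")),
        "from": utils.parseaddr(str(msg.get("From", "")))[1].lower(),
        "subject": " ".join(str(msg.get("Subject", "")).lower().split()),
        "urls": frozenset(u.lower() for u in URL_RE.findall(text)),
    }


def sweep_mailboxes(reported: bytes, mailboxes: dict) -> dict:
    """Return {user: [Message-IDs]} of copies to quarantine: same sender and same subject or a shared URL."""
    target = fingerprint(reported)
    hits: dict = {}
    for user, msgs in mailboxes.items():
        for raw in msgs:
            fp = fingerprint(raw)
            same = fp["from"] == target["from"] and (fp["subject"] == target["subject"] or fp["urls"] & target["urls"])
            if same:
                hits.setdefault(user, []).append(fp["id"])
    return hits
```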
2. Remain compliant with regards to information handling
When your employees are better equipped with the knowledge to handle sensitive information, your organization naturally becomes more compliant with requirements commonly demanded by privacy legislation, such as HIPAA, GDPR and EU-centric laws such as those around “geo-blocking”. This last one especially applies to software developers and information security professionals, who may not realize that blocking traffic from certain regions to deter DDoS attacks can actually violate the law.
Taking measures to educate your employees about different aspects of security naturally fosters a culture in which team members, for example, do not share sensitive information informally over instant messaging or other insecure channels, and in which IT professionals design and manage systems while ensuring no laws are violated in doing so.
3. Strengthen physical perimeter security
Security is a multifaceted concept and, as the saying goes, is “only as strong as the weakest link.” However extensive they are, all digital security measures are futile if a malicious actor is able to gain physical access to your servers and critical systems and tamper with them.
While access controls exist, such as RFID-powered door locks and “no re-entry” emergency exits, social engineering remains a major unaddressed culprit here. It is not hard to imagine a scenario in which an impostor standing right by an office building entrance simply follows a legitimate employee who is authorized to enter the building, a practice known as piggybacking or tailgating.
Sometimes a person may not be paying attention to who is “tailgating” them, while at other times it may be seen as customary to “hold the door” for someone out of politeness, even a stranger. And just how often do legitimate employees genuinely forget to carry their ID badges? An impostor could easily offer that excuse to the person they are tailgating, if asked.
This seemingly harmless custom can have significant consequences. What if the impostor then gains physical access to just one computer system and plugs in a USB drive in an attempt to exfiltrate data? Or perhaps the impostor is an investigator hired by a competitor merely to survey the workplace and take photos.
To prevent such scenarios, strict company policies combined with proper information assurance training ensure that the message on how employees should handle “awkward” social situations is communicated throughout the company.
4. Minimize the risk arising from breaches and negative publicity
Educated and security-aware employees are less likely to fall for the social engineering attacks that lead to a data breach. This in turn protects valuable assets, minimizes leaks of intellectual property, and protects brand reputation as a whole. Companies taking proactive measures to get ahead of malicious attackers lurking in cyberspace may also appeal to investors and build greater trust with the general public. The opposite is also true: companies hacked recently have experienced their fair share of trouble attracting new clients.
5. Protect employee personal information
Since news headlines are frequently about customers affected negatively by security breaches, it is commonly assumed that the ‘personal information’ to be protected at any cost is that of customers and business associates. This is not always true, however. In the well-documented Sony data breach, it was employee data that was compromised, for which the company agreed to pay up to $8 million in compensation. A typical “customer” of the studio buying film tickets was not directly impacted by the breach.
Despite being an unfortunate occurrence, cases like this help reinforce a security mindset, as they demonstrate to your organization’s employees that following cybersecurity best practices benefits everyone, including the employees themselves.
In conclusion, a properly designed cybersecurity awareness program for employees, as opposed to a mere “drill exercise”, can benefit your company’s employees, culture and reputation, and save a lot of hassle that may arise in future with the growing number of threats and attacks in cyberspace.