Reducing cybersecurity risks with strong awareness reporting
Although cybersecurity has always been a top concern for business executives, the rapid and dramatic shift to a remote and flexible work environment has put this form of risk at the forefront of their minds.
Regardless of industry or location, nearly half of all executives surveyed in a recent MetricStream report noted that cybersecurity was their top business risk.
At the same time, a look at the top passwords in use, which all involve a series of sequential numbers or keystrokes — showcases just how significant the divide is between principle and practice.
Unfortunately, lax and insecure passwords are often the tip of the iceberg to understand the role and importance of cybersecurity awareness training. This program should enforce good password hygiene and provide and encourage safe browsing, email, mobile, and other security best practices.
So whether your organization is just beginning to establish its cybersecurity awareness program or if you're looking to take it to the next level, here are some key things your training may be missing.
Phishing simulations & training
Measuring the impact of a cybersecurity awareness program
According to the most recent Verizon Data Breach Investigations Report, about 22 percent of security incidents in 2021 can be traced back to human error from employees inside of an organization. This number has stayed roughly the same since 2018. Unfortunately, trends from most of this same period showed that organizational budgets for security awareness training were actually steadily increasing, growing from about $137 per employee in 2018 to $203, according to Mimecast.
So how can the number of human-enabled attacks stay the same even as spending for security awareness training continues to increase? One answer could be that organizations could just decide to spend more even if they are not getting the proverbial awareness bang for their security buck.
As with many other aspects of evaluating the return on investment of a strong cybersecurity program, evaluating the role and benefits of cybersecurity awareness can be difficult. While some organizations attempt to measure the number of threats blocked by existing security controls, phishing messages are scanned and deleted. The open rate of phishing-awareness campaigns in today's high-risk environments — matched by high scrutiny of security budgets — isn't enough.
This challenge is one that Infosec's Jordan Filip, Client Success team Lead, and Kevin Angeley, Senior Sales Engineer, have been working hard to help organizations overcome, which the two discussed in a recent Infosec Inspire Session.
"We've realized that what customers need and should expect from their security awareness training program is the same level of enterprise-grade reporting that helps drive other parts of their business," notes Angeley. "Since we've been collecting information and working with our customers to create and identify key performance indicators in their account, we've learned that success goes beyond the phishing rate you see on your dashboard."
Other indicators of the strength of your security culture
Most organizations with security awareness programs are familiar with some of the more common phishing-related metrics, such as the report rate and the time to report. Many others also have methods to measure the impact of security awareness programs among their employees, such as collecting feedback from courses or surveys.
However, with IBM reporting the average cost of a data breach is at an all-time high of $4.24 million, Angeley and Filip wanted to help organizations go beyond these metrics and use additional data analysis tools and key performance indicators to spot trends and measure success.
While there are several dimensions to these metrics, Angeley and Filip believe that they all boil down to identifying ways to measure and increase engagement to mitigate security risk.
"This is an important correlation because engaged learners learn more effectively, retain more, and are less likely to fall victim to a security attack," emphasizes Angeley.
Comprehensively measuring security awareness
Angeley and Filip help organizations take advantage of Infosec's Security Cultural Surveys, which measure the performance of security awareness programs with questions that tie back to five different domains. Able to be completed once a year or biannually, the five domains that Infosec's Security Culture Survey covers include:
Confidence: How learners feel about putting their security knowledge to practical use. These questions are a great way to identify the maturity of a security awareness program over time.
- Sample Question: How confident are you that you would know what to do if you witnessed a cybersecurity incident?
Responsibility: How well learners understand their role in implementing their organization's cybersecurity program.
- Sample questions can cover specific policies and procedures expected for employees in a specific functional role (i.e., human resources professionals keeping data private)
Engagement: The number of employees completing the required cybersecurity awareness training on time and how relevant the program is to their role in the organization.
- Sample Question: How relevant is the cybersecurity training you receive at work to your life and activities outside of work?
Trust: How employees perceive IT and security in their organization and their perception of the strength of their existing security program.
- Sample Question: How comfortable are you reaching out to your IT or security team for assistance?
Outcomes: How well do employees understand the impact of a security incident on the health or reputation of their organization.
- Sample Question: How seriously do you think a cybersecurity issue would be taken if you reported one at your workplace?
How to take your cybersecurity awareness program to the next level
There is more to a strong cybersecurity awareness program than just phishing training, regular training, and at least an annual survey.
So what are some of the recommendations that Angeley and Filip have for organizations to bolster their overall security programs?
- Identify champions from across the functional areas within your organization that can act as an extension of your security team and help communicate across groups.
- Focus on building trust in your organization's IT and security teams by resolving issues that result in workarounds, highlighting successes, and recognizing staff that demonstrates your program's values.
- Find ways to keep security training new and relevant, including updated statistics case studies and gamifying the training to encourage healthy competition.
- Refine training topics and regular communications based on organizational events or based on overall behavioral trends .
- Engage managers and executives in helping to promote and encourage involvement in the security program.
- Develop key performance indicators and a regular reporting mechanism to track the security program's metrics over time.
- Partner with other functional experts within your organization, such as the training and learning professionals within the Human Resource department.
- Establish a consistent schedule to promote and highlight your security program, even utilizing a tool to automate the process and communications.
Phishing simulations & training
Bringing it all together
While there is broad agreement across organizations about the value and importance of cybersecurity, especially the role each employee plays, EY reported that only 29 percent of Fortune 100 companies utilize security awareness programs.
Your organization can be different.
Fortunately, you don't have to lay the groundwork for a strong, measurable, and agile security awareness program on your own. Experts like Angeley and Filip, believe that taking a people-first approach and utilizing trusted and refined tools like the Infosec IQ Cybersecurity Culture Survey can help your organization be better prepared for the threats of tomorrow.
Sources
- Cybersecurity is Greatest Post-Pandemic Concern in 2021, According to MetricStream Risk Management Survey, PRNewswire
- 2021 Data Breach Investigations Report, Verizon
- Employee Negligence Remains the Biggest Threat in Data Breaches, Bitdefender
- The ROI of Security Awareness Training, Mimicast and Osterman Research
- Cost of a Data Breach Report 2021, IBM and the Ponemon Institute
- What companies are disclosing about cybersecurity risk and oversight, EY
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Reducing cybersecurity risks with strong awareness reporting
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization