IT Leaders: Don’t Overlook Security Awareness Training for Employees
One of the biggest lapses in an organization’s cybersecurity strategy is little or no emphasis on employee training, a gap that can cost companies millions in data breaches. Learn how cybersecurity awareness training can reduce your organization’s exposure in 2020 and beyond.
Ask any industry leader about the state of cybersecurity resilience, and they’ll likely tell you, “it’s complicated.” Accenture’s 2020 report shares just how complex it is to protect an organization against cyberthreats – take a look at the following insights:
- Accenture classifies 17% of organizations as leaders and 74% as non-leaders, and the gap between them is wide: 85% of leaders feel actively protected, compared with just 55% of non-leaders.
- 44% of non-leaders had 500,000+ customer data records exposed in the last year, and for 97% of them, breaches lasted more than a day. The financial impact of exposures on that scale is substantial.
- The number of direct attacks is down by 11%, but 40% of security breaches are indirect or "hidden" in nature. Defending against them is driving unsustainable costs: 1 in 4 companies has had to raise its security budget by more than 25%.
- 30% of leaders provide training for more than three-quarters of their users, compared with just 9% of non-leaders. Most non-leaders train less than half of their user base.
Training has emerged as a critical and cost-efficient lever for cybersecurity at a time when threats are rapidly evolving, and budgets cannot keep pace with demand. That’s why cybersecurity is among the three training programs IT service providers like Infosys will prioritize for the Class of 2020, Srikantan Moorthy (global head and EVP of education, training, and assessments at Infosys) told Toolbox.
Gaps in employee training could have massive implications in the long term, as several companies have found the hard way.
Employers Aren’t Sufficiently Focused on Training for Cybersecurity Resilience
Recent reports suggest that, while leaders are progressing on the resilience and maturity curve, others are falling far behind. Three trends are widening companies’ digital exposure:
- Cloud migration: Moving enterprise assets into shared, provider-managed infrastructure introduces new failure modes, notably misconfigured access controls on cloud storage and services.
- Low-touch economy: Customers expect service providers to be present on every channel, but every channel added is another place where customer data is collected and can leak.
- Remote working: Employees working from home need to understand how their devices, home networks, and online habits affect the enterprise’s security posture.
“Due to the rapid shift from on-premise to remote operations, cloud usage has spiked, and the workforce has increasingly become users of SaaS-based services. This has created new pain points for CISOs – like visibility and protection of the user of the systems, whether that is by way of awareness training and education or by modeling their behaviors,” LogRhythm’s CSO & VP James Carder told Toolbox.
Companies that haven’t taken proactive steps face unprecedented penalties. Here are two incidents that show how an external attack and an internally introduced flaw can each cost an organization millions of dollars.
1. Capital One fined $80 million for 2019 data breach
One of America’s largest banks disclosed a severe breach last year: an outside attacker, a former employee of the cloud provider that hosted the bank’s infrastructure, exploited a misconfigured web application firewall to reach customer data stored in the bank’s cloud environment.
The misconfiguration exposed the personal records of roughly 100 million customers and applicants – names, addresses, dates of birth, credit scores, and, for a subset, Social Security numbers and linked bank account numbers. Capital One did not detect the intrusion itself; it learned of it only after the attacker posted details on GitHub and an outside party reported the post through the bank’s responsible disclosure program.
Not surprisingly, the bank was found to have failed to manage the risks of its cloud migration. Beyond the $80 million fine from the Office of the Comptroller of the Currency, Capital One must submit a comprehensive cybersecurity plan under a consent order. The plan mandates new security controls, a clear definition of cybersecurity roles, and adequate training so that a breach of this scale does not again go undetected.
2. First American faces alleged violations of NY’s financial services cybersecurity regulation
New York’s first-of-its-kind cybersecurity regulation (23 NYCRR Part 500) went into effect in 2017, requiring financial services providers to establish and maintain a detailed cybersecurity program. The NYDFS has charged First American Title Insurance Company with violating six of the regulation’s provisions, including the failure to provide adequate cybersecurity training for its personnel.
The NYDFS alleges that each instance of exposed non-public information constitutes a separate violation. First American exposed nearly 885 million such documents, and each violation carries a penalty of up to $1,000.
The vulnerability was entirely preventable: it was introduced during a routine software update in May 2014 and allowed anyone holding a link to one document to view other customers’ documents simply by changing a number in the URL, with no authentication required. Like Capital One’s misconfiguration, it went unaddressed for years, leaving customers’ sensitive personal information accessible on the public web until an independent cybersecurity journalist reported the leak last year.
Industry-Specific Cybersecurity Training Is Lacking
Examples like the above illustrate the heavy price of low awareness and improper training – including damage to brand reputation, business interruptions, and loss of customer trust. IT leaders need to double down on giving employees the education they need to recognize and respond to the attacks they will actually face.
But there’s a lot of ground to cover.
Reports suggest that 1 in 3 healthcare employees has had no cybersecurity training, despite the growing frequency of healthcare data breaches. HIPAA regulations make it mandatory for covered organizations to train their workforce on security, yet only 38% of healthcare employees receive refresher training every year.
Healthcare, like financial services, handles huge volumes of sensitive customer data – which is why organizations in both sectors cannot afford to lag the cybersecurity leaders on training.
Get Proactive About Building Cyber Security Skills
Employee training in cybersecurity covers a wide spectrum – from basic, end-user awareness to best practices training for team leaders to specialized, technical upskilling for your dedicated cybersecurity team. And each is equally important in today’s complex digital landscape.
Unfortunately, existing approaches to training are often reactive – responding to the last incident rather than first diagnosing where the organization’s actual weaknesses lie.
Arun Vishwanath, Associate Professor at the University at Buffalo and faculty associate at Harvard University’s Berkman Klein Center, compares this to a doctor prescribing medication without examining the patient and then repeating the prescription until something works. “That doesn’t work,” he said. “What my research team and I have developed is a risk assessment methodology that works with existing penetration testing mechanisms. We have a short, 40-question framework that every person fills out, we do attacks, and assess your risk. Each person is given a score called the cyber risk index (CRI) between 0 and 100, which indicates their likelihood of falling for an attack.”
Automated Tools Can Help Build Risk-Aware Culture
Several tools support this proactive approach, and one of them is automated in-the-moment training. For example, Foxhunt offers a phishing training and response platform that sends employees simulated attacks and teaches the appropriate response at the moment they interact with the message.
Training delivered at the moment of a decision goes a long way toward overcoming the forgetting curve, a major issue for any upskilling program.
In-the-moment training also builds a culture of alertness and skepticism, which is always useful for grassroots cybersecurity awareness. As the recent hijacking of some of America’s most high-profile Twitter accounts suggests – an attack that began with phone-based social engineering of Twitter employees – there simply isn’t enough awareness of risk in the digital world.
As long as employees remain the “weakest link” in enterprise cybersecurity, it is impossible to stay resilient without adequate training. On the upside, companies that do invest in building cybersecurity capabilities will be able to remain secure, compliant, and operational for longer and at lower cost.