Cyber Security Awareness Month presents us with the opportunity to catch up on security trends, gauge our security posture, and assess what gaps and exposure may exist. Do we have blind spots? Or are we overlooking assets readily available to us?
We all know spam filters do not catch 100% of spam, and 1.5% of spam contains malicious links. So when one in five employees clicks on phishing emails, you are at risk. This is not news, right? There is no magic bullet for cyber security; the best we can hope for is a strong defense.
When planning the best defense, we often overlook that the best defensive line is right in front of our faces – our employees. We often think of them as our liability because no matter how many technology controls we put in place, we know statistically that 1 in 5 of them is going to click on a phish. This week's #CyberAware focus will highlight how, with proper training – and we’ll talk about what ‘proper’ is – you can condition your employees to not just avoid falling for phishing emails, but to actively report phishing attacks to your security team. You can make your employees part of your defense.
The usual once-a-year security awareness training is not going to cut it. It may check the box on your compliance mandates, but it is not enough to change employee behavior or turn employees into a defensive force for your network. Successful employee defense training looks something like this:
- A continuous program of phishing simulations with point-of-failure training (a short lesson delivered the moment someone clicks) to change behavior over time
- Rising reporting of suspicious emails to the security team
- Fewer successful phishing attacks as employee vigilance improves
- More intelligence gathered from the reported attacks
- Progress measured and the program adjusted based on that intelligence
And since this is the time of year when budgets for 2017 are being developed, it is a perfect time to build a business case for truly effective security awareness training. The guide linked in that sentence walks through the components you need to build that case.
While it may seem straightforward, training employees to spot phishing attacks is not quick or easy. Done poorly (for example, using simulations to shame or punish the people who click, which teaches them to hide mistakes rather than report them), phishing awareness training can be counterproductive and leave your organization more vulnerable instead of more secure. There is definitely a right way to do it, and a wrong way to do it.
Done correctly, with your employees conditioned to report potential threats, you will have the visibility you need to detect those attacks that make it into user inboxes. And that gives you the opportunity to prevent an adversary from moving deeper into your network.
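As an added illustration (not code from the original post or its authors), the following Python sketches the two mechanics described in the list above and in the paragraph on visibility: computing a simulation campaign's click and report rates, and turning a reported email into indicators that can be pivoted against the mail delivery log to find other recipients who have not reported. All records, field names and the log format are constructed assumptions for the example, not any vendor's export format.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing-simulation results: one record per employee.
# "report_minutes" is minutes from delivery to the employee's report (None if no report).
SIMULATION_RESULTS = [
    {"user": "alice", "clicked": False, "reported": True,  "report_minutes": 4},
    {"user": "bob",   "clicked": True,  "reported": False, "report_minutes": None},
    {"user": "carol", "clicked": False, "reported": False, "report_minutes": None},
    {"user": "dave",  "clicked": True,  "reported": True,  "report_minutes": 12},
    {"user": "erin",  "clicked": False, "reported": True,  "report_minutes": 1},
]


def campaign_metrics(results):
    """Program metrics for one simulation: click rate, report rate, the share
    who reported without clicking, and how fast the first report arrived."""
    n = len(results)
    clicked = sum(1 for r in results if r["clicked"])
    reported = sum(1 for r in results if r["reported"])
    reported_clean = sum(1 for r in results if r["reported"] and not r["clicked"])
    first_report = min(
        (r["report_minutes"] for r in results if r["reported"]), default=None
    )
    return {
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "report_without_click_rate": reported_clean / n,
        "minutes_to_first_report": first_report,
    }


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _hosts(urls):
    """Lower-cased hostnames of the given URLs, skipping unparseable ones."""
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def extract_indicators(raw_email):
    """Pull the sender domain and the URL hosts out of a reported message."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else None
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {"sender_domain": sender_domain, "url_hosts": _hosts(URL_RE.findall(body))}


def find_exposed_recipients(indicators, mail_log, reporters):
    """Other recipients of mail matching any reported indicator who have not
    reported it themselves: the people to warn, and the inboxes to purge."""
    exposed = set()
    for entry in mail_log:
        entry_domain = entry["sender"].rsplit("@", 1)[-1].lower()
        entry_hosts = _hosts(entry["urls"])
        for ind in indicators:
            if entry_domain == ind["sender_domain"] or entry_hosts & ind["url_hosts"]:
                exposed.add(entry["recipient"])
                break
    return sorted(exposed - set(reporters))


# Constructed reported emails (raw RFC 822 text) and a constructed delivery log.
REPORTED_EMAILS = [
    "From: Payroll <payroll@example-hr.test>\nSubject: Updated W-2\n\n"
    "Review it at http://example-hr.test/login before Friday.\n",
    "From: IT Help <it-help@example-support.test>\nSubject: Password expiry\n\n"
    "Reset here: https://example-support.test/reset?u=dave\n",
]
MAIL_LOG = [
    {"recipient": "alice", "sender": "payroll@example-hr.test", "urls": ["http://example-hr.test/login"]},
    {"recipient": "bob", "sender": "payroll@example-hr.test", "urls": ["http://example-hr.test/login"]},
    {"recipient": "carol", "sender": "news@vendor.test", "urls": ["https://vendor.test/news"]},
    {"recipient": "dave", "sender": "it-help@example-support.test", "urls": ["https://example-support.test/reset?u=dave"]},
]
REPORTERS = {"alice", "dave"}  # constructed: who reported the real messages


if __name__ == "__main__":
    print(campaign_metrics(SIMULATION_RESULTS))
    indicators = [extract_indicators(e) for e in REPORTED_EMAILS]
    print(indicators)
    print(find_exposed_recipients(indicators, MAIL_LOG, REPORTERS))
```

The metric worth watching over successive campaigns is the share who report without clicking, since that is the behavior the program is trying to produce; the recipient pivot is what turns one employee's report into containment for everyone else who received the same message.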
Ultimately, a truly effective security awareness training program puts your employees on offense, recognizing and reporting potential threats. For further education on this topic, check out this recorded webinar we did a few months back on how to Turn Your Employees into Security MVPs, and give us a call if you have any questions!
There's more to come this week on security awareness training; sign up for our blog and receive alerts on our Security Awareness Month series. We will also enter you for a chance to win a #PhishRage t-shirt.