Social engineering remains the top way criminals get into an organization and its data, and the problem gets worse every year. Last year, by some estimates, as many as 90% of all breaches involved a successful phishing message, and 65% of those were targeted spear phishing (where the attacker picks a specific person and masquerades as a sender that person trusts). Even with your toughest policies and most effective email filters in place, some socially engineered messages will reach your staff. Once a message is in the inbox, the person reading it is the last line of defense, which is why effective security awareness training is essential to preventing a catastrophe.
The four factors
Here’s what the experts tell us will make your training the most effective:
Start at the top
As with most aspects of an organization’s culture, security awareness, and acknowledgement of its importance, starts at the top. If your CEO/President/Director presents an attitude that cybersecurity is a critical element of the company’s success, staff will take notice. And it’s not just about culture and attitude: executives need training as much as anyone else in the organization. If you’ve never heard of “whaling” before, it is a form of spear phishing aimed at C-level employees. The criminal’s aim with whaling is to gain top-level access to the organization’s most sensitive data, and because these targets typically have the broadest access and the authority to approve payments and data transfers, a single successful whaling message can do more damage than many ordinary phishing attempts. This is why executives should never be exempted from training or from simulated phishing tests.
Onboarding and annual re-training
All new staff should get extensive, comprehensive security awareness training during their onboarding. And every staff member, again from top to bottom, should be part of annual re-training. Cybercriminals are always changing tactics and finding new ways to “get one over” on us, so it’s important to stay on top of these tactics and incorporate current examples into the annual re-training rather than reusing last year’s material unchanged.
Frequent refreshers/reminders and phishing checks
According to Stu Sjouwerman, founder and CEO of KnowBe4, “There is not a significant decrease in risk until training is done at least once a quarter, and there are further significant drops in risk as training and simulated phishing tests are done at least once a month.” This refresher training doesn’t need to be as comprehensive as the onboarding and annual training. It should simply serve as a reminder of what to do and what not to do. You can also supplement training with periodic cybersecurity awareness emails, handouts and posters hung in areas frequented by staff. Simulated phishing tests are an excellent way to gauge where everyone is in terms of awareness, so training adjustments can be made. Track not only how many people clicked but also how many reported the simulated message, and treat the results as a measure of the training program rather than as grounds for punishing individuals; staff who fear being blamed are less likely to report the real thing.
Vary the way training is conducted
People learn in diverse ways. What works well for one employee may not work well for another. Some retain the most knowledge by watching videos. Others by reading. Some by attending interactive classes. And many retain knowledge best when training is made fun with gameplay. The best advice: mix it up. By varying the way in which you conduct training, you not only accommodate different learning styles but also keep things interesting for everyone.
In the end, your staff, at every level, need to have the training to know how to:
- Recognize the threat: Know what the various signs of social engineering look like (an unexpected sense of urgency, a request to bypass normal procedure, a sender address or link that doesn’t match the claimed sender), and be thorough in actually looking for them before responding
- Mitigate the threat: What to do, or really what not to do, if they suspect foul play: don’t click the link, open the attachment, reply, or act on the request until it has been verified through a separate, trusted channel
- Report: Who they need to tell so that the threat can be further mitigated by your IT or security team, which can then block the sender, pull the message from other inboxes and warn the rest of the staff
If your training is thorough and conducted regularly, and your organization maintains a persistent, positive culture of cybersecurity awareness, you should be in fairly decent shape.