Cybersecurity awareness is different from other types of cybersecurity. In cybersecurity there is certainly awareness and training, but technology and policies are also in place to help manage risks, assist in prevention, and detect anomalies. However, the common and often easy initial access vector remains users who have access to internal systems and external systems. An email-enabled user is and will remain the launch pad of attacks for years to come. The common solution to this issue is to provide end user training.
However, training alone is simply not sufficient. Like other aspects of cybersecurity, controls must be in place to assist users in making good decisions and prevent them from making obvious mistakes that could allow system compromises. More importantly, the roles of the users must be taken into account when establishing controls. Some roles require, as part of daily tasks, activities that would otherwise count as poor cybersecurity hygiene. For example, the accounts payable team is accustomed to opening attachments from vendors. Other roles, such as marketing, human resources, and sales, have similar demands. The way we think about cybersecurity and interact with it must be more than just cybersecurity awareness initiatives.
Best cybersecurity awareness practices to implement in an organization
The first thing that many organizations do is to start blaming employees if they fall victim to a phishing attack or social engineering ploy. This is the wrong approach — it creates a culture of fear that actually increases risk. For example, if you work in a company where the CEO is erratic and makes unusual demands, many social engineering attacks will look like the kind of behavior the employees have come to expect. These employees are less likely to question an attacker’s behavior because to them, it looks like behavior they expect.
Instead, you need to approach cybersecurity awareness training by making sure that your employees feel confident that they’ll be supported and educated, not blamed if they make a misstep. If your staff feels comfortable questioning the IT or security team, they’ll be better equipped to make good decisions. They should never worry that they will get in trouble if they have a false positive and reject an email or call because they think it might be a social engineering attempt. That’s what you want them to do, and so that behavior needs to be encouraged.
Training is important, but it should not be punitive. Cybersecurity awareness training is when you are educating your employees to make good security decisions, not simply to be able to identify a predictable phishing attempt. Good training programs should happen regularly, but they shouldn’t take hours to complete — they should be short sessions with clear takeaways. You should also give employees an opportunity to learn. For example, if you use a testing program with a phishing attack and someone falls victim to the attempt, don't name and shame them. Instead, the training can include a follow-up email letting them know what happened (and where they went wrong) and what to look for in the future. The goal is to continuously educate and remind your employees about what to look for and why — that’s cybersecurity awareness, not demeaning employees who fail.
How often should you conduct cybersecurity training?
Security is part of our company culture at Mitiga, and we regularly engage each other when we notice things that look off, such as phishing emails. We work to share our expertise not only with clients but also internally on an informal basis, sharing what we’ve seen in engagements with folks who are not directly connected to the incident response process.
We supplement this security-first mindset with rigorous routine training as required by industry standards. Training is informal and frequent, with random segments of the business being tested continually. Relying only on periodic testing and training leads to security becoming an afterthought for most employees — something they only think about during regular training sessions. Integrating reminders, reports, and discussions about security and phishing into weekly team meetings is a great example of empowering employees and making them more cybersecurity aware.
Cybersecurity awareness is about tools, controls, and culture
There are a lot of great tools available for cybersecurity awareness. KnowBe4, ESET, Phished, and Cofense are just a few of the many good options available for security awareness training. But if your cloud security is dependent on employee awareness, you’re doing something wrong. For example, zero-trust models help you control access so that employees only have access to the resources they need, using many technical controls to manage identities and access appropriately.
You shouldn’t just be telling your employees not to click on files. That’s good to know, of course — but give them technical controls to back up their training and awareness as well. For example, if they try to install a file, make sure that there’s a prompt to confirm that it’s really what they want to do — simple interrupts like this will help them think through an action before going through with it. A prompt that suggests a check-in with IT or security if they have a question or concern about an action will also help. There are many tools that block suspicious emails, and when implemented well, they will also give employees a moment and an opportunity to confirm whether they really want to open that email or not.
The most valuable tool, though, is anything that enables feedback from employees to cybersecurity staff. Getting people into the routine of reporting suspicious stuff, however minor, is the ultimate goal of any of these programs. When you select your tools, you need to ask yourself what your goals are for training and how you are equipping your employees to make these goals easier to achieve.
Cybersecurity awareness is an interesting challenge. For most security considerations, needs scale linearly with the size of the organization. However, employee awareness needs scale exponentially. This is of particular concern with rapidly growing startups. When you grow past the point where you know every employee, social engineering becomes quite simple for bad actors, so the more you implement the appropriate tools and controls, backed by a culture that encourages employees to ask questions and consider the possibility of malicious actors, the more robust your security program will be.