By Edward Whittingham, Founder & Managing Director, The Defence Works.
I can answer the question in the title in one word: Very.
But of course, anyone with any sense should ask: OK, go on, prove it then. So, I will try to.
Let me leave this here before I go on to give some evidence about the importance of security awareness training.
In the first half of 2019, there were 4.1 billion data records breached. In the same period in 2018, there were around 3.5 billion exposed records. By anyone’s standards, that’s a lot. Not all were cybercriminals hacking into databases. Many were accidental exposures, lost laptops, inadvertent emails sent out, and so on.
The state of cybersecurity today is a mess. What is often true in life is that the simplest of ideas can be the most effective. Enter, stage left, security awareness training.
Where security touches employees, deeply
Security, back in the olden days, say in 1995, was something that was pushed over to a geek in the server room. The geek (I say that as a fellow geek) would sit, warming hands over a hot server while contemplating when to do an update that would cause most annoyance to the employees.
When the network reached out into the wider internet, things changed. Cybercriminals upped the ante and cyber-attacks for the masses began. Employees became a target. By then, we were all connected up via email and websites. This was when we all became security woke; this was when the awareness penny dropped into place.
A recent report by Proofpoint points out that 99% of cyber-attacks need human intervention. What does this mean?
- Phishing: A human has to click a malicious link or download a malware-infected attachment for the attack to begin. This then leads to the loss of personal data or even the loss of login credentials that expose a whole database of data.
- Accidental exposure: A human has to accidentally leave a laptop on a train or send an email with personal details to the wrong person.
- Security negligence: Sharing passwords is more common than you might think. Around 19% of company passwords are easily compromised because they are either shared or weak. Reuse of passwords is another area of concern. A study showed that 52% of people reuse their passwords for multiple services.
- Misconfiguration: In 2018, 70 million of the exposed records were due to system admins not setting up cloud databases and servers correctly. Often, this is down to just not thinking with a security hat on.
Putting the security hat on with security awareness
To counterbalance all of the human touch points of the cybersecurity horror show, we have to turn to education. When I was a kid, I was taught how to cross the road without being killed. There were some excellent adverts on the telly at the time with a cute little fella called “Tufty”. Those short little TV videos worked wonders. My 7-year-old self remembered the words of Tufty when I went to cross the road, and I’m here to tell the tale.
Security awareness training is similar to the training we got as kids to stay secure when crossing the road or talking to strangers and so on. It is an adult version of the security training we got as kids.
Security awareness training works by addressing a number of areas that cause security vulnerabilities. This includes phishing, security hygiene, etc. The training teaches everyone across the organisation about the danger zones and gives them a security hat they can wear in everything they do.
Effective security awareness training works with your employees to engage them in interactive sessions. It makes security awareness fun and in doing so makes it memorable.
A recent report into security awareness amongst employees found that 75% of organisations had a serious problem understanding best practice for correct behaviours in cybersecurity and data privacy.
75% of organisations don’t know how to prevent cyber-attacks
We said earlier that 99% of cyber-attacks require a human being to start the process that will result in a data breach. Compound this number with 75% of organisations not knowing how to prevent this, and you have yourself the perfect environment for cybercriminals to operate in.
This, in a nutshell, is why education in the form of security awareness training is vital. Your people are your best chance to protect your company. Make the most of our natural instinct to avoid being made a fool of. No one wants to be the person who pressed the big red button and let the cybercriminal in. Using an effective security awareness training package empowers employees to make the right security decisions. The old adage “knowledge is power” has never been truer than in the current security climate we find ourselves in.
Find out more at SDI20
Edward Whittingham is a former police officer and qualified solicitor, having specialised in fraud and corporate crime at an international law firm. Edward is now the founder and Managing Director of The Defence Works, an award-winning provider of security awareness training, accredited by GCHQ as part of the National Cyber Security Programme.
If you would like to learn more about cyber security and its importance for your company, you will be able to find Edward Whittingham’s session at the SDI20 conference, titled “Making Cyber Security Sexy: How to Get Your Employees to Care About Cyber-security”.
We hope to see you there!