The need for security awareness has never been higher. Cyber threats are on the rise and cyberattacks are getting more sophisticated.
Companies use security awareness to mitigate human risk. The idea is that security awareness training will result in better employee decision making and better security hygiene. This ultimately reduces the risk to the business.
Today, many companies train their employees to understand how they can follow security procedures to prevent cyberattacks and lower the risk to the business. But this is just scratching the surface of security awareness.
Security awareness training has drastically changed over the years. With the increase in data usage and storage has come the increase in potential risks based on that data. More and more cyber-attacks are being launched every day, and the attacker’s capabilities have expanded. As new information security processes develop, cyber attackers have grown more sophisticated in their methods to get around these systems. It’s a constant game of whack-a-mole. This has forced companies to adapt their security awareness.
Current research shows that almost all security breaches are caused by human error. For this reason, the importance of teaching all employees how to securely do their work is key to keeping company data safe.
Back in the early 2000s, computers were fairly new. Most business owners did not rely solely on computer systems and digital data to run their companies. The largest threats back then were computer viruses that could replicate and spread to other computers. Most companies looked at how they could stay secure via technology, and they completely missed the contribution that humans make in cyber security.
Towards the late 2000s, internet usage rapidly increased. As more companies moved online, more web apps (SaaS apps) were created. Nearly all companies today rely on SaaS apps for workflows and data storage. This expanded digital footprint created a wider opportunity for cyber attackers. It also provided employers with more autonomy in their daily actions and workflows, as well as pushing down more control of apps and configurations to managers and end users.
Around this time, businesses, mostly larger and established businesses, began to realize the importance of teaching their employees about cybersecurity. Ways in which training was implemented included showing staff how to properly identify a malicious attachment and how to properly handle and dispose of confidential information.
Since that time, attacks and threats to employees have evolved considerably. Phishing has become a near daily occurrence for most companies. The number of cyber attacks has increased due to the availability of tools to scale attacks, the access to systems and networks via apps and employees, and the treasure troves of data stores by many companies. Hackers target employee human errors to gain access to company data, such as an employee clicking a link in a phishing email or handing over private information to an unknown hacker via phony websites.
At the same time, the need to build trust with partners, something today referred to as 3rd party assurance, has blossomed into something that is a part of doing businesses. Building trust is required to sign and close deals for most companies. And trust typically comes in the form of security questionnaires or auditing / reporting (think SOC 2). These forms of proof are not only required for larger companies, but for basically all companies today; at Haekka, we have companies as small as 6 using our security awareness platform for SOC 2 and HIPAA audits. And these forms of proof invariably require security awareness training of all employees.
For all these reasons, security awareness has become a huge deal for all companies in 2021. Whether to reduce the risk to the business or to build trust with customers, security awareness is table stakes in 2021.
Security awareness training can take on a number of forms, both in terms of delivery and in terms of content. Today, security awareness most typically bifurcates into security awareness training and phishing simulations. Most security awareness vendors bundle these together.
There’s a myriad of topics that should be included in a security awareness training. These topics can be covered using in person training or digital delivering mechanisms. The most common form of security awareness training is digital and the most common cadence, sadly, is annual. When delivered annually, security awareness is more about checking the box than positively impacting the security of the company.
While phishing simulations are not always required to build trust, they are a great way to assess the risk of the business and to provide real world training to employees. Phishing simulations are often run either monthly or quarterly.
Currently, many businesses do not invest a great deal of money into security awareness. The market for security awareness training has raced to the bottom and driven down the price of training. While many companies are simply checking the box on security awareness training, they are not willing to pay a lot for it. This is starting to change as more and more companies see the need to provide better training and tools to empower their employees to make better security hygiene decisions.
Security awareness is constantly changing. First, the topics covered need to continually evolve to meet the changing threat and technology landscape. Remote work is a new topic area that needs special attention given the transitions to remote work that have been accelerated since 2020. Additionally, new forms of attacks are constantly being waged, whether they be social engineering attacks through collaboration tools like Slack or more sophisticated forms of attacks that are hyper targeted (like spear phishing).
Second, security awareness training needs to evolve to meet the changing regulatory landscape (GDPR, CCPA, etc.). These new regulations go beyond traditional security best practices and define requirements for the handling of personally identifiable information (PII) and communications with users about PII. These mandate new content to educate employees on privacy, not just security awareness.
Third, while digital data has become an invaluable asset for many companies, it is a risk if it is exposed in a security breach. In order to address this increased risk from digital data, companies will need to invest more heavily in effective security awareness that goes beyond checking the box. It’s not feasible to do continual security awareness training that takes large chunks of employee time so creative ways need to be created to deliver relevant content without blocking employees from being productive. In the future, security awareness training will be integrated into the work of all employee.
Over the last 20 years of digital transformation and into the future, there have been rapid advances in technology and the ways in which we work, and this is only going to continue and accelerate into the future. Companies need to invest more time and money into proper security awareness, with the focus shifting towards human knowledge and behavior.
Security is everybody’s responsibility. Employees will need to understand what their responsibilities are with regards to cyber security and best practices for data handling. One small mistake by an employee can cascade to security incidents and data breaches.
Security awareness has evolved since the early 2000s, but it’s an area that needs to be constantly updated and changed in order for companies to protect their data and maintain trust in the market.