Even a talented 24/7 security operations center equipped with good security tools can prevent only the vast majority of threats; people still play a critical role on the front lines of your organization’s cyber security efforts.
Take an example: an employee, Anna, is checking her personal email at work and opens a message that promises she will lose $10 within the next week. She clicks the link inside the email and, without realizing it, deploys malware onto her workstation. The malware is now not only on her system but also spreading across the network.
Only 22% of information workers are concerned about security at their organization. That matters, because poor security awareness is the single biggest obstacle to defending against cyber attacks.
Security awareness is a way to ensure that everyone at your organization has an appropriate level of knowledge about cyber threats, a sense of the potential impact those threats would have on the business, and an understanding of the steps required to keep an attack from reaching their workspace.
The way we see it, the first line of defense in any security posture is your controls: how you enforce security best practices and prevent successful compromise. The second line of defense is detection: how you identify attacks or attempted breaches, and how you know whether your controls are working. The third line of defense is your people: how aware they are of security and what they do to avoid being the weakest link.
A good security awareness program arms your third line of defense by educating people about the first two, while giving them the tools they need to do the right thing day in and day out.
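As an added example of the kind of detection control the second line of defense relies on (this is not code from the original article), the Python script below flags three common phishing indicators in an email: a Reply-To domain or a Return-Path domain that differs from the From domain, and a link whose visible text names one site while its href points to another, as in Anna's scenario above. The two messages it inspects are constructed samples on reserved example.* domains, and the domain comparison (last two labels of the host) is an assumed simplification rather than a public-suffix lookup.

```python
"""Flag common phishing indicators in a raw email message.

Added example: the messages below are constructed samples on reserved
example.* domains, not real mail from any of the cases in the article.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels of a host.

    Assumption: good enough for example.com-style names; a real deployment
    should consult a public-suffix list (co.uk and friends break this rule).
    """
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Registrable domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def url_domain(text):
    """Registrable domain of a URL, accepting bare hosts such as 'example.com'."""
    if "://" not in text:
        text = "http://" + text
    return registrable_domain(urlparse(text).hostname or "")


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    # Indicators 1 and 2: replies or bounces routed to a domain other than the sender's.
    from_domain = address_domain(msg.get("From"))
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and address_domain(value) != from_domain:
            findings.append(f"{header} domain differs from From domain")

    # Indicator 3: link text that names one site while the href goes to another.
    extractor = _LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            extractor.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    for href, text in extractor.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and url_domain(text) != url_domain(href):
            findings.append(f"link text {text!r} points to {urlparse(href).hostname}")
    return findings


# Constructed phishing sample: the "click the link" scenario from the text.
PHISHING_SAMPLE = """\
From: "IT Service Desk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.net
Return-Path: <bounce@mailer-xyz.example.net>
To: anna@example.com
Subject: Action required: your password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today. Reset it now:</p>
<a href="http://example.com.login-verify.example.net/reset">https://example.com/reset</a>
</body></html>
"""

# Constructed benign sample: every domain lines up with the sender's.
BENIGN_SAMPLE = """\
From: "Payroll" <payroll@example.com>
To: anna@example.com
Subject: Your payslip is available
Content-Type: text/html; charset=utf-8

<html><body><a href="https://hr.example.com/payslips">View your payslip</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run as-is it prints three findings for the phishing sample and none for the benign one. A mail gateway would use the same three checks as scoring inputs rather than hard blocks, since legitimate newsletters routinely set a third-party Return-Path; the point is that each finding is also something an aware user can verify by hovering over a link or expanding the sender details.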
Simply put: people are the weakest link in any organization's cybersecurity defenses. This oft-repeated claim may sound like a buzzword, but a quick look at incident records, such as the well-known Target breach or the more recent WannaCry outbreak, shows that even with the best technology in place, if the human factor is neglected, exposure to threats, and the resulting impact, is far higher than most would call acceptable.
Security awareness programs are important because they reinforce that security is the responsibility of everyone in the organization (not just the security team).
The numbers bear this out: last year the FBI reported a staggering $12.5 billion lost to email fraud.
Now consider that many of the high-profile breaches reported in the news recently originated from a single successful spear-phishing email.
Below are some breaches that resulted from a lack of security awareness across the organization.
The 2014 Yahoo hack was significant, exposing up to 500 million accounts, including usernames, phone numbers, security questions and answers, password recovery emails and cryptographic values associated with each account.
The attackers used a spear-phishing email targeting “semi-privileged” Yahoo employees. One employee fell for it, giving the attackers a foothold in the Yahoo network from which they dumped the Yahoo user database.
In May 2017, one of the biggest ransomware outbreaks in history, WannaCry, left organizations such as the NHS, FedEx, Nissan and Hitachi crippled. It hit more than 150 countries and 200,000 computers worldwide. Rather than relying on each victim to open an attachment, WannaCry spread as a network worm, exploiting a flaw in Windows SMBv1 file sharing that Microsoft had patched two months earlier (MS17-010, March 2017); one unpatched machine on a network was enough to infect the others. Investigations found that many organizations (including the NHS) had not installed that patch, leaving them exposed to WannaCry’s rampage. Alongside this, the NHS had been warned that it was at risk of a cyber-attack, and did very little to prevent it.
According to the SecureWorks 2018 Incident Response Insights Report, 42% of attackers gained entry through successful phishing, reinforcing the need for ongoing employee education.
The 2014 Sony Pictures breach began when the company’s top executives received fake Apple ID verification emails. Each email redirected the recipient to a phishing website that harvested the executives’ Apple account details. The attackers combined that information with the executives’ LinkedIn profiles as they worked their way into Sony’s network. They crippled the network and made off with 100 terabytes of data.
Here are some benefits of a security awareness program that show how it can help protect your organization from attackers and other bad actors.