To reduce the risk of a cyberattack, organizations must confront the fact that people are their biggest source of risk. Employees forget procedures and are susceptible to emotional pressure, so they make mistakes that leave companies vulnerable. The best way to protect your organization from cyberattacks is to train your employees regularly so they have the knowledge and skills to recognize a potential attack and know what to do when confronted with one.
Cyberattacks are everywhere. The IBM/Ponemon Institute's 2021 Cost of a Data Breach report put the average cost of a data breach in 2021 at $4.24 million, a 10 percent rise from the 2020 figure. Costs were higher still when remote working was a factor in the breach, averaging $4.96 million. The United States had the highest average total cost of a data breach of any country for the 11th year in a row.
Business email compromise (BEC) was the initial vector in only 4 percent of breaches but had the highest average total cost of the 10 initial attack vectors in the 2021 study, at $5.01 million. The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million). Each of these vectors depends on a person being deceived or careless, which is exactly what security awareness and anti-phishing training address.
What Is Security Awareness Training?
Security awareness training (SAT) is an indisputable need for any company with employees and an online presence. SAT programs play a significant role in creating a security culture by teaching the cybersecurity and regulatory compliance procedures that are crucial to protecting organizational computers and other devices, systems, and data. Leading courses present best practices in an engaging and memorable way so learners understand the methods and are motivated to carry them out daily. A comprehensive program should cover the whys and hows of the following topics:
- Basic security hygiene, including IT policies
- Remote workspace and home office security
- Business email compromise
- Mobile device security
- Cybersecurity while in public (proper use of VPN)
- Data privacy, classification, handling and protection
- Spotting and thwarting malware
- Password protection
- Social engineering scams
- Online security
Numerous laws and industry regulations require security awareness training to ensure that employees have been taught the basic security practices that protect organizational data. For example, HIPAA and the Gramm-Leach-Bliley Act (GLBA) both have security awareness training requirements, as do PCI DSS and ISO/IEC 27002. In addition, employees of the federal government (under FISMA) and of many state governments are required to take annual SAT.
What Is Anti-Phishing Training?
Anti-phishing training is another essential cybersecurity topic for employees. Phishing attacks have increased sharply over the last decade and can be quite sophisticated and difficult to detect. Targeted messages, known as spear phishing and business email compromise, deliberately use tactics that evade anti-phishing software filters and often come from hijacked legitimate business email accounts. They are commonly used for information gathering, and people share confidential details because there are so few indicators that the messages are illegitimate. Because the technical indicators are so weak, training has to teach employees to verify any unusual request for a payment, credentials, or data through a second channel before acting on it.
Use security awareness training to educate your staff about common dangers, such as unsecured networks and password reuse, while also demonstrating secure behaviors like using multifactor authentication, regularly backing up data, and avoiding printing sensitive data (especially when working from home).
For more information on security awareness training and anti-phishing training, check out available courses from Global Learning Systems in the OpenSesame course catalog.
Editor's note: This post is adapted from a post that originally published on the OpenSesame website.