This month is European Cyber Security Month, an annual awareness campaign that takes place each October across Europe. The campaign educates citizens and organisations that cybersecurity is a shared responsibility, and encourages individuals to ‘stop, think, connect’ before acting online.
As cybercriminals increasingly target people and exploit the human factor to launch their campaigns, employees find themselves in the line of fire. With email reported as the threat vector in around 90% of attacks, it is critical that organisations work to raise cyber security awareness and change human behaviour in relation to phishing.
This critical aspect of a unified approach to cybersecurity was flagged by Gartner back in 2017 in its Magic Quadrant for Security Awareness Computer-Based Training: “People influence security far more than any technology or policy. Security leaders must invest in tools that increase cyber security awareness and influence behaviour to support critical security business objectives through computer-based training.”
Here are some key statistics on cybersecurity misconceptions to help you drive conversations with your stakeholders on the need for security awareness and training:
- Independent survey results* reveal that in the UK alone, almost a third of respondents are unsure what phishing is and, despite the media coverage around WannaCry last year, 56% do not know what ransomware is.
- 35% of UK respondents don’t know what a VPN is.
- 63% of UK respondents think that if you use antivirus software and keep it up to date, it will stop cyberattacks from affecting your computer.
Know who’s being targeted and why
It’s clear that phishing simulation and cyber security awareness training for your employees have become more important than ever, but do you know how, or when, your people are being targeted? How do you effectively change behaviours to reduce the risk of future attacks?
Your business must craft a cyber security strategy that protects the people who are being targeted most, rather than focusing only on the technology they use. Understand who has access to valuable data, how they are targeted by threats, and who is most likely to click on a malicious link, for example. By taking this people-centric approach, you’ll be able to identify your VAPs (Very Attacked People) and take the necessary steps to protect them, and your business.
Make security awareness and training a pillar of your cybersecurity strategy
The most successful phishing simulation and security awareness training programmes have not just top-down buy-in, but top-down participation. This helps to build a company-wide culture of security in which good decision-making and the application of cybersecurity best practices become daily habits for end users at all levels.
Start by assessing your employees: run simulated phishing attacks and knowledge assessments, and review the results. Implement an education programme aimed at the end users who need it most, and communicate regularly with your users to keep them aware of the current threat landscape. Finally, measure your programme’s performance so that you can identify areas for improvement and track progress. Over time, you will see a reduction in employee-driven cyber security incidents. Royal Bank of Scotland adopted this approach and reduced its phishing click rate from 47% to 22% in just two months.
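The two steps above, identifying your most attacked and most vulnerable people and then measuring whether the programme moves the click rate, can be turned into a small scoring script. The following is an added example and not code from the original post or from Proofpoint/Wombat: the simulated-phishing results, the per-user attack counts and the data-access ratings are all constructed for illustration, and the VAP score is a simple transparent heuristic assumed here (attack volume plus data-access weight plus simulated click rate), not the method used in the report cited below.

```python
from collections import defaultdict

# Constructed simulated-phishing results (campaign, user, clicked, reported).
# Not real telemetry; two campaigns, four users.
SIM_RESULTS = [
    ("2018-Q3", "alice", True,  False),
    ("2018-Q3", "bob",   False, True),
    ("2018-Q3", "carol", True,  False),
    ("2018-Q3", "dave",  True,  False),
    ("2018-Q4", "alice", False, True),
    ("2018-Q4", "bob",   False, True),
    ("2018-Q4", "carol", True,  False),
    ("2018-Q4", "dave",  False, False),
]

# Assumed: count of real (non-simulated) malicious emails each user received.
ATTACKS_RECEIVED = {"alice": 40, "bob": 3, "carol": 12, "dave": 25}

# Assumed data-access sensitivity: 1 = ordinary, 2 = sensitive, 3 = critical
# (for example finance, HR or admin access).
DATA_ACCESS = {"alice": 3, "bob": 1, "carol": 2, "dave": 3}


def campaign_metrics(results):
    """Per-campaign click rate and report rate, as fractions of messages delivered."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, did_click, did_report in results:
        sent[campaign] += 1
        clicked[campaign] += did_click
        reported[campaign] += did_report
    return {c: {"click_rate": clicked[c] / sent[c],
                "report_rate": reported[c] / sent[c]} for c in sent}


def user_click_rates(results):
    """Per-user click rate across all campaigns (0..1)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _campaign, user, did_click, _reported in results:
        sent[user] += 1
        clicked[user] += did_click
    return {u: clicked[u] / sent[u] for u in sent}


def rank_vaps(results, attacks, access):
    """Rank users by an assumed heuristic: attack index (attacks scaled to 0..1)
    + data-access weight (rating / 3, so 0..1) + simulated click rate (0..1).
    Highest score first; each component is kept in the same range so no
    single factor dominates."""
    rates = user_click_rates(results)
    max_attacks = max(attacks.values()) or 1
    scores = []
    for user, rate in rates.items():
        attack_index = attacks.get(user, 0) / max_attacks
        access_weight = access.get(user, 1) / 3
        scores.append((user, attack_index + access_weight + rate))
    return sorted(scores, key=lambda s: s[1], reverse=True)


def click_rate_change(results, before, after):
    """Click rate of two campaigns, for tracking programme progress."""
    metrics = campaign_metrics(results)
    return metrics[before]["click_rate"], metrics[after]["click_rate"]


if __name__ == "__main__":
    for campaign, m in sorted(campaign_metrics(SIM_RESULTS).items()):
        print(f"{campaign}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    for user, score in rank_vaps(SIM_RESULTS, ATTACKS_RECEIVED, DATA_ACCESS):
        print(f"{user:6} VAP score {score:.2f}")
```

With the constructed data the click rate falls from 75% in 2018-Q3 to 25% in 2018-Q4 while the report rate doubles, and the ranking puts alice and dave first: they are heavily attacked and hold critical access, so they are the people to train and protect first even though carol clicked every time. In a real programme the attack counts would come from your email security gateway and the access ratings from your identity or data-classification inventory.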
To learn more about how to protect your organisation, read the report ‘Protecting People: A Quarterly Analysis of Highly Targeted Attacks’ for insight into which of your employees are most likely to be targeted, the new techniques attackers are using, and tips on how to build a people-centred defence.
(*2018 User Risk Report: Results of an International Cybersecurity Awareness Survey, Wombat Security, a division of Proofpoint.)