Training at All Levels Protects Organizations, Customers and Employees
When it comes to security awareness and training, the primary focus is on managing end-user risk. And rightfully so, as an uneducated, unprepared end user is likely to exhibit much riskier behaviors than one who has been trained to recognize and respond to cyber security threats.
The question is, who do you think of when you think about “educating your end users”? Do you think about a top-down, organization-wide effort? Or do you exclude certain people — like executives, high-level managers, and/or IT employees — from your “they need to be trained” group?
It’s not unusual for training managers to focus their efforts on “lower-level” employees, excusing certain departments and job roles from cyber security education under the assumption that technical skills and/or levels of organizational investment and access render some employees impervious to social engineering attacks. Other times, groups are excluded for the simple reason that program managers don’t feel comfortable suggesting to their peers and superiors that there are topics they don’t know enough about.
Here’s the thing: Cyber criminals are only too eager to exploit the upper rungs of the corporate ladder. We feel the assumptions, excuses, and exclusions that are happening within some organizations are contributing to the rash of successful business email compromise (BEC) attacks that have extracted W-2 data and stolen funds. And there is an interesting side effect to some of these attacks: Instead of a junior employee compromising top-level people and systems, it’s the complete opposite, with a senior staff member turning over sensitive tax, healthcare, or employment data and creating major headaches for the entire organization.
Build a Culture of Security from the Top Down
The customers we’ve seen have the most success — and the best results — with their security awareness training programs are those whose executives participate in cyber security initiatives and encourage their employees to do the same.
A good example of this can be seen in our most recent case study, which showcases the results one of our utility customers is experiencing with its anti-phishing training efforts. (Since 2013, the utility has seen a more than 67% reduction in susceptibility to phishing attacks.) The program is delivered and discussed organization wide, and the utility has established a security advocate program that boasts more than 700 members in a variety of job functions and roles.
But the most important aspect is that all employees participate in the program — including those in high-level positions. In discussing the results with us, the utility’s security awareness training manager emphasized the value of executive buy-in, saying, “Our leaders really do support the cyber security team and this program. And that resonates with our employees, because they know if they are hearing it from the top, they need to take it seriously.”
It’s clear that the top-level buy-in isn’t just lip service. In fact, the training manager and her team used the customization functions available within our ThreatSim® simulated phishing attacks to create a whaling campaign that specifically targeted executives and directors — with their approval. These mock attacks showed how social engineers can use publicly available content (from Google searches and LinkedIn profiles, among other sources) to create highly personal and deceptive spear phishing emails. “We thought and acted the way that attackers are thinking and acting every day,” the training manager said. “It was a valuable lesson for our executives to learn, and a very effective way for them to learn it.”
Train Every Potential Target
It’s a simple fact that anyone within an organization can be a target, and there are any number of ways they can be victimized — a reality we have seen play out in countless news stories. And though entry-level and junior staff members are often targeted as being the “problem children” of cyber security, the access and authority granted to senior personnel mean that a higher-level breach can be far more costly to an organization, its customers, and its employees.
The rise of BEC attacks and their damaging ripple effects simply cannot be ignored. And the assumptions that certain employees “know better” while others don’t must be abandoned — particularly if you are not delivering effective cyber security education throughout your organization.
Looking to get executive buy-in for your security awareness and training program? Our Case Studies and Proof of Concept documents highlight real results from a variety of industry segments.
Subscribe to the Proofpoint Blog