- Accenture notes that 85% of organizations have reported that they experienced phishing and social engineering attacks in 2019.
- The same report also identified malware as the costliest type of attack, costing organizations, on average, a whopping $2,613,952.
- Cybersecurity Ventures expects that global spending on security awareness training for employees will reach $10 billion by 2027!
This Ask the Experts session stems from a question originally posted on Quora regarding the primary purpose of instituting a security awareness program.
In the information security world, it is a well-known fact that humans are, typically, the weakest link in an organization’s security program, when not adequately trained. However, with appropriate training, humans can be the determinant of whether an organization can defend itself against a cyber-attack or end up on a major news outlet, or blog, for losing hundreds of thousands of sensitive corporate records. To educate the workforce on emerging cyber threats, and how to defend against said threats, companies have invested in security awareness programs.
Many topics can be included in a security awareness program; however, all reputable security awareness programs must, at the very least, include discussions on social engineering (typically with an emphasis on phishing emails), malware, and password best practices. Additional topics often discussed include social media and operational security, establishing a clean desk policy, and mobile device security (if an organization allows employees to connect their personal devices to the corporate network). Let us briefly look at what is often included in discussions regarding social engineering, malware, and password best practices:
Social engineering is essentially an art form. In many cases, scammers have mastered the art of exploiting the human psyche, capitalizing on fear, uncertainty, and doubt to trick unsuspecting victims into divulging sensitive information. Security awareness programs underscore the tactics, techniques, and procedures utilized by con artists in scams, such as phishing emails that are used to capture an individual’s password, social security number, and/or other sensitive data, or to install malware on a victim’s device.
Social engineering can be used to install malicious software, known as malware, onto a victim’s device. It is impossible to defend against attacks 100% of the time; therefore, it is important that security awareness programs examine the tell-tale signs of malware being present on a victim’s device. It is important that employers provide employees with an overview of the indicators of compromise (IoCs) typically associated with a malware infection. Consequently, employees will be better prepared to notify the appropriate parties that their device is infected, and help to detect, contain, and eradicate malware before it propagates throughout the corporate network.
Password Best Practices
Hackers do not have to develop an elaborate plan of attack to compromise an organization’s IT assets. They can easily compromise an administrative account that has a weak password, break into said account, and utilize a legitimate account to steal, destroy, or modify data to complete their objective, all while covering their tracks. To help safeguard an organization and its assets, security awareness programs should discuss password best practices, such as how to create a secure password, avoiding the reuse of passwords, and how to enable multi-factor authentication.
We truly live in an always-connected world where organizations are continuously expanding their technical ecosystem. Cyber threats are constantly changing, and security is, now more than ever, the responsibility of every employee. Security awareness programs provide employees with the fundamental knowledge required to identify and report organizational cyber threats that stem from common attacks, such as social engineering, malware, and lax password policies.
Interested in learning more about the pros of establishing a security awareness program, or would like to schedule a security awareness workshop with us? Contact us and we will be glad to assist you with your security awareness needs! Do not forget to click here to subscribe to our weekly newsletter for more information security related tips and tricks.