How Companies Can Move from Cybersecurity Training to Learning


Companies publish reports on their ESG (environmental, social, and governance) efforts, workplace safety and employee well-being, and data privacy and security. However, when it comes to cybersecurity, businesses today need to make an effort to go beyond the training and reporting requirements. Shaun McAlmont, CEO of NINJIO, shares why and how companies need to embrace cybersecurity learning.

Because companies have such powerful incentives to tell the world how well they’re doing on X, Y, and Z, they often attempt to provide this information even when they don’t have concrete programs or outcomes to report. When it comes to cybersecurity, this superficial approach simply won’t work. If a company doesn’t have a robust security awareness training (SAT) platform capable of changing employee behavior and keeping its information and systems safe, it will be vulnerable to potentially devastating cyberattacks. Companies have to assess their cybersecurity capabilities honestly, proactively educate employees on avoiding cyber threats, and determine whether their training programs have their intended effect. 

Cybersecurity Education Should Be Proactive

Over the past several years, many of the most notorious cyberattacks have been ransomware operations, in which attackers encrypt systems or hold data hostage until the victim agrees to pay. When Colonial Pipeline was attacked in May 2021, the company paid the Russian cybercriminal syndicate DarkSide almost $5 million in Bitcoin to restore its operations. Companies responsible for critical infrastructure are especially susceptible to ransomware, as cybercriminals recognize that vital services can’t remain offline for long. 

Cyberattacks aren’t just costly for companies in the infrastructure sector – they can have massive financial and reputational consequences for any organization. According to the most recent IBM Cost of a Data Breach Report, 2021 saw the highest average cost per data breach in the 17-year history of the publication: $4.24 million. The cost of a ransomware breach was even higher, at $4.62 million. IBM also found that it takes companies an average of 287 days to identify and contain a breach. It’s clear that companies face long-term consequences for data breaches – lost business accounted for 38 percent of total costs. 

These are all reminders that companies can’t afford to wait until after a successful breach to address weaknesses in their cybersecurity platforms, but that’s precisely what many are doing. According to Keeper’s 2021 Ransomware Impact Report, almost one-third of employees lacked adequate cybersecurity training before a successful ransomware attack. 29 percent didn’t even know what ransomware was before the attack.

Because many ransomware attacks rely on social engineering, this lack of employee education is a particularly damaging liability. According to Keeper, phishing emails were integral to 42 percent of ransomware attacks, while malicious websites and compromised passwords were responsible for 23 percent and 21 percent of attacks, respectively. IBM reports that one-fifth of all data breaches could be traced to compromised credentials. Verizon’s 2021 Data Breach Investigations Report found that 85 percent of breaches involved a human element. It’s no surprise that companies take a much more active interest in cybersecurity training after they suffer a successful attack, but by then, a considerable amount of damage has already been caused. 

When companies are hit with a ransomware attack, 87 percent say they enact more robust cybersecurity measures. For example, while 93 percent of companies were forced to tighten budgets after making a ransomware payment, more than two-thirds increased their spending on cybersecurity. The most significant post-attack shift was the emphasis on education: 90 percent of companies say they provided employees with more cybersecurity training. Although it’s a good sign that companies realize that under-trained employees pose a grave cybersecurity risk, it’s disturbing that an attack is necessary to spur action.


From Cybersecurity Training to Learning

There’s a clear difference between training and learning. While the former is an input that provides information about a company’s cybersecurity priorities, the latter is an output that demonstrates how effective the company’s cybersecurity training platform is. Companies must focus on cybersecurity learning – evidence that employees can put their training into practice and keep the company safe from real-world threats.

Unfortunately, there are many impediments to building an effective, outcome-based cybersecurity awareness program. For example, security awareness professionals say engaging employees is one of the top challenges they face. This is a significant problem, as engagement makes the difference between check-the-box cybersecurity exercises and programs that lead to sustainable behavioral – and ultimately cultural – change. 

A core part of developing a culture of cybersecurity is getting stakeholder buy-in at every level of the organization. While IT, HR, and legal departments often support stronger cybersecurity education initiatives, these initiatives can encounter resistance from company leaders responsible for managing costs and productivity. It’s essential for cybersecurity advocates to reach out to skeptical colleagues and explain why a secure organization is good for everyone. They should also address any concerns about cost, efficiency, and other factors that concern managers and department leaders who may be less familiar with the long-term benefits of cybersecurity training. It may seem more efficient to let employees use whatever productivity tools they want in the short term, for instance, but this can increase the risk of a cyberattack which will have significant repercussions. 

Cost-conscious department leaders may be tempted to create perfunctory training programs so they can check the cybersecurity box and move on, but this will do nothing to keep the company safe. Companies must develop rigorous metrics to track the success of their cybersecurity awareness programs. As companies dedicate more of their budgets to cybersecurity, they should invest in analytical tools that will help them track concrete outcomes and ensure that their resources are being put to good use. The proportion of organizations focused on performance metrics has increased in recent years. This trend will only pick up momentum as company leaders discover that a cyber-aware culture is indispensable to protecting their data, networks, and systems.  


Building an Aptitude for Cybersecurity Learning

There are many ways to test employees’ cybersecurity aptitude – a crucial component of developing a proactive and effective training platform. For example, companies can use evaluative tools such as phishing tests to determine whether employees are capable of putting what they’ve learned to use by identifying one of the most common types of cyberattacks (a recent PwC report found that 43 percent of companies have increased the employee report rate on phishing tests). When managers deploy microlearning content such as cybersecurity training videos, they can quiz employees to ensure that they remember the key points. They can also follow up weeks or months later with supplemental information and fresh quizzes to reinforce what employees have learned. Gamification is another tool with a proven record of engaging employees and helping them retain information. 
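The two points above, rigorous outcome metrics and phishing tests that are re-run over time, come together in a small amount of analysis code. The Python below is an added example for this article, not code from NINJIO or any awareness-training vendor. It assumes a simple event log (one "sent", "clicked" or "reported" record per user per simulated campaign; the field names and the five-user sample data are constructed for illustration) and derives the numbers a program owner would actually report: click rate and report rate per campaign, how fast reports arrive, who clicked in more than one campaign, and who should be queued for follow-up learning.

```python
"""Phishing-simulation outcome metrics over a constructed event log.

Added example for illustration; not NINJIO's or the article's own code.
The event vocabulary ("sent", "clicked", "reported") and all sample data
are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    action: str        # assumed vocabulary: "sent", "clicked" or "reported"
    ts: datetime


def _t(day, hour, minute=0):
    return datetime(2022, 1, day, hour, minute)


# Constructed sample log: a baseline campaign, then a follow-up after training.
EVENTS = [
    Event("q1-baseline", "alice", "sent", _t(10, 9)),
    Event("q1-baseline", "bob", "sent", _t(10, 9)),
    Event("q1-baseline", "carol", "sent", _t(10, 9)),
    Event("q1-baseline", "dave", "sent", _t(10, 9)),
    Event("q1-baseline", "erin", "sent", _t(10, 9)),
    Event("q1-baseline", "alice", "clicked", _t(10, 9, 12)),
    Event("q1-baseline", "bob", "clicked", _t(10, 10, 5)),
    Event("q1-baseline", "carol", "reported", _t(10, 9, 20)),
    Event("q1-baseline", "dave", "reported", _t(10, 11, 0)),
    Event("q2-followup", "alice", "sent", _t(25, 9)),
    Event("q2-followup", "bob", "sent", _t(25, 9)),
    Event("q2-followup", "carol", "sent", _t(25, 9)),
    Event("q2-followup", "dave", "sent", _t(25, 9)),
    Event("q2-followup", "erin", "sent", _t(25, 9)),
    Event("q2-followup", "bob", "clicked", _t(25, 9, 3)),
    Event("q2-followup", "alice", "reported", _t(25, 9, 30)),
    Event("q2-followup", "carol", "reported", _t(25, 9, 10)),
    Event("q2-followup", "dave", "reported", _t(25, 9, 45)),
    Event("q2-followup", "erin", "reported", _t(25, 12, 0)),
]


def _index(events):
    """Group events into sent/clicked/reported lookups keyed by campaign."""
    sent = defaultdict(dict)       # campaign -> user -> time the lure was sent
    clicked = defaultdict(set)     # campaign -> users who clicked
    reported = defaultdict(dict)   # campaign -> user -> earliest report time
    for e in events:
        if e.action == "sent":
            sent[e.campaign][e.user] = e.ts
        elif e.action == "clicked":
            clicked[e.campaign].add(e.user)
        elif e.action == "reported":
            prev = reported[e.campaign].get(e.user)
            reported[e.campaign][e.user] = e.ts if prev is None else min(prev, e.ts)
    return sent, clicked, reported


def campaign_metrics(events):
    """Per-campaign click rate, report rate and median minutes-to-report."""
    sent, clicked, reported = _index(events)
    out = {}
    for campaign, recipients in sent.items():
        n = len(recipients)
        delays = [(reported[campaign][u] - recipients[u]).total_seconds() / 60
                  for u in reported[campaign] if u in recipients]
        out[campaign] = {
            "sent": n,
            "clicked": len(clicked[campaign]),
            "reported": len(reported[campaign]),
            "click_rate": len(clicked[campaign]) / n,
            "report_rate": len(reported[campaign]) / n,
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return out


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    _, clicked, _ = _index(events)
    counts = defaultdict(int)
    for users in clicked.values():
        for u in users:
            counts[u] += 1
    return {u for u, c in counts.items() if c >= min_campaigns}


def reinforcement_queue(events, campaign):
    """Users who clicked the lure in `campaign` and never reported it."""
    _, clicked, reported = _index(events)
    return clicked[campaign] - set(reported[campaign])


if __name__ == "__main__":
    for name, m in campaign_metrics(EVENTS).items():
        print(name, m)
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("needs follow-up after q2:", reinforcement_queue(EVENTS, "q2-followup"))
```

Comparing the baseline and follow-up rows is the "learning" signal the article asks for: the click rate falling and the report rate rising between campaigns, for the same population, is evidence that training changed behavior, while the repeat-clicker set shows exactly where the reinforcement quizzes should go next.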

No matter what strategies your company uses to educate employees, the focus should always be on tracking and reinforcing what they’ve learned. It’s easy to develop a cybersecurity “training” program that does little more than distract employees a few times a year with random emails and meetings, but efforts like these will leave your company just as vulnerable to attack as before. A real cybersecurity training platform will give employees the skills to spot and prevent many different types of cyberattacks and adapt to new threats. 

How do you think cybersecurity learning is different from cybersecurity training? Tell us your thoughts on LinkedIn, Twitter, or Facebook. We’d love to know!
