Businesses are still failing to prioritise cyber security awareness strategies, leaving the ‘human factor’ open to criminals seeking to exploit and extort.
Nearly four in ten global organisations are victims of ransomware, with IBM reporting that the average cost of data breaches due to human error stands at over $3 million.
A lack of human firewalling means people have become the primary attack vector for cyber attackers. While businesses are increasing spending on cybersecurity tools, as our latest research demonstrates, there is a worrying lack of strategic focus and underinvestment in security awareness programs.
With many cybercriminals leaning heavily on highly effective versions of ‘old-school’ tactics like phishing, a lack of resources means employees are unable to protect themselves and their businesses from attacks. It’s a situation that academics describe as ‘critical’.
Security awareness is far from mature in today’s businesses
Using our Security Awareness Maturity Model, the new research from SANS shows that over a third (38%) of EMEA businesses have ‘non-existent’ security awareness programs. Employees have no idea that they are a target or that their actions directly impact security, do not know or follow organisation policies, and easily fall victim to attacks.
Nearly a third (29%) of organisations have reached the basic compliance-focused stage, where ad-hoc training programmes meet specific compliance or audit requirements, leading to a similar lack of understanding of policies and the impact of individual behaviour.
Security awareness must be an established part of the organisation’s culture, going beyond changing behaviour to transform people’s beliefs, attitudes, and perceptions of cybersecurity. However, just one-quarter of businesses have a robust metrics framework aligned with the organisation’s mission and leadership priorities to track and measure the impact of security awareness.
In fact, even where organisations have invested in Security Awareness professionals, our research found that more than 69% spend less than half their time on security awareness. Only 18% are dedicated full-time to supporting their awareness program, not afforded the time, scope or staff to perform their role correctly.
The pandemic has exacerbated the situation, leading awareness professionals to report that the workforce suffered greater distraction and overwhelm. In the tumult of lockdown, security awareness was not deemed mission-critical, and criminals quickly took advantage of this lack of focus. Now, new workforce patterns also make spreading security awareness across the business a more difficult challenge but one that must be addressed.
Supporting security awareness professionals to build better defences
As our report uncovered, there are several trends affecting the impact of awareness programmes. A clear indicator of the changes needed is the fact that the most mature awareness programs have the strongest support from company leadership. So how can security awareness professionals across all organisations be more engaged with leadership?
1. Talk in Terms of Risk
Far too often, security awareness is perceived as a compliance effort. To effectively engage leadership, focus on and use terms that resonate with them and demonstrate support for their strategic priorities. Don’t talk about what you are doing, talk about why you are doing it, and specifically demonstrate how security awareness effectively manages your organisation’s human risk.
2. Create a Sense of Urgency
Does leadership perceive the human factor as a significant risk? Leverage data and statistics and work with your Security Operations Center, Incident Response, or Cyber Threat Intelligence Teams to better document key human risks and show how people are one of the most significant drivers of incidents.
3. Communicate the Impact
Dedicate two to four hours a month to collecting information about the impact and value of your awareness program and communicating it to leadership. This information can include informal metrics, established key performance indicators, or success stories. Enable leadership to understand and see the value that your program is providing. For a framework to demonstrate impact, explore our Maturity Model Indicators Matrix.
4. Document Security Team Discrepancy
Security teams are often technically heavy, but as a starting point, we recommended having a ten-to-one ratio of technical security professionals to human-focused security professionals. As mentioned, the human risk factor requires a human response and dedicated talent provides the levels of defence today’s threats demand.
5. Break Down Your Needs
Document all the steps and initiatives you need to take for your security awareness program to be effective. These can include working with Audit and Legal for compliance purposes, partnering with Human Resource and Communications for employee outreach and training, working with IT, developers, and other technical staff to design role-based training, etc. By documenting the number of full-time employees needed and demonstrating the value of these efforts, leadership will have a better understanding of the investment required.
6. Develop Partnerships
The more you can partner with other departments in your organisation, the more effective your team will be. Partner with Communications to help engage and communicate with your workforce and train them. Work with Human Resources to help with new hires or on measuring and building a strong culture. Collaborate with Business Operations to help analyse metrics and data points.
7. Keep it Simple
Training does not have to be complicated or costly, such as complex, gamified computer-based training. It can be something as simple as leading a virtual webcast on ransomware, bringing in a guest speaker from law enforcement to talk about identity theft, hosting an online Ask Me Anything session with leadership, or launching a fun scavenger hunt. What’s important is often you are effectively engaging the workforce and making that training simple to understand.
Addressing the human factor goes way beyond compliance
Security awareness is at a critical juncture. Organisations can no longer justify annual training to check compliance boxes. All organisations need to understand where they fall on the Maturity Model, so they can then plot a path towards transforming their awareness culture, improving the workforce’s behaviour and reducing human error.
This requires the support of leadership as a matter of urgency, and awareness professionals have a crucial role in ensuring leadership is engaged. However, it also requires those same professionals to be supported, properly resourced and appreciated for their vital role. Only when security awareness is a strategic priority can organisations be confident in their cybersecurity credentials.
About the Author
John Davis is Director at SANS Institute in the UK & Ireland. He leads a team of highly experienced cyber security professionals to provide practical insight, advice, and guidance for top security practices, including good cyber hygiene and closing capability gaps to avoid blind spots in defences.
At SANS, John brings together groups of people to create a clear mission in line with the known market need for more intelligent and more effective cybersecurity than ever. His three years with SANS is part of fifteen years’ experience in enterprise leadership, specialising in transformation, and twenty years’ background in some of the world’s largest organisations, providing IT solutions, collaboration tools, and security services.
Featured image: ©Sergey Nivens
