Training & Awareness: A Difference-Maker in Cybersecurity

The human element plays such a pivotal role in cybersecurity. At a business level, one of the most powerful ways to strengthen your security strategy is to invest in and improve cybersecurity training and awareness programs—here’s why.

The Human Threat

A recently commissioned study here at Nuspire on the top CISO buying trends found that end-users are a significant concern point for decision-makers. In fact, 50 percent of surveyed CISOs and IT decision-makers cited human error as the primary reason for IT vulnerabilities.

It’s not that the employees who use IT systems are inherently incompetent or reckless. But cybersecurity knowledge doesn’t come naturally to most people. Good cyber practices require training in and ongoing awareness of how to safely use systems and avoid common scams.

Training provides the knowledge for users to avoid misconfigurations, better secure their accounts, safely handle sensitive data and evade social engineering attacks. But without transforming learning materials into practice through ongoing awareness, efforts to bolster the human element in cyber defenses are likely to fall short. When users are trained but not aware, they often forget in the moment about avoiding the behaviors that would compromise cybersecurity or acting wisely and cautiously.

The strange contrast in modern cybersecurity is that despite the proliferation of advanced (and useful tools) to protect systems and data, successful attacks often exploit mistakes in user behavior. Social engineering attacks are particularly effective at using psychological manipulation to exploit untrained users.

When considering the human element in cybersecurity, you’ll often see resources focusing on threats from malicious insiders who purposefully exfiltrate data or install malware on their own employers’ systems. These stories perhaps gain more media traction due to the almost movie-like narrative of employees going rogue.

However, unintentional threats from people acting without sufficient knowledge or awareness represent the bulk of cyber risks internally for businesses. Addressing the human threat makes investing in better training and awareness programs a necessity.

Infamous Breaches Caused by Employee Errors

To get more of a flavor of the behaviors people engage in and the consequences that follow when cybersecurity training and awareness programs are either ineffective or neglected, let’s take a look at three high-profile breaches caused directly by human error.

• Twitter: A Bitcoin scam propagated on Twitter by compromising the accounts of over 130 individuals, each of whom had at least 1 million followers. The threat actors obtained access to these accounts by sending spear phishing emails targeted at Twitter employees, who provided access to internal tools. These internal tools enabled the attackers to take over targeted accounts.
• Toyota: A European subsidiary of the Japanese car manufacturer lost out on $37 million when an internal employee was duped by a third-party hacker who posed as a business partner. The “business partner” sent a phishing email that convinced someone working in the accounting or finance department to transfer the sum.
• Pegasus Airlines: In 2022, security researchers uncovered 6.5 terabytes of sensitive data (equating to around 23 million documents) in an AWS S3 bucket belonging to the Turkey-based airline. An employee left the S3 bucket unsecured without any password or access controls.

What Makes for Effective Cybersecurity Training and Awareness?

Here are some tips on what to incorporate into your training and awareness programs to improve knowledge about cyber threats and ensure mindfulness of best practices.

• Tailor training materials to the situations and contexts that different employees in various business departments find themselves in daily. The information you want users to learn and remember is much more likely to resonate when it’s relevant to how they actually work and what systems they use.
• Consider splitting up materials into smaller quantities of engaging modules throughout the year instead of the often tedious drudgery of employees having to make their way through several modules at once just to hit a specifically mandated deadline.
• Use simulated attacks as a good way to maintain awareness among users about social engineering. These scams are becoming more targeted and sophisticated; there’s nothing like a real-world situation with no advance notice to help test current levels of awareness about social engineering.
• Prioritize educating users about the biggest cyber threats to your specific business and industry. Make sure to update this in line with the prevailing threat landscape, using threat intelligence feeds and industry reports.

Metrics to Improve Cybersecurity Training and Awareness Programs

When cybersecurity training and awareness programs don’t work, it’s often because they are allowed to stagnate. Completing the bare minimum level of mandatory training modules is seen more as a box to tick and satisfy internal IT compliance teams. Improving your program starts by reviewing it regularly and evaluating its performance by collecting useful metrics. Here are some ideas to consider.

• Garner the level of interest in training materials using self-reporting metrics and figure out whether ongoing awareness resonates via indirect observations (e.g., percentage of monthly cyber awareness newsletter emails opened).
• Module completion rates are also a potential proxy for the level of engagement with learning materials or the effectiveness of your organization’s messaging around the importance of end-user cybersecurity best practices.
• Anonymous surveys are great for gauging the level of cyber awareness at your company without the results being skewed by personalizing and shaming people for not knowing or remembering safe cyber practices.
• Counting the number of IT security policy violations over defined periods and comparing results can help to understand whether your program is actually influential and effective enough to change behaviors.

It’s vital to put people at the heart of your cybersecurity strategy. In a company with a strong cybersecurity culture and effective training and awareness, you can mitigate against some of the most common attacks that still work with startling regularity at even the largest companies.