The top threat facing any organization today is the staff member working from a computer! Not because this person intends to do malicious harm to the organization, but because of a lack of cyber security awareness and training. Confirmation of this comes from MediaPro’s 2017 State of Privacy and Security Awareness Report, in which over 1,000 people were surveyed and their responses to real-world cyber security questions were rated.
Respondents were grouped into 3 “risk profiles” based on their correct answers: Hero (93-100%), Novice (77-92%) and Risk (76% and lower). In summary, 70% of those surveyed scored at the Novice level. It might look as though 77% is a solid “C” and 92% is an “A-”. But if you consider that one instance of risky behavior, such as clicking on a link in an email, can infect your organization with ransomware, getting a C doesn’t seem like such a great score anymore. Then consider that if 70% of your organization is at the “Novice” level of cyber security awareness, the odds of being breached go up.
The 2017 Verizon Breach Report provides some sobering breach statistics:
- 62% were the result of hacking
- 81% of hacking-related breaches involved stolen or weak passwords
- 66% of malware was installed via malicious email attachments
- 75% were conducted by outsiders (25% insiders)
- 73% were financially motivated
- 51% involved criminal groups
- 27% were discovered by third parties
How do you make your entire staff Cyber Security Awareness Heroes? Here are some easy steps that will substantially improve cyber security awareness.
- Make cyber security awareness a priority in your organization. Discuss it in staff meetings and company-wide meetings regularly.
- Increase training frequency and delivery methods. Taking the same training class year after year does not improve awareness and clearly tells staff it isn’t a priority. Require two new and different training classes per year, preferably once a quarter.
- Hold an awareness campaign where emerging threats are reviewed and positive cyber security habits are encouraged.
- Encourage reporting of security incidents as learning opportunities. Investigate and document security incidents and then review them with the workforce to learn from them. Revise policies and procedures as needed to address process issues.
- If you have access to the data from your IT support organization, publish or post the statistics on attempts to hack into your network. We are all comfortable behind firewalls and forget how many bad actors are out there.
- Conduct email phishing campaigns to improve workforce email awareness, use and habits.
Your cyber security training program should continue to evolve to keep pace with the rapidly changing cyber threats. If you are a smaller organization, a job role should be assigned the responsibility to keep your training current and fresh.
Our dependence on computers and the Internet will only increase, as will the threat of sensitive data being stolen, causing damage to our reputations or our ability to do business. It is a small investment to train your workforce to protect your organization.