Getting your awareness training right is essential for cyber resilience
Cyber-related fraud is at its highest level since 2008 according to the latest research – a stark fact that makes information security awareness learning for employees more vital than ever.
The recently published KPMG Fraud Barometer 2017 identified a 1,266% jump in cyber fraud since 2015 and a resulting loss of £113M for UK businesses – an eight-year high which shows every sign of increasing. The statistics cover only cases which reached court, and they show how important it is for organizations, given the pace of technology and business change, to keep abreast of cyber threats and maintain their protection. But this only touches the surface, as many more such incidents will never reach court.
Hitesh Patel, KPMG’s UK Forensic Partner, said: “You can have a variety of IT protections in place to defend yourself, but it’s all for nothing if you are tricked into giving away the keys to the electronic vault.”
The reality is that the biggest cyber vulnerability is human error: the figure widely cited in the industry is that 90% of successful cyber-attacks depend on the unwitting actions of someone in an organization, regardless of their role or seniority. To avoid giving away those precious keys, management and company boards need to understand these risks fully, while also acknowledging that no organization is immune to attack.
Training your staff to be cyber-aware
The most important line of defence is your people. Organizations need to ensure that their employees are fully engaged and equipped with the right knowledge and skills to understand their roles and responsibilities in maintaining resilience.
It is no longer enough to provide an annual, compliance-driven security awareness course. Details are quickly forgotten, and the required behaviours are neither instilled nor sustained. Training has to be memorable, tailored and continuous to ensure people have the confidence and ability to protect the most sensitive and valuable information. The risks and impacts are too great for ignorance to be a valid excuse, especially once the General Data Protection Regulation (GDPR) comes into force in May 2018.
A new approach is needed for greater organizational cyber resilience – one where learning is continuous and sustained over time. An effective and engaging cyber awareness training programme should follow these guiding principles:
- Buy-in and involvement of those at the top is vital to show just how seriously the leadership team takes cyber resilience
- Reinforce, refresh and evolve the learning content and delivery techniques. Combine engaging online learning with offline activities such as events and team learning
- People learn differently, so offer a lively mix of online formats that lets each person choose their preferred learning style while reaching the same learning outcomes
- Great campaigns have great stories, so go beyond technology and jargon and talk about the business impacts and personal consequences of a breach. An example is ‘Whaling for Beginners’, a serialized thriller written for RESILIA™ about the catastrophic consequences, both personal and professional, of a cyber-attack on a packaging company and its partners
- Stay agile so you can adapt, fine-tune and pilot new techniques. Don’t be afraid to use news of the latest attacks to show how they could affect your organization, and consider identifying team ‘mentors’ or ‘champions’ who can be involved in the design of the learning
The future success of any organization will be grounded in recognizing that all of its employees play a crucial part in maintaining cyber resilience. Training needs to be memorable so that it creates a deeper awareness of the threats, and so that individuals and the organizations they work for do not become unwitting victims of attacks which are often simple to instigate but devastatingly effective if they succeed.
Visit www.axelos.com/resilia-infosec-conundrum to download my chapter on the new approach to cyber resilience in ‘Managing Cybersecurity Risk: How Directors and Corporate Officers Can Protect their Businesses’, published by Legend Business. You can also request a RESILIA Awareness Learning demo by completing the form.
Read the first post in this series, The Information Security Conundrum: 5 Key Lessons for Effective Information Security Training.