October is Cybersecurity Awareness Month, an annual event that promotes safe online behaviour and encourages organisations and individuals to do their part in the fight against cybercrime.
By Brian Pinnock, vice-president: sales engineering at Mimecast
With the growth of online threats and increased digitisation of our personal and professional lives, maintaining safe online behaviour has become essential in organisations’ efforts to halt devastating cyberattacks.
Building a culture of cybersecurity that permeates every layer of the organisation is an important step to push back against cyber threats and ensure companies can work protected.
Cyber threats put security awareness in spotlight
In Mimecast’s State of Email Security 2023 report, two-thirds of South African respondents said cyberattacks are growing increasingly sophisticated. 52% reported being harmed by a ransomware attack, while 92% said they were targeted by email-based phishing attacks.
In response, organisations are deploying layered security strategies that protect data and communications. Additionally, one of the most important components of any strategy is protecting people, which includes offering regular and impactful security awareness training.
Unsurprisingly, 99% of organisations surveyed as part of Mimecast’s State of Email Security 2023 report provide some form of cyber awareness training to their employees. By educating employees about different types of cyberattacks and how to avoid them, organisations minimise the human errors that are so often the cause of breaches.
Yet, despite offering training, eight in ten respondents still believe their company is at risk due to inadvertent leaks by careless or negligent employees.
Why the disparity?
For starters, just because training is being offered, doesn’t mean it’s happening on an ongoing basis. Regular training will constantly remind employees of safety best practices, keep cybersecurity top of mind, and acquaint them with the latest cyberattack types and techniques. This is the first important step in creating a cyber-aware culture.
Measuring for success
One aspect of organisations’ security awareness efforts that is often neglected is measurement. Without measurement, organisations can only hope their awareness training efforts bear fruit.
After all, employees simply going through the motions of the security training programme are unlikely to offer much resistance against cyber threats. What really matters is that the awareness training programme changes behaviour.
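One concrete way to measure whether a programme is changing behaviour, rather than just being attended, is to track simulated-phishing outcomes per campaign and compare them over time. The following is an added illustration, not code from the article or from Mimecast; the campaign records are constructed sample data and the metric names (click rate, report rate, repeat clickers) are the author’s own choice of indicators.

```python
"""Behaviour-change metrics from simulated-phishing campaigns (added example)."""
from collections import defaultdict

# Constructed sample data: (campaign, user, clicked_link, reported_to_security).
# In practice these rows would come from the simulation platform's export.
SIMULATION_RESULTS = [
    ("2023-Q1", "alice", True, False),
    ("2023-Q1", "bob", True, False),
    ("2023-Q1", "carol", False, True),
    ("2023-Q1", "dave", False, False),
    ("2023-Q2", "alice", True, False),
    ("2023-Q2", "bob", False, True),
    ("2023-Q2", "carol", False, True),
    ("2023-Q2", "dave", False, True),
]


def campaign_metrics(results):
    """Return per-campaign totals plus click rate and report rate.

    Click rate falling and report rate rising across campaigns is the
    behaviour change the training is meant to produce; attendance alone
    tells you nothing about either.
    """
    totals = defaultdict(lambda: {"total": 0, "clicked": 0, "reported": 0})
    for campaign, _user, clicked, reported in results:
        entry = totals[campaign]
        entry["total"] += 1
        entry["clicked"] += int(clicked)
        entry["reported"] += int(reported)
    for entry in totals.values():
        entry["click_rate"] = entry["clicked"] / entry["total"]
        entry["report_rate"] = entry["reported"] / entry["total"]
    return dict(totals)


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are candidates for targeted follow-up training rather than
    another round of the generic course.
    """
    clicked_in = defaultdict(set)
    for campaign, user, clicked, _reported in results:
        if clicked:
            clicked_in[user].add(campaign)
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)


def behaviour_change(metrics, first, last):
    """Difference in click and report rates between two campaigns."""
    return {
        "click_rate_delta": metrics[last]["click_rate"] - metrics[first]["click_rate"],
        "report_rate_delta": metrics[last]["report_rate"] - metrics[first]["report_rate"],
    }


if __name__ == "__main__":
    m = campaign_metrics(SIMULATION_RESULTS)
    for name in sorted(m):
        print(f"{name}: click {m[name]['click_rate']:.0%}, report {m[name]['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SIMULATION_RESULTS))
    print("change Q1->Q2:", behaviour_change(m, "2023-Q1", "2023-Q2"))
```

The report rate deserves as much attention as the click rate: an employee who reports a suspicious message gives the security team something to act on, which is exactly the positive action the article describes, and a programme that only counts clicks never sees that improvement.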
And while organisations can certainly augment their human capabilities with security solutions designed to detect and avoid threats – for example, AI-powered security providing contextual warnings to end-users in real-time – nothing can match a cybersecurity culture that permeates the entire organisation.
An important step toward establishing an effective security awareness programme is setting top-level goals such as risk reduction, enhanced workforce behaviour and reputation protection.
When these goals are tied to broader business objectives, security teams are more likely to design and implement security awareness programmes that support business priorities, empower employees and strengthen the organisation’s security fabric.
Building a cybersecurity culture
While every organisation’s needs will be unique, the common qualities of an effective security awareness programme include:
* Starting with the basics – Although cyberattacks are growing increasingly sophisticated, it’s important to start with the basics. This includes healthy password hygiene (such as using complex passwords and not relying on single passwords for multiple online accounts), basic device safety (such as never leaving a laptop or computer unlocked and unattended and locking smartphones with passwords), and eliminating physical security mistakes such as leaving passwords stuck to laptops with sticky notes.
* Fighting the phish – In the past year, 59% of local organisations that formed part of Mimecast’s State of Email Security 2023 report experienced an increase in email-based phishing attacks as the use of email continued to rise. Organisations should train employees to spot and avoid suspicious emails, links and text messages and show examples of emerging threats, such as deepfake audio and videos.
* Collaborating carefully – Collaboration tools have become indispensable to the hybrid work environments that have become the norm over the past few years. These tools can also introduce enormous risks to organisations. In new research by Mimecast, 93% of South African cybersecurity decision-makers said they have experienced a cyber threat via collaboration tools. And despite 79% saying they had effectively communicated the security vulnerabilities of collaboration tools to employees, 41% of employees claimed they hadn’t received any collaboration tool security training. To close the gap, organisations should provide specific training about the security risks inherent in collaboration tools.
* Removing the fear – Companies that utilise emotive topics for the simulated cyberattacks they deploy as part of their training, such as emails about bonuses or salary increases, risk creating barriers to learning among employees. Instead, organisations should remove fear or resistance with simulated phishing tests that are more likely to make employees stop and think, prompting positive actions such as avoiding risky links and reporting threats to security teams. The focus should be on rewarding safe online behaviour, not tricking or punishing employees.