Why security awareness is crucial for all employees this CSAM

Everyone has a role to play in cybersecurity, and not just those with technical jobs. That’s the theme of this year’s Cybersecurity Awareness Month (CSAM). Every October, IT and IS professionals roll their eyes as politicians pay lip service to security awareness (all while likely re-using passwords across accounts and clicking on suspicious links). But the importance of security awareness—for all—should not be underestimated. 

In this newsletter, I’ll explore the CSAM theme of “See Yourself in Cyber” in tangible ways, highlighting the difference between a well-informed, security-conscious workforce and one that fails to make security education a priority. Hint: There’s a lot more than company culture on the line. Those who downplay the impact of cyber-ignorance need only look at both IBM’s and Verizon’s 2022 reports, which show that human error is once again the leading culprit behind most cyberattacks, data breaches, and security incidents. 

Yet this is not new information. We’ve known that social engineering, and particularly phishing, continues to be one of the most successful attack vectors against businesses. And credential theft is up 30 percent. That’s why corporate cybersecurity policies, awareness education, and phishing tests exist in the first place. Are they just not working? Read on to learn more about the impact of awareness programs on organizations’ security postures, as well as how to deploy successful security training for every employee.  

Cheers, 

Marcin Kleczynski 

CEO, Malwarebytes 

Why security awareness is crucial in protecting businesses against cyberattacks

Seasoned IT/IS teams are likely familiar with the three pillars of a strong cybersecurity posture: people, process, and technology. People refers to having well-trained employees following security best practices. Process represents the security controls and protocols that are codified, implemented, and socialized among staff. And technology is, of course, the antivirus, anti-malware, and other security software deployed to protect the organization. All three pillars should be analyzed for potential risks, with those that jeopardize critical business data prioritized over the others.  

Since its inception in 2004, Cybersecurity Awareness Month (CSAM) has offered guidance and resources for individuals and businesses to raise awareness about each of the security pillars. Eighteen years after its founding, Americans are undoubtedly more aware of cyberthreats. But they’re as insecure online as ever. Kevin Coleman, executive director of the National Cybersecurity Alliance who has run CSAM from the start, admitted in a 2020 Washington Post article that the organization had, up until then, focused much of its energy on technology and process, and not enough on changing human behavior. 

Indeed, this year’s CSAM theme of “See Yourself in Cyber” sets its sights squarely on people, urging individuals to make smart cybersecurity decisions whether on the job, at home, or at school. Interestingly, the call to action is not only directed at the IT/IS professionals responsible for safeguarding business networks, devices, and data, but also to non-technical employees, families, partners, service providers, and aspiring security professionals. Essentially, the message is: Anyone using the Internet needs to adopt security awareness. 

They’re not wrong. Research has shown that people continue to be the weakest link of organizations’ security infrastructures and are ultimately responsible for 82 percent of all data breaches. When the CSAM program first began, the cost of cybercrime was practically negligible for businesses. This year, the price tag is expected to swell to $6 trillion. If cybercrime were a country, it would be the third-largest economy behind the US and China. Is one month of awareness annually enough to combat such threats? 

And for all the focus on raising security awareness, many companies (and their employees) still don’t follow basic cyber hygiene conventions designed to reduce their threat surface. To determine whether more awareness is the answer for controlling the cybercrime dumpster fire that is 2022, it’s important to first understand exactly how people are influencing the occurrence of security incidents and breaches. The results…are not pretty. 

To err is human 

Here are the facts on the ground: Most analysts agree that employees are a business’ biggest vulnerability. Of the four key paths for cybercriminals to access business networks—credential theft, phishing, exploited vulnerabilities, and botnets—two are distinctly a people problem. Credentials and phishing led to close to 70 percent of all security events last year, both of which are the result of lax security awareness. 

Stolen credentials, such as a person’s username and password, were not only the most common origin of breaches in 2021 but also took the longest to identify (327 days) and cost $150,000 more than the average compromise. In addition, credentials were exfiltrated in 44 percent of data breaches, meaning they’re not just the most common cause—they’re also the prevailing effect. And when 82 percent of users admit to re-using their credentials across accounts, they render each of those networks vulnerable, too. 

Social engineering is another key driver of breaches, with attacks split evenly between phishing and business email compromise. Phishing, or fraudulent emails sent to trick users into handing over personal information (like credentials), still causes close to 20 percent of business security incidents, despite being one of the oldest attack vectors still in use.  

Considering only 2.9 percent of employees actually click on phishing emails, you may wonder why cybercriminals still bother. For one, email is where threat actors can easily reach their targets. And since that 2.9 percent figure cuts across all industries and organizations, it’s more than enough people ensnared for criminals to keep it in their arsenal. Smishing, or SMS phishing, has gained in popularity as well, especially where folks are accessing work emails and documents on their personal cell phones. 

We can’t let IT/IS professionals off the hook when it comes to security awareness, either. Error led to 13 percent of breaches, with a good portion the result of misconfigured cloud storage. That’s because many cloud data storage implementations are stood up without appropriate access controls. Despite major cloud provider efforts to make default configurations more secure, these errors still persist. 

This is by no means an exhaustive or comprehensive list of cybersecurity’s people problem. (We haven’t even talked about lost or stolen assets, such as devices, or misdelivered documents.) Clearly, an increase in security awareness is necessary. But do employee education and training programs actually help? And if so, how should we measure their effectiveness?  

Pros and cons of awareness training 

Security professionals have heard that training can improve behaviors, both in day-to-day habits and in how systems are designed. Simple changes like reviewing communications with skepticism and storing passwords in a password manager can make a world of difference for a business’ security posture, and securely coded software resists exploits by design. In 2021, people spent an average of 175 minutes per year in security training—just under three hours. Yet human-centric breaches are still frustratingly common. 

This has led some researchers to suggest that awareness training may not be the panacea it’s cracked up to be. A 2016 study of the efficacy of cybersecurity awareness programs cautioned against over-relying on training to the detriment of systems architecture. Instead of awareness, some security professionals argue for reforms that would force companies to produce more secure products and place better privacy protections on data. “People will make mistakes, and infinite resources applied to awareness won’t change that,” said Phil Reitinger, CEO of Global Cyber Alliance, in a separate article. 

However, most security professionals (including Reitinger) agree that awareness is essential. And there is evidence that training, done properly, can improve awareness and change behavior for the better. In a recent study, 80 percent of organizations said that security awareness training had reduced their staffs’ susceptibility to phishing attacks. That reduction doesn’t happen overnight, but it can happen fast—with regular training shown to reduce risk from 60 to 10 percent within the first 12 months. Employees are getting better at identifying phishing, too, with an increase of about 10 percent in phishing test emails reported over the last half decade. 

Crucially, the methodology, content, and frequency of awareness training programs are integral to their success. Here’s what research shows is working today: 

  • Regular, reinforced education: Training should be a regular activity, with security concepts reinforced periodically—ideally every 4–6 months. Programs that are only offered as one-time sessions cannot truly change user behavior. 
  • Comprehensive curriculum: Comprehensive programs should include more than phishing tests and address a wide range of threats and risk scenarios. Failing to make the most of available programs or rolling out incomplete training exercises leaves the company vulnerable. 
  • Don’t just inform, integrate: A number of awareness programs, including CSAM, tend to inform without integrating into employees’ daily activities or carrying any consequences. To be effective, there must be some kind of consequence for employees who fail their training—or reward for those who pass. 
  • Make it a game: Game-based cybersecurity education has been proven effective in reaching both high school students and professionals. In fact, team-based gamified training that engages all levels of employees has been shown to be 16x more effective than standard training programs. 

For employees to truly benefit from cybersecurity training, they must accept that security awareness is important, know how to respond in a crisis, and be willing to act in the face of many other demands. Involving non-technical employees on security committees and practicing incident response through table-top exercises and simulated cyberattacks will foster a culture of cybersecurity at your organization while cementing awareness instruction as a pertinent exercise for all.  

Long story short: There’s no silver bullet awareness program that will remove all human error and negligence. Rather, think of awareness training as shoring up one leg of the three-legged people-process-technology table. If there’s too much focus on awareness, the table will wobble and tip. Not enough…the same result. Recognize that the security of your business depends on a comprehensive commitment to cybersecurity from all employees, through vigorous adoption of processes using the safest technology available. The rest is gravy. 

For a helpful cheat-sheet on how to effectively test and measure the results of security awareness training programs, check out Appendix C of the 2022 Verizon Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir/2022/appendix/  

For more information on Cybersecurity Awareness Month, take a look at CISA’s webpage of guidance and other resources: https://www.cisa.gov/cybersecurity-awareness-month  

For an example of a recent interesting security awareness campaign, read our blog on Malwarebytes Labs: https://www.malwarebytes.com/blog/news/2022/10/security-awareness-campaign-highlights-things-your-bank-will-never-say