Security awareness training is vital for businesses of all sizes.
Many businesses rely on software and policies to keep their data secure, but that’s not enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking related breaches used weak or stolen passwords.
It’s simple: Employees are the biggest gap in your security wall. No matter how great your software is, it only takes one person to click the wrong link, and you have a massive security breach that costs an average of $100,000 to recover from.
A security awareness training program is key to helping employees understand how to avoid problems and how not to be the person who puts the entire network at risk.
Here are 4 important facts that you need know before you start your security awareness training program.
71% of organizations were successfully spear phished in 2014
Spear phishing is a targeted attempt to gain access to an executive’s credentials, like passwords. This is contrasted with just-plain phishing where a trap is laid in the hopes that someone will fall into it.
Spear phishers target executives, often a specific executive, in an attempt to get into a certain system.
Spear phishing, like most hacking attempts, is a behavior-based hack.
Many business owners think of hackers as using software to break past a firewall or trying to find a backdoor into a piece of software. In truth, over 90% of all hacks occur because someone clicked a link in an email, opened an infected attachment on an email or went to a malicious website.
The 2016 US Presidential campaign hacks were the result of spear phishing attacks. An email was sent out by hackers saying the user needed to change their password. The user did, but it was on a bogus site. The hackers stole their password and data.
Another technique which was used was to infect the network with spyware that was able to observe online activity and the hackers stole their passwords and emails that way.
Over ⅔ of executives have been successfully spear phished. This means that it’s not about intelligence or education; security awareness training is about knowing what to look for in emails and on websites.
Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it
Antivirus and anti-malware software are vital, but they’re not foolproof. Even if a program is actively scanning your system, it might not find a phishing attack for hours, days or it might not find it at all. Most antivirus software doesn't actively scan. Most of this software scans once or twice a day and it requires periodic updates.
For an average of almost 18 hours phishing emails will hang in someone’s inbox, waiting to be opened, before anti-malware software finds it and neutralizes the threat.
This makes teaching staff to recognize phishing emails even more imperative. Lots of folks figure, “We have antivirus software, so if it’s in my inbox, it must be okay.” Dispelling this myth needs to be part of your training.
Security awareness training can reduce a company’s exposure by up to 70%
Few things will give you the ROI that security awareness training does.
According to the most recent IBM Cost of a Data Breach Study, on average, a breach costs $148 per stolen record.
Take a moment to consider that - that means that if you have 100 records stolen, it will cost your company $14,800. A thousand records would be $148,000!
What’s the average size of your spreadsheets or data files that contain client or staff information? Multiply that by $148 and see if you’re willing to pay that amount or the cost of a good security awareness program.
If you can reduce your exposure to loss by 70%, why wouldn’t you do it?
Staff data is often stolen too
When we think of data breaches, we often only consider customer data - information entrusted to us by our customers. Many staffers forget that their data is on the company network as well.
Every employer has their employees’ social security numbers, but that's not all they have. Employees' personal email logins can be found on most systems. Addresses, phone numbers, social security numbers of children and spouses, medical data, emergency contacts’ personal data and more is sitting on the company’s network.
If the network is hacked, there’s a very real chance that employees’ personal data will be taken as well.
What all of this means to your company and staff
All of this is important to understand as you start your security awareness training. Each of these facts is a lesson that needs to be clearly understood.
- 71% of executives were successfully spear-phished in 2014 - Unless one is to assumes that 71% of executives have below average intelligence, being smart has nothing to do with your vulnerability. It has to do with attention to messages and knowing what to look for.
- Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it - Staff can’t rely on antivirus/anti-malware software to protect them. They must be vigilant.
- Security awareness training can reduce a company’s exposure by up to 70% - The ROI of security awareness training far outweighs any costs incurred. In fact, other than locking the front door, there isn’t anything a staff member can do that can save the company more money.
- Staff data is often stolen too - This is personal. Each employee needs to understand that the company’s servers contain their data as well. They need to know that they are as vulnerable as anyone else.
Security awareness training is simply part of life in the modern computer age. It needs to happen.