Initiative #3.
- Forrester "Forrester Predictions 2021: Cybersecurity" October 2020
Cybercriminals and nation-state hackers are exploiting human vulnerabilities, and no one is immune to security slip-ups. While organizations have been engaging in security awareness activities for years, escalating threats and data privacy concerns require us to advance our efforts.
Traditional security awareness training often centers on regulations such as HIPAA, PCI-DSS and more recently, the GDPR and CCPA. But implementing a security awareness program is much more than a check-the-box compliance exercise. It’s a business function designed to reduce business losses.
If you don’t provide users with specific information about how they should respond under certain circumstances and continuously motivate them to practice behaviors that promote your security goals, the responsibility for any damage they cause lies with you.
59% of employees are not fully confident they could identify a social engineering attack.
- Osterman Research "2020 State of Privacy and Security Awareness Report" 2020
The global average cost resulting from insider threats—including negligent employees or contractors, malicious insiders, and credential thieves posing as insiders—is $11.45 million.
- Ponemon Institute "2020 Cost of Insider Threats Global Report"
The better informed that employees are about key issues, the more likely they are to be better able to defend against social engineering and other attacks. It's that simple.
- Osterman Research "2020 State of Privacy and Security Awareness Report" 2020
Security awareness training works hand in hand with technical controls. In addition to solutions that help mitigate attacks and human error — such as data classification, email security, endpoint security, privileged access management (PAM), and user and entity behavior analytics (UEBA) — security awareness training platforms can help educate employees and assess their security readiness.
They offer delivery via a variety of digital endpoints and provide both ready-to-use and customized content of different lengths (one- to two-minute microlearning lessons, interactive lessons, and episode-based, Netflix-like shows) in styles that can be tailored to specific roles or audiences.
1. Consider Your Corporate Culture: Work with senior management and employees to develop a strategy that blends your security awareness program with your existing corporate culture. Key considerations include your industry, workforce demographics, and what's relevant to different locations, departments, and roles.
2. Set Goals and Be Flexible: Identify the top concerns and risk factors in specific areas of the organization, and develop a calendar of activities to address them. Set reasonable, incremental goals and be prepared to make changes if initial approaches fail to produce positive results. Be repetitive in the reinforcement of key messages, but not in how they are delivered. Diversify media and determine what drives the most change.
3. Gamify Your Training: Incorporate gamification to encourage active engagement. True gamification is a reward system that positively reinforces learning; employees who want a chance to win are motivated to take the training seriously. What you reward them with depends on your corporate culture.
4. Prioritize Collaboration over Punishment: Human error is inevitable, regardless of how strong your program is. Make sure employees understand exactly what their role is, and take a "more carrot, less stick" approach that treats security incidents as learning opportunities rather than cause for punishment. If users worry they'll be reprimanded or even fired for security-related mistakes, they'll be far less likely to report them.
5. Measure Your Efforts: Take baseline measurements of current phishing susceptibility and cybersecurity knowledge levels, and put metrics in place to assess the impact of your program over time. Compliance metrics that focus on employee participation should be accompanied by behavior-related metrics that focus on whether you're preventing more attacks, detecting more incidents, and ultimately reducing more risk over time.