Security Awareness Training in the New Normal
Cybersecurity awareness training that was "right" pre-pandemic may not be "right" in the new normal, as work-home boundaries blur and change over time.
- Experts believe that a new push and pull between the office and work from home will result in a permanently hybrid workplace.
- Email has been a particularly fraught medium for businesses of all sizes during the past year.
- Ongoing cybersecurity preparedness is critical, yet nearly eight in 10 companies in 2020 had their business disrupted, incurred a financial loss or suffered some other setback due to lack of cyber preparedness.
- 5 tips for better cybersecurity awareness training.
Hackers know an opportunity when they see it, and the abrupt shift to work-from-home due to the global COVID-19 pandemic was an opportunity like no other. For many organizations, the sharing of sensitive business information went from in-office conference room to in-home Zoom, and from secure corporate networks to home Wi-Fi. Add to this a user community that was confused, overwhelmed and ill-prepared to manage their home life and home IT systems amid a global pandemic, and it was like shooting fish in a barrel for bad actors.
Ongoing security preparedness is critical, yet nearly eight in 10 companies in 2020 had their business disrupted, incurred a financial loss or suffered some other setback due to their lack of cyber preparedness, according to Mimecast's State of Email Security 2021 (SOES) report. Email security was of particular concern: more than 40% of businesses fall short in one or more critical areas, and 13% of businesses don't have an email security system at all, according to SOES respondents.
As Email Volume Increases, So Does Email Risk
Email has been a particularly fraught medium for businesses of all sizes during the past year. Eighty-one percent of SOES survey respondents said the volume of email expanded during the last year, with a 64% increase in email threats alone. Seventy percent of respondents said they expect their business to be harmed by an email-borne attack — a number that is not surprising when you learn that employees are clicking on three times as many malicious emails as they had before the onset of the pandemic.
What employees are clicking on is increasingly likely a phishing attempt: 63% of SOES respondents said they are facing a surge in targeted emails that attempt to lure employees into clicking on a malicious link or attachment.
According to Deloitte, phishing emails are the No. 1 delivery vehicle for ransomware: “The motive behind this is that phishing emails are easy to send and lead to a faster return on investment (ROI),” the firm wrote. It also said the main purpose of phishing emails is to deliver ransomware, and that phishing emails with the highest click rates include content that targeted users would expect to see in their day-to-day work.
Ransomware, BEC Attacks Rising
Alarmingly, the Mimecast SOES showed that more than six out of 10 companies were disrupted by a ransomware attack last year, resulting in the loss of six days of work on average. Business email compromise (BEC) attacks in the form of impersonation fraud also rose, with 51% of the survey participants reporting an increase.
End users are clearly a big part of the problem, but the good news is that they can also become a big part of the solution — with the right training. However, cybersecurity awareness training that was “right” pre-pandemic may not be “right” in the new normal, as the definition and boundaries of the corporate workplace blur and change over time.
Cybersecurity Awareness Training Tips
Here are some steps to take to ensure that employees have a high — and continuously evolving — level of understanding about security at home and in the office.
Treat employees as allies: Employees who understand what’s at stake and why certain security measures, like two-factor authentication or a VPN, are in place will be more invested in doing their part to protect the company, its brand and, ultimately, their job security. By protecting the company, employees are also protecting themselves, especially as the hybrid workplace extends into their own home networks and devices.
Be specific: Security awareness training should be tailored to the needs of each individual business, focusing on specific industry-related concerns. Security awareness training for employees at a healthcare organization, for example, should not be exactly the same as security awareness training for retail workers. Organizations should provide training that takes into account specific employee situations, such as the security issues and needs of employees who will be fully remote versus those who will be working a hybrid schedule and those who will be in the office full time.
Provide examples: Examples are very powerful. Provide practical, relatable examples of how common cyberattacks such as email phishing scams can impact — and perhaps have impacted — the organization and individual employees. Be sure to provide examples in a variety of office and home environments so that users across the organization can connect. This will help keep employees aware that their role does make a difference.
Make it easy to do what’s right: The harder it is for employees to do what’s right, the less likely it is that they will. Keep training short, simple and relevant. Provide information in an easily digestible and accessible format that is meaningful to employees’ work. It’s also important to make resources — for example, a checklist for spotting a phishing email or the contact information for security support — easily accessible.
Recognize employees’ level of technology expertise: It’s likely there will be a wide range of technical expertise among employees at your organization. Forcing a very tech-savvy employee to go through a Phishing 101 course is only going to engender bad feelings. Give employees the opportunity to “test out” of specific training, while recognizing and accommodating those who need even more support than general training is designed to provide.
The Bottom Line
The past year has presented challenges no one could have foreseen. No individual or organization will come out on the other side of the pandemic unchanged. Cybersecurity awareness training was always critical for protecting a company’s data, employees, customers and brand, but it, too, must change and evolve to align with a new way of living and working.