Cybersecurity awareness: What it is and how to start
Every October, cybersecurity professionals and enthusiasts alike observe Cybersecurity Awareness Month. Backed by the Cybersecurity & Infrastructure Security Agency (CISA) and National Cyber Security Alliance, Cybersecurity Awareness Month encourages individuals and organizations to own their role in protecting their part of cyberspace.
For many organizations, it’s the perfect time to celebrate cybersecurity awareness and jump-start a training program with the countless resources available. But before we dive into how to use this Cybersecurity Awareness Month to your advantage, we first must understand the role of cybersecurity awareness in keeping your employees and organization safe.
What is cybersecurity awareness?
Cybersecurity awareness involves being mindful of cybersecurity in day-to-day situations. Being aware of the dangers of browsing the web, checking email and interacting online are all components of cybersecurity awareness. As business leaders, it’s our responsibility to make sure everyone considers cybersecurity an essential part of their role.
Not everyone in an organization needs to understand concepts like SPF records and DNS cache poisoning, but empowering every employee with information relevant to their role helps them stay safe online — both at work and home. Role-based training for technical and non-technical staff is the best way to prepare the right people for the right cybersecurity threats.
Cybersecurity awareness could mean something a bit different to your general workforce than it means to technical teams. Management of data, permissions and regulations are topics that your IT team needs to know but aren’t necessarily relevant to the rest of your organization. Delivering the appropriate training to each team is vital to building a cybersecurity awareness program that motivates lasting behavior change.
Why is cybersecurity awareness important?
Similar to safety incidents, cybersecurity incidents can come with a hefty price tag. If you’re struggling to allocate budget to cybersecurity training, tools or talent, you should think about it through the lens of risk management. With an ever-rising number of cyberattacks each year, the risk of not educating your employees on cybersecurity awareness only continues to grow.
Cybercriminals are constantly finding new ways to circumvent the latest defensive tools and technologies, landing themselves in the inboxes and browsers of your employees. In 2021 alone, 85% of data breaches involved the human element, with 94% of malware delivered via email.
These email attacks almost always involve some sort of phishing. Phishing is the fraudulent practice of sending emails posing as a legitimate source to compel victims to reveal sensitive information, such as passwords and credit card numbers. You may have seen phishing emails before, offering you a free TV or asking you to change your password. While an email spam filter will catch many of these, some will still occasionally make it through to your inbox.
Not only is phishing a simple attack to perform, but it’s a Google search away. Anyone who can access the dark web can purchase a phishing kit the way you’d buy a book from Amazon. Your employees will eventually come face-to-face with a cyber incident, and you’ll want them to be prepared to respond accordingly by reporting threats to your IT or security team. Luckily, cybersecurity awareness training can be an effective defense against phishing attacks.
Defending against phishing and social engineering attacks ultimately comes down to knowing what you’re up against. These can come in several forms, but the most common cyberattacks are phishing emails that ask you for usernames, passwords and personally identifiable information (PII). A good rule of thumb is to have healthy skepticism whenever an email asks for personal information — especially emails from an unexpected sender.
This can sound like quite the daunting task for any company, let alone a small business. The reality is that the opportunity cost of not training your employees is too high to ignore. According to IBM, the average cost of a data breach last year was $4.24 million. Thirty-eight percent of companies lost business as a result of a breach, which accounted for over half of the total financial losses.
By training your workforce to identify these attacks, you can significantly reduce the risk of a security incident or breach. This can be the difference between an expensive ransomware infection and a message to your IT department that reads, “This email looks suspicious, so I didn’t open it.”
From awareness to culture
While cybersecurity awareness is the first step, employees must willingly embrace and proactively use cyber-secure practices both professionally and personally for it to truly be effective. This is known as a culture of security or security culture. Security culture is defined as an organization’s collective awareness, attitudes and behaviors toward security. ISACA and CMMI Institute studies have shown that organizations with strong cybersecurity cultures experience increased visibility into potential threats, reduced cyber incidents and greater post-attack resilience, among other measurable benefits.
We can all learn from organizations that have heavily invested in building cultures of safety to drive down workplace incident rates. When organizations saw that safety incidents, similar to security incidents, were costly and dangerous, they invested in preventing them with employee education. For this to be effective, they had to go beyond awareness to ensure employees were embracing safety protocols as part of their workplace culture. Just like you wouldn’t enter a construction site without a hard hat today thanks to OSHA training, building a security culture will make common mistakes like reusing passwords or opening malicious files a thing of the past.
For security culture to be most effective, it’s important to make security training not only engaging but also relevant to employees so they understand how cybersecurity impacts them in and outside of work. Like learning how to bend with your knees, security education can help them at home as well. With today’s hybrid workforce, this mindset is more important than ever. As leaders, it is our role to connect the dots and help employees understand how security education benefits them. When you get there, you can create lasting behavior change and a culture of security.
What can you do to get started?
The best part about cybersecurity training is that it can be customized to your organization’s needs. From a formal security awareness training program to a monthly email with cybersecurity tips and tricks, any cybersecurity awareness and training can significantly impact employee behavior, and can even spur a cultural change in the way your employees view cybersecurity. The real change begins once the individuals buy into the idea that cybersecurity is one of their own job responsibilities.
When it comes to the bottom line, even a small investment into cybersecurity awareness training drives a positive ROI. The most effective programs take a people-first approach to security education. That means aligning training to specific roles, departments and cultures to boost engagement, training relevancy and, ultimately, lasting behavior change.
Many low-cost and free resources are available to help organizations get started with cybersecurity awareness training, especially during Cybersecurity Awareness Month. Every year, organizations like CISA and Infosec create free training kits that serve this exact purpose: to give you a place to start. These tools allow organizations to deliver training modules, assessments and newsletters to keep employees engaged all month long.
Once you get the ball rolling, consistency is key to keeping security top of mind for your organization all year long. Even a simple training module or a monthly newsletter goes a long way to preventing a cyber incident.
Moving forward, you can continue to find great resources on the Infosec resource center and the CISA website.