According to a study by IBM, 95% of cybersecurity breaches are caused by human error. Despite a slight reduction in the total number of breaches in 2020 compared with 2019, a Risk Based Security data breach report found that the number of compromised records reached an all-time high of 37 billion in 2020. In addition, the number of attacks with a ransomware component doubled, and the biggest breach of all, the SolarWinds supply-chain compromise, gave attackers a foothold across a wide swath of private and public infrastructure.
For beleaguered IT teams, the biggest challenge in addressing a tsunami of cybersecurity breaches is not the security tools put in place or the monitoring systems that have become increasingly sophisticated with time. It is the training (or lack thereof) for organizational employees who have varying levels of skill when it comes to technology.
To address this challenge, let’s take a closer look at some of the security training tools IT can use to improve compliance among non-technical users who nonetheless have access to vital resources on your network.
Addressing the Costly Boom in Ransomware Attacks
With more than 2,300 ransomware attacks in 2020 and an average cost of $4.4 million per breach, it’s important to understand how these attacks operate and where attackers get the access they need to reach your systems. Most of these intrusions begin with a compromised user credential, most often harvested through a phishing email. Resources to address these types of attacks include:
- Phishing Risk Test – Infosec Institute offers a Phishing Risk Test that allows you to run a simulated phishing test on your employees to see what your baseline phish rate is. The tool allows you to upload a list of users, choose a template and run a test in less than 24 hours. Before approaching your teams, know what percentage of them understand the risks of these types of emails.
- Google Phishing Quiz – Google offers several cybersecurity training resources as well. Their Phishing Quiz is a useful tool to evaluate how effectively your employees can spot the signs of phishing before they fall victim to it. Employees are shown example emails and asked to decide which ones are legitimate and which are attempts to harvest their credentials or personal information. After each answer, the quiz points out the elements that give a phishing message away.
- OpenDNS Phishing Quiz – Another quiz like Google’s, this one presents website landing pages, some legitimate and some fraudulent, and asks the user to identify which ones are trying to steal their information.
With spear phishing representing 91% of all successful cyberattacks, it’s the single most important area you can address in training your employees.
Additional Cybersecurity Awareness Training Tools
Trend Micro estimates that 94% of targeted spear-phishing emails use malicious file attachments (most commonly .RTF, .XLS, and .ZIP file formats), while the remaining 6% deliver malware through links the user is enticed to click. Training should therefore focus on email, and on the specific elements of a message that signal it may not be genuine: a sender address that does not match the display name, a Reply-To that points somewhere other than the sender’s domain, an unexpected attachment in one of the formats above, and a link whose visible text differs from its actual destination.
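The signs that an email is not genuine are mechanical enough to check automatically, which is how user-reported-phish triage tooling typically works. The script below is an added example, not code from the article or from any of the vendors it names: it parses a raw message with the Python standard library and flags a Reply-To that diverges from the sender domain, a display name that claims an internal domain the address does not belong to, attachments in the formats cited above, and a link whose visible text names a different host than its href. INTERNAL_DOMAINS, RISKY_EXTENSIONS and SAMPLE_EMAIL are constructed assumptions for the example.

```python
"""Flag common phishing indicators in a raw RFC 5322 message.
Added example; the domain set, extension set and SAMPLE_EMAIL are constructed."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the article names as the most common spear-phishing payloads,
# plus a few other macro/container formats (assumption: extend for your estate).
RISKY_EXTENSIONS = {".rtf", ".xls", ".xlsm", ".zip", ".doc", ".docm", ".iso", ".lnk"}
# Hypothetical: domains the organisation actually sends mail from.
INTERNAL_DOMAINS = {"example.com"}


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable indicators found in the message (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    from_header = str(msg.get("From", ""))
    from_domain = domain_of(from_header)
    display_name = parseaddr(from_header)[0].lower()

    # 1. Reply-To steers replies to a domain other than the sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        hits.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Display name drops an internal domain the address does not belong to.
    for internal in INTERNAL_DOMAINS:
        if internal in display_name and from_domain != internal:
            hits.append(f"display name mentions {internal} but address is @{from_domain}")

    # 3. Attachment types commonly used to carry the payload.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name[name.rfind("."):] in RISKY_EXTENSIONS:
            hits.append(f"risky attachment {name}")

    # 4. Visible link text names one host while the href goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = re.search(r"https?://([^/\s]+)", text)
            real = (urlparse(href).hostname or "").lower()
            if shown and shown.group(1).lower() != real:
                hits.append(f"link text shows {shown.group(1)} but href goes to {real}")
    return hits


# Constructed sample: a credential-phishing lure carrying all four indicators.
SAMPLE_EMAIL = b"""From: "IT Support example.com" <helpdesk@examp1e-support.net>
Reply-To: collect@mailer-drop.org
To: jane.doe@example.com
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it at
<a href="http://examp1e-support.net/reset">https://sso.example.com/reset</a></p>
--B1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--B1--
"""

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_EMAIL):
        print(" -", hit)
```

Run against SAMPLE_EMAIL it reports four indicators, one per check; a plain internal message with no Reply-To, no attachments and no HTML body reports none. Treat these as triage signals rather than verdicts: legitimate mailing lists and ticketing systems routinely set a divergent Reply-To, so a single hit should route a reported message to a reviewer, not auto-block it.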
Broader cybersecurity awareness training tools that can help in emphasizing the risk to your employees while providing the resources they need to identify a suspicious email and report it to IT include:
- Infosec IQ – Infosec IQ offers a library of more than 2,000 resources for cybersecurity awareness training. The most valuable component of this service is that it can be customized to your organization, industry, and culture, as well as to individual roles within your company. Because the risks differ depending on which employee you’re engaging with, it’s important to present each group with different resources. With this tool you can evaluate risk scores for individual employees, report on phishing threats as they become prevalent, and view program data from a single dashboard. Additional hands-on resources are available for addressing high-risk employees.
- KnowBe4 – KnowBe4’s Security Awareness Training offers a combination of baseline testing, simulated phishing attacks to periodically test your employees’ ability to respond to an attack, a library of modules, games, and posters to inform your employees of specific risks, and a dashboard for monitoring activity and performance.
There are dozens of other security awareness training programs available, from online suites of resources like the options above to hands-on training from IT consultants who can support your efforts over time. The most important element is that you have something in place to ensure not only basic cybersecurity literacy but also continuous evaluation of, and response to, potential threats.
Training Your IT Team
Your organization’s response to cybersecurity threats is only as strong as its IT team. That’s why it’s a good idea to periodically evaluate, assess, and train your IT team on current threats. Some useful resources to do so include:
- National Cybersecurity Alliance Resources Library – The NCSA offers a library of resources for both employee education and IT team review of new and developing threats.
- FedVTE – The Federal Virtual Training Environment offers hundreds of hours of training on topics like malware analysis and cybersecurity that can be helpful for IT teams in highly regulated businesses, whether you work with the federal government or not.
- InfoSec Institute – With more than 20 years of experience working with IT teams to better protect their companies from cyber threats, Infosec Institute offers a number of training programs, boot camps, and certifications, including vendor-specific offerings, to help prepare your IT professionals for the next big threat.
Being Prepared for Anything
With the boom in remote work and the shift of many attackers to financially driven ransomware, many IT teams have been put back on their heels in 2020 and 2021. The good news is that we know why most of these attacks succeed. While there’s no way to fully control the human element in a business, the right awareness training, frequent monitoring, and regular testing of employees for cybersecurity fluency and compliance with company policy, backed by dashboard-level reporting, can reduce the risk of a successful phishing attack leaving your business open to outside actors.
Learn more about how Bedroc works with companies in the financial and healthcare industries to improve cyber literacy and protect data across their organizations. Contact us today to schedule a consultation and discuss the challenges you’d like to address.