The threat risk is coming from inside the organization
Cybersecurity awareness training is the one weird trick you need to keep your data safe
All of the careful layers of defense your organization may put in place to keep your information safe--cutting-edge software tools, hardware and cloud security packages, around-the-clock monitoring, data encryption--can only stay standing if you actively address your organization's greatest vulnerability: your people. As Thursday Bram of the Young Entrepreneur Council says,
"No matter how paranoid your IT department is, the people in your organization are going to make decisions every day that impact your risk level. The more you can educate your team on the concepts behind cybersecurity, like privacy, the less likely your team is to do something that could cause a problem (like picking up a USB drive in the parking lot and plugging it into a company computer)."
In the context of information security, “social engineering” is the act of using psychological manipulation to gain access to restricted physical or digital spaces, or to trick people into sharing sensitive or confidential information. Precision-targeted “spear phishing” attacks are the fastest-growing cyber-threat to organizations. Because of their contextual sophistication--a message might mention a recently attended industry conference, for example, or appear to come from a top-level executive within the company--spear phishing emails can slip through filters more easily than spam.
The 2014 Cyber Security Intelligence Index reported that 95 percent of all security incidents involve human error. If your employees are the vulnerability which data thieves try hardest to exploit, your best defense is a good offense. You need to arm your employees with knowledge, training, and constant reinforcement to stand firm against the tactics that can undermine every other IT bulwark against invasion.
What is cybersecurity awareness training?
The SANS Institute describes security awareness as "the specialty of managing human cyber risk." Essentially, that comes down to making your employees the fulcrum for addressing both deliberate and accidental threats: not only bad-actor hackers but also staff themselves who can inadvertently drill holes in your security perimeter through simple carelessness.
Information security professionals provide cybersecurity awareness training through in-person and online live classes and computer-based self-learning for employees. The aim is to increase knowledge, change attitudes and improve behaviors, helping your people understand the threats to your organizational security and train them to take the right steps to stop those threats.
Why does your organization need cybersecurity awareness training?
- Regulatory requirements. Federal regulations covering different types of organizations recognize the integral role of people in maintaining IT security. Know what regulations like HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), FISMA (Federal Information Security Management Act of 2002), PCI-DSS (Payment Card Industry Data Security Standard (PCI-DSS), GLBA (Gramm Leach Bliley Act) and SOX (Sarbanes-Oxley) require from your organization for cybersecurity awareness training compliance.
- Shifting threats. Ongoing training helps keep your employees aware of the latest attempts to take advantage of human frailties. Social engineering wears many faces; your people need to know how to watch for signs of spear phishing, social media scams, and new tactics that wax as others wane.
- Personal devices and the Internet of Things. Employees' personal devices--laptops, tablets, smartphones and watches--as well as the increasing integration of connectivity in our environments (Amazon's Echo, coffeemakers, HVAC controls, and biometric access authentication tools like face, voice and fingerprint scanners) are opening up the cybersecurity threat landscape. Employee awareness and best practices reinforcement are key to preventing gaps in your security perimeter.
There is no perfectly secure environment. You and your organization need to build your own band of vigilant ninja warriors to preserve the integrity and confidentiality of your data and devices. Cybersecurity awareness training is their boot camp and officer school, and you can't afford to wait to call class into session.