Cybersecurity is one of those fields where success is measured by the absence of incidents, and when incidents do occur, the situation is all the more dire. According to IBM statistics, the global average cost of a data breach in 2023 was USD 4.45 million, up from USD 3.9 million in 2020 and still growing.
However, even today, many organizations do not seem to have a high level of cybersecurity awareness or the desire to invest in it. Fortinet's 2023 Security Awareness and Training Survey found that 56% of IT and cybersecurity leaders said their employees still lack the knowledge or awareness needed to keep company assets safe. IBM's 2023 Cost of a Data Breach Report found that 57% of organizations are more likely to pass the cost of a cyberattack on to their customers than to invest in improving security.
That's not surprising. Budgets are tight, talent is expensive and hard to find, and organizations that have never really felt the pain of a cyberattack may be less inclined to devote resources to cybersecurity. But can anything be done anyway?
The answer is to train your employees
You can strengthen your cyber defenses simply by making your employees more aware of good practices. This is especially important since most cyberattacks target employees. According to the same Fortinet research, 81% of cyberattacks in 2023 were phishing attacks: emails and text messages that try to get employees to enter their credentials on a fake website, download and install malware, or hand information or money directly to scammers and other attackers.
So, is there an inexpensive way to train your workforce and embed cyber awareness in it? There is actually more than one. Cybersecurity providers recommend regularly testing employee awareness by confronting employees with realistic "threats" in real time and giving them instant feedback on how well they responded. Here are four such simple tests.
Send your own “phishing” emails
Do your employees tend to open or click on anything? Create your own "risky" links or suspicious-looking websites, then send messages or emails to your employee database encouraging them to open the links, click through, or log in. When employees fall for it, they get a message telling them they were fooled. It is harmless, memorable, and easy to set up with automation.
Set up your own malware trap
Do your employees install all kinds of apps and programs without a second thought? The same approach as the phishing emails applies. Create your own harmless "dangerous" software that locks the employee's computer, send it to your employee database, and see who falls for it. The employee has to bring in IT to unlock the machine, and being reprimanded for installing questionable material, even though it was harmless, makes the lesson stick.
Send reminders during high-risk seasons
Cyber-attacks spike during festive seasons such as the upcoming Holi festival. Set up automatic reminders for your employees to avoid opening greeting emails or clicking on suspicious links. You can track the open and read rates of these messages to understand whether people are actually paying attention.
Test people with social engineering
If your IT team has the knowledge and time, you can use generative AI to create fake personas (another department, a vendor, a customer, and so on) and let these personas try to trick people into handing over information they should keep secret. This is especially important today, as many cybercriminals are already using generative AI to deceive unsuspecting victims. By running your own internal "scams" you teach your employees that such tricks can be pulled on them.
Why do these methods work?
Quite simply, the above tests strengthen your employees' cybersecurity awareness by letting them make mistakes in a harmless way. Such tests are based on psychological research showing that emotional experiences improve learning, memory, and attention. Surprised and embarrassed, people receive messages reprimanding them for risky or careless actions and are encouraged not to repeat them, without suffering the pain of a real financial loss, yet they remember the experience as if they really had lost money.
These tests also communicate an organization's security expectations more clearly than written policies or one-time employee training. They generate data that helps organizations better understand what their employees know and how to train them.
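One way to turn the results of a simulated phishing campaign into the kind of data the paragraph above describes is to record, per recipient, whether the test link was clicked and whether the message was reported, then derive click rate, report rate, time-to-report and repeat clickers. The following is an added example, not code from the article; the employee names, departments and timestamps are constructed sample data, and the record layout is an assumption, not any particular product's export format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SimulationResult:
    """One employee's outcome in one simulated phishing campaign (assumed layout)."""
    employee: str
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime]   # None: the test link was never clicked
    reported_at: Optional[datetime]  # None: the message was never reported


def summarize_campaign(results: List[SimulationResult]) -> dict:
    """Click rate, report rate and median minutes-to-report for one campaign."""
    total = len(results)
    clicked = sum(1 for r in results if r.clicked_at is not None)
    reported = [r for r in results if r.reported_at is not None]
    minutes = [(r.reported_at - r.sent_at).total_seconds() / 60 for r in reported]
    return {
        "recipients": total,
        "clicked": clicked,
        "reported": len(reported),
        "click_rate": clicked / total if total else 0.0,
        "report_rate": len(reported) / total if total else 0.0,
        # None when nobody reported, so the caller can distinguish "no data"
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


def rates_by_department(results: List[SimulationResult]) -> Dict[str, dict]:
    """Same metrics broken down per department, to target follow-up training."""
    groups: Dict[str, List[SimulationResult]] = {}
    for r in results:
        groups.setdefault(r.department, []).append(r)
    return {dept: summarize_campaign(rows) for dept, rows in groups.items()}


def repeat_clickers(campaigns: Iterable[List[SimulationResult]],
                    threshold: int = 2) -> Set[str]:
    """Employees who clicked in at least `threshold` separate campaigns."""
    counts: Dict[str, int] = {}
    for campaign in campaigns:
        for r in campaign:
            if r.clicked_at is not None:
                counts[r.employee] = counts.get(r.employee, 0) + 1
    return {name for name, n in counts.items() if n >= threshold}


def sample_campaigns() -> List[List[SimulationResult]]:
    """Two constructed campaigns (hypothetical people and times)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    first = [
        SimulationResult("alice", "finance", t0, m(3), None),
        SimulationResult("bob", "finance", t0, None, m(5)),
        SimulationResult("carol", "engineering", t0, None, m(12)),
        SimulationResult("dave", "engineering", t0, m(1), m(2)),  # clicked, then reported
        SimulationResult("erin", "sales", t0, None, None),
        SimulationResult("frank", "sales", t0, m(8), None),
    ]
    t1 = datetime(2024, 4, 1, 9, 0)
    second = [
        SimulationResult("alice", "finance", t1, t1 + timedelta(minutes=2), None),
        SimulationResult("bob", "finance", t1, t1 + timedelta(minutes=4), None),
        SimulationResult("carol", "engineering", t1, None, t1 + timedelta(minutes=6)),
    ]
    return [first, second]


if __name__ == "__main__":
    first, second = sample_campaigns()
    print(summarize_campaign(first))
    for dept, stats in rates_by_department(first).items():
        print(dept, stats)
    print("repeat clickers:", repeat_clickers([first, second]))
```

The report rate matters as much as the click rate: an employee who clicks and then reports (as "dave" does in the sample) still gives the security team an early warning, and the median time-to-report shows how quickly a real campaign would be noticed. The per-department breakdown and the repeat-clicker set point to where follow-up training is worth the effort.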
So if you are short on resources and unable to hire the cybersecurity talent you need, the next best option is a simple, low-cost way to teach your employees to reduce the risks they pose to your organization.