Avoid a traditional approach to information security awareness training
Over 90% of security incidents are inadvertently caused by employees being targeted by cybercriminals. A chilling fact, right? As a result, phishing testing and information security awareness training services have become a fundamental security measure for businesses of every size, across every industry, worldwide.
By Sonia Older
13 December 2021, UK
What is the traditional cyber security approach?
Historically, the traditional information security approach to protecting against cyber-attacks has been to implement technology such as email and web protection, and data loss prevention measures. Whilst these techniques still provide effective protection, the workforce remains the largest security risk, so this is where focus should be placed.
In recent years, the most widely used technique to reduce employee-related security incidents has been to run cyber security awareness training and phishing testing. The National Cyber Security Centre, in its annual review for 2021, recommended, as one of the ten key steps to cyber resilience, educating employees about the risks attached to cyber-crime through an engaging training programme. It has been commonplace to manage this education and training process internally, relying on a nominated member of the team to conduct cyber security training and phishing testing campaigns.
Ultimately, this traditional approach isn’t effective. Let us explain why.
1. How long is security awareness training?
The management of an information security awareness training programme plus ongoing testing can be time-consuming and very easily escalate into a full-time job. As a result, a self-service approach can quickly start costing your business time, effort and resources. The demands of integral tasks such as reporting, user list maintenance and licence management can also impact other departments across the business. The consensus among businesses that have transitioned from self-service to a fully managed solution is that it is almost impossible to maximise the success of a cyber training programme without recruiting specifically for the role.
2. Ever-evolving cyber attacks
The default phishing email templates, which have been around for years and are often used in self-service training or testing, no longer accurately represent those used in successful cyber-attacks. Popular attacks once included holiday offers, competition prizes and, of course, false friend requests as social media started to take off, but these are now very outdated. The cyber-crime landscape is constantly changing, with attacks becoming ever more sophisticated, so the types of emails being used internally to test employees no longer prepare or expose the workforce to the true threats of today.
Methods of attack such as spear-phishing dominate the cybersphere, and targeted attacks such as CEO fraud and social engineering are the most prevalent methods behind a successful, modern-day cyber-attack. This is where phishing testing can be effective: targeted simulations, designed by cyber specialists, that replicate the lengths cybercriminals go to in order to deceive an employee.
3. Practice makes perfect
For cyber security awareness training to be fully effective, it needs to be impactful and kept front of mind. The quality of the training needs to be high, in order for the scale of the issue to be clearly communicated and firmly understood by employees. There is also a risk that the skills learned through the training process will be quickly forgotten if not put into practice. To avoid this, an ongoing testing programme needs to be implemented to reinforce the training, using real-life examples of attacks or other methods of testing. Otherwise it can be difficult to know how employees would react when faced with a real cyber-attack.
What is information security awareness training?
To maximise the effectiveness of information security awareness training and reduce the potential impact of a cyber-attack, the answer is to opt for a fully managed information security training service. A fully managed Security Awareness Training and Testing (SATT) service removes the pressure from your own teams and places minimal demand on internal resources. In a nutshell, this means more time to spend running your business and taking care of your customers. Outsourcing cyber services also means you will benefit from the expertise of cyber specialists, who will implement true-to-life phishing testing. All at a fraction of the cost.
The Cyber Security team at Focus Group have been operating fully managed Security Awareness Training and Testing services for several years now and have helped thousands of customers to reduce their risk level. This managed service is highly customisable and designed with each customer in mind, which ensures the phishing testing is based on the culture of each business to optimise the results. The training is delivered online and, as such, can be scheduled at times to suit your business and your team.
Most importantly, the managed IT solutions provided by Focus Group keep cyber-crime front of mind with ongoing phishing testing. Testing is usually run on a monthly basis; at-risk employees are made aware of the mistakes they have made and are offered additional training. Combined with one-to-one support from our dedicated cyber account managers, an impressive 0% monthly click rate can be achieved using this approach to cyber awareness training.