How many employees completed your last cybersecurity awareness training? How many clicked on your test phishing bait? Most security and risk leaders test cybersecurity regularly and can report these metrics, but that doesn’t mean they’re actually reducing their organization’s exposure to human-generated cybersecurity risks.
“You need to turn employees into controls that detect and resist social engineering attacks, but security and risk leaders often fail to deliver a security awareness program that produces meaningful changes in employee behavior,” says William Candrick, Director Analyst, Gartner.
Cybercriminals have become experts at social engineering, using increasingly sophisticated techniques to trick employees into clicking malicious links or handing over credentials. It is up to security leaders to give employees the information and know-how to defend against these attacks.
Remote work has only increased the risks as employees use more home networks and personal devices and make their own snap decisions about potential threats. “Sitting in their home offices, employees can no longer casually turn to a neighboring colleague and ask whether an email looks authentic,” says Candrick.
Cyberattacks are growing
Nearly half of all board directors surveyed by Gartner in 2020 saw cybersecurity as a top source of risk for their enterprise. And the risks are only growing.
Recent industry research confirms that the pandemic encouraged cybercriminals to increase their use of proven attack strategies:
- The average cost of a U.S. data breach increased from $8.19 million in 2019 to $8.64 million in 2020.1
- 36% of data breaches in 2020 involved phishing and 16% involved stolen credentials.2
- Some human element played a part in 85% of all breaches, while 10% incorporated ransomware.2
- The average ransomware payment in Q1 2021 was $220,298.3
The volume of attacks, and the key role humans play in allowing them to succeed, makes it even more critical that enterprise security awareness programs build and test employees’ understanding of cyber risks.
But, more important, those security awareness programs need to teach and reinforce practices that enable employees to identify and respond to suspicious activity when they detect it in their organization — and to avoid making errors with sensitive data.
3 actions bolster effectiveness of security awareness programs
Focusing on three key components of the security awareness strategy will help security and risk management leaders ensure they’re investing appropriately in security awareness programs — and that they are actually changing end-user behavior to reduce risks created by employees.
Those three key components of a security awareness strategy are:
Action No. 1: Set the vision
Start by establishing a vision statement that lays out the security behaviors desired and required to enable the organization to achieve its strategic objectives.
Do this with a cross-functional working group comprising representatives from across the organization, including core lines of business and support functions. Secure approval from senior management.
The cross-functional team must develop a statement that embodies the “end-state” or the aspiration for the security awareness program and should resonate across the organization, providing a tangible lodestar for employees to follow.
Simple examples include statements like “Our people are our greatest security weapon” or “We have a security-conscious workforce.”
Articulate which signature behaviors would be on display if the organization achieved its desired security awareness end-state. Signature behaviors are those that clearly reflect end users’ positive intent and support for realizing the security awareness vision, for example reporting a suspicious email to security rather than simply deleting it, or verifying an unexpected request through a second channel before acting on it.
Action No. 2: Define tangible, measurable desired behaviors
The core value proposition of any enterprise security awareness program should be to shape employee behavior so that it reduces the likelihood and/or impact of security incidents. Gartner advocates outcome-driven metrics (ODM) to indicate an operational and/or benefit outcome aligned to the behavioral statements in the vision.
Mandatory completion rates and knowledge check outcome metrics come via standard reports available in the majority of security awareness computer-based training platforms. These are useful measures of how many of your end users are completing the security awareness training and how easy it is to understand.
It is useful information, but it does not show that the security awareness program reduces risk or delivers other tangible business benefits. ODMs measure outcomes that can be tied back to measurable protection benefits, such as the share of simulated phishing emails that employees report rather than click.
Action No. 3: Link behaviors to measurable business benefits
Once the ODMs have been collated, link those insights to the business drivers that senior leadership really cares about.
Start by measuring root causes of human-generated cyber risks that will deliver benefits if improved — for example, the number of cybersecurity incidents caused by data misuse or human error. Such metrics should improve over time if your awareness program is working effectively (and if they don’t, you know what to improve).
Then link those benefits outcomes to business drivers and benefits — which will relate at most organizations to revenue/growth, cost management, risk management and brand reputation.
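The following is an added example, not Gartner’s code or any vendor’s reporting tool, of the distinction drawn in Action No. 2 and the trend measurement called for in Action No. 3. It computes the activity metric most training platforms report (completion rate) alongside outcome-driven metrics (click rate, report rate and median time to report) from a constructed phishing-simulation log, and then shows the quarter-over-quarter change. The log, the user names and the quarter labels are all invented for illustration; replace them with exports from your own training and simulation platforms.

```python
"""Activity metrics versus outcome-driven metrics (ODMs) for a security awareness program.

Added example, not Gartner's own code or tooling. Every record below is constructed
to illustrate the calculation.
"""
from collections import defaultdict
from statistics import median

# Constructed phishing-simulation log: one entry per recipient per quarter.
# (quarter, user, completed_training, clicked_lure, reported_lure, minutes_to_report)
SIMULATION_LOG = [
    ("Q1", "alice", True,  True,  False, None),
    ("Q1", "bob",   True,  False, True,  12),
    ("Q1", "carol", False, True,  False, None),
    ("Q1", "dave",  True,  False, False, None),
    ("Q2", "alice", True,  False, True,  5),
    ("Q2", "bob",   True,  False, True,  8),
    ("Q2", "carol", True,  True,  True,  30),   # clicked, then reported it anyway
    ("Q2", "dave",  True,  False, False, None),
]


def activity_metrics(log):
    """Training-completion rate per quarter: what the CBT platform reports by default.

    It tells you how many people sat through the module, not whether behaviour changed.
    """
    totals, completed = defaultdict(int), defaultdict(int)
    for quarter, _user, done, *_ in log:
        totals[quarter] += 1
        completed[quarter] += done
    return {q: round(completed[q] / totals[q], 2) for q in totals}


def outcome_metrics(log):
    """Outcome-driven metrics per quarter: the behaviours that change exposure.

    click_rate    - share of recipients who clicked the lure (lower is better)
    report_rate   - share who reported the lure to security (higher is better)
    median_report - median minutes from delivery to report (lower is better;
                    None when nobody in that quarter reported)
    """
    by_quarter = defaultdict(list)
    for rec in log:
        by_quarter[rec[0]].append(rec)
    result = {}
    for quarter, recs in by_quarter.items():
        n = len(recs)
        report_times = [r[5] for r in recs if r[4]]
        result[quarter] = {
            "click_rate": round(sum(r[3] for r in recs) / n, 2),
            "report_rate": round(sum(r[4] for r in recs) / n, 2),
            "median_report": median(report_times) if report_times else None,
        }
    return result


def trend(outcomes, first, last):
    """Change in each rate ODM between two quarters.

    A negative click_rate delta and a positive report_rate delta both mean the
    program is moving behaviour in the right direction; completion rate alone
    cannot tell you that.
    """
    keys = ("click_rate", "report_rate")
    return {k: round(outcomes[last][k] - outcomes[first][k], 2) for k in keys}


if __name__ == "__main__":
    print("completion rate:", activity_metrics(SIMULATION_LOG))
    odms = outcome_metrics(SIMULATION_LOG)
    for quarter, values in odms.items():
        print(quarter, values)
    print("Q1 -> Q2 change:", trend(odms, "Q1", "Q2"))
```

In the constructed data, completion rises from 75% to 100%, but the metrics that actually track risk tell a richer story: click rate halves, report rate triples, and the median time to report drops from 12 minutes to 8. Those are the numbers to carry into the Action No. 3 conversation with senior leadership, alongside the count of real incidents attributed to human error.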
1 Cost of a Data Breach Report 2020, IBM Security
2 Verizon 2021 Data Breach Investigations Report
3 Coveware Quarterly Ransomware Report