Cyber Awareness and Cybersecurity
The statistics are astounding:
Major Direct Risks to Organizations
- 135 detected data intrusions per organization on average in 2013 (Price Waterhouse report)
- $52,000 - $87,000 is the average monetary loss for each 1,000 data records breached (Verizon report)
- $2.5M is the expected ANNUAL data breach cost for every 1,000 employees in your organization (Aberdeen Group)
- 23% of employees will open a phishing message and 11% will click on its link or attachment (Verizon report)
- 50% of clicks on a phishing link occur within an hour of the message arriving (Verizon report)
- A phishing campaign of just 10 emails yields a greater than 90% chance that at least one employee in your organization clicks on a link (Verizon report)
- 80% of all email traffic to businesses is not legitimate, being either phishing or spam (Aberdeen Group)
Major Indirect Risks to Organizations
With a typical medium-sized enterprise of around 1,000 employees expected to incur losses of $2.5M each year, the stakes in having robust cybersecurity are extremely high. Additional indirect costs raise them further:
- Interruption of critical business activities and systems
- Loss of reputation in the industry
- Upset and angry customers who may never return
- Legal action against you by those whose data has been breached
- Loss of intellectual property
- Loss of current revenue
- Loss of future revenue
- Fines and penalties associated with loss of sensitive information
Government and Other Initiatives to Boost Cybersecurity
Recognizing the importance of sound cybersecurity and its profound effect on business and the economy, the United States government responded to President Obama's Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 2013), by having NIST develop the Framework for Improving Critical Infrastructure Cybersecurity (www.nist.gov/cyberframework); the framework, whose first version was published in February 2014, lists awareness and training as a key category of activity.
The United Kingdom's Department for Business, Innovation and Skills reached a similar conclusion, noting that 70-95% of all network data infections are a direct result of user behavior.
A 2014 Aberdeen Group report found a 45%-70% reduction in employee click-through rates after employees went through a human awareness training program.
Price Waterhouse reported that untrained employees are a significant revenue drain: organizations spend 76% less on data security events when employees are adequately trained. Yet, remarkably, the same report noted that 54% of the companies surveyed provide no cyber-awareness training at all for new hires.
Drawbacks of Traditional Training Methods
The effectiveness of traditional frontal (classroom-style) training for employees has been questioned because of several major drawbacks:
- Removing employees from their normal work schedule for lengthy periods of time
- The need for a dedicated training department to organize and train employees in many different groups, each small enough to be effective
- Dramatic drops in information retention in the days and weeks following a frontal training session
- No way to ascertain the effectiveness of the training, because employee behavior is not measured after the session
- The ongoing financial and logistical burden of repeating frontal training year after year
- Lack of a sense of personal responsibility among individual employees for changing their cybersecurity behavior (you cannot manage what you cannot measure)
Because of these drawbacks, the training is either not conducted at all (54% of organizations) or conducted infrequently, with its effectiveness diminishing as time goes by.
Requirements for Effective Cyber-Awareness Training
From an educational standpoint, effective teaching and learning occur when all of the major learning processes are stimulated:
- Logic center – receiving theoretical information about the subject matter
- Visual center – seeing information about the subject matter
- Auditory center – hearing information about the subject matter
- Kinesthetic center – implementing the theory in real or simulated practice
Furthermore, information needs to be refreshed continuously through all four learning centers in order to be retained and then expressed as behavior. Traditional frontal training usually does not cover all four centers, so the information conveyed is not retained; the employee is not measured and has no individual sense of personal responsibility. A computerized cyber-awareness training system is therefore an excellent way to realize the large potential savings in cyber-attack costs (over 70%, per the Price Waterhouse figure above) through improved human behavior, provided it successfully addresses the following points:
- Training occurs at the employee's workstation, for brief periods on a daily basis. This replaces the need to organize seminars and remove employees from their daily duties; the information is refreshed continuously and leads to changed behavior that follows corporate IT policy.
- Multi-media training covering both the theory and practical simulation, addressing all four key learning centers.
- Mock attacks that give direct feedback on the risk level of the organization and on the actual cybersecurity behavior of each individual employee, stimulating individual responsibility.
- Continuous testing and refreshing of information that tracks personal behavior, such as whether a question was answered correctly or whether a theoretical training message was read.
- An effective management system that tracks the cyber-awareness level of each employee so that gaps can be addressed and training remains relevant, interesting and engaging.
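The mock-attack and per-employee tracking points above describe what such a system must measure without showing how the numbers come out. The following is an added example written for this page, not code from the page or from any vendor's product. It assumes a simple event log from a simulated-phishing system, one record per lure delivered to one employee, recording whether the lure was opened, clicked or reported; the log rows, campaign names and employee names are all constructed for the example. It computes the campaign-level open, click and report rates, the drop in click-through between a campaign run before training and one run after it (the figure the Aberdeen statistic refers to), a per-employee risk band, and the "at least one employee clicks" probability behind the 10-email Verizon statistic, applied to the page's own 23% open and 11% click rates.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishEvent:
    """One employee's response to one simulated-phishing email."""
    campaign: str
    employee: str
    opened: bool
    clicked: bool
    reported: bool


# Constructed sample log (not real data): campaign "q1" was run before
# awareness training, "q2" after it. One row per lure sent to one employee.
SAMPLE_LOG = [
    PhishEvent("q1", "alice", True, True, False),
    PhishEvent("q1", "bob", True, False, True),
    PhishEvent("q1", "carol", True, True, False),
    PhishEvent("q1", "dave", False, False, False),
    PhishEvent("q1", "erin", True, True, False),
    PhishEvent("q2", "alice", True, False, True),
    PhishEvent("q2", "bob", False, False, False),
    PhishEvent("q2", "carol", True, True, False),
    PhishEvent("q2", "dave", True, False, True),
    PhishEvent("q2", "erin", True, False, False),
]

CAMPAIGN_ORDER = ["q1", "q2"]  # chronological order of the campaigns


def campaign_rates(events):
    """Open, click and report rates per campaign, as fractions of lures sent."""
    sent, opened, clicked, reported = (defaultdict(int) for _ in range(4))
    for e in events:
        sent[e.campaign] += 1
        opened[e.campaign] += e.opened
        clicked[e.campaign] += e.clicked
        reported[e.campaign] += e.reported
    return {
        c: {"open": opened[c] / sent[c],
            "click": clicked[c] / sent[c],
            "report": reported[c] / sent[c]}
        for c in sent
    }


def click_rate_reduction(rates, before, after):
    """Fractional drop in click-through between two campaigns (1.0 = eliminated)."""
    b = rates[before]["click"]
    if b == 0:
        return 0.0  # nothing to reduce; avoid dividing by zero
    return (b - rates[after]["click"]) / b


def employee_risk(events, order):
    """Per-employee click/report counts and a risk band from their own behavior.

    "high":   clicked in the most recent campaign they were targeted in
    "medium": clicked in an earlier campaign but not the latest one
    "low":    never clicked
    """
    idx = {c: i for i, c in enumerate(order)}
    per_emp = defaultdict(list)
    for e in events:
        per_emp[e.employee].append(e)
    result = {}
    for emp, evs in per_emp.items():
        evs.sort(key=lambda e: idx[e.campaign])
        clicks = sum(e.clicked for e in evs)
        reports = sum(e.reported for e in evs)
        band = "high" if evs[-1].clicked else ("medium" if clicks else "low")
        result[emp] = {"clicks": clicks, "reports": reports, "band": band}
    return result


def prob_at_least_one(rate, n):
    """Probability that at least one of n recipients takes the bait, treating
    each recipient as an independent trial that succeeds with probability `rate`."""
    return 1.0 - (1.0 - rate) ** n


def emails_for_confidence(rate, target):
    """Smallest campaign size whose at-least-one probability reaches `target`."""
    if not 0 < rate < 1 or not 0 < target < 1:
        raise ValueError("rate and target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - rate))


if __name__ == "__main__":
    rates = campaign_rates(SAMPLE_LOG)
    for c in CAMPAIGN_ORDER:
        print(c, {k: f"{v:.0%}" for k, v in rates[c].items()})
    print("click-through reduction after training:",
          f"{click_rate_reduction(rates, 'q1', 'q2'):.0%}")
    for emp, r in sorted(employee_risk(SAMPLE_LOG, CAMPAIGN_ORDER).items()):
        print(f"{emp}: {r}")
    # The page's own figures: 23% open, 11% click, campaign of 10 emails.
    for label, rate in (("open", 0.23), ("click", 0.11)):
        print(f"10 emails, {label} rate {rate:.0%}: "
              f"P(at least one) = {prob_at_least_one(rate, 10):.1%}; "
              f"emails for 90%: {emails_for_confidence(rate, 0.9)}")
```

Two things the numbers show that the bullet points do not. First, the independent-trial model reproduces the "10 emails, over 90%" statistic only for the 23% open rate (about 93%); at the 11% click rate a 10-email campaign gives roughly a 69% chance of at least one click, and about 20 emails are needed to pass 90%, so a tracking system should record opens and clicks separately rather than a single "fell for it" flag. Second, the per-employee band is driven by the most recent campaign, which is what makes the individual feedback actionable: an employee who clicked once and then reported the next lure drops to "medium", while repeat clickers stay "high" and can be targeted for refresher content.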