Cyber Awareness and Cybersecurity

Regulations are Mandating Cyber-Awareness Training

All over the world, government regulators are mandating cyber-awareness training and imposing stiff fines for the mishandling of personal data. The European Union’s GDPR (General Data Protection Regulation), which affects any company – regardless of location – that collects personal data from EU residents, mandates cyber-awareness training. Fines for data breaches and misuse of personal data are significant. Recently, Amazon was hit with an $877 million fine for misusing personal data. Well-known companies like British Airways and Marriott were fined tens of millions of dollars for data breaches directly related to phishing attacks that could possibly have been avoided with proper cyber-awareness training.

The GDPR imposes severe fines that can reach the greater of 20 million euro or 4% of an organization’s worldwide revenues.

The EU GDPR is not alone. Most modern countries worldwide have regulations in place or are in the process of enacting them. These include various states in the United States, with California at the forefront of data protection regulation. Israel has strict data privacy regulations in place and continues to refine them as regulations evolve abroad.

The stiff fines that organizations are exposed to for data breaches cover only the regulator’s interest in the way data is handled. Organizations still have additional and substantial exposure to financial damage arising from lost business, lost customers and other lawsuits.

The Statistics Are Astounding:


Major Direct Risks To Organizations

  • In 2022, more than 50% of personal devices were exposed to a mobile phishing attack each quarter.[1]
  • The potential annual financial impact of mobile phishing to an organization of 5,000 employees is nearly $4 million.
  • Organizations operating in highly regulated industries – including insurance, banking, legal, healthcare, and financial services – were the most highly targeted enterprises.
  • Non-email based phishing attacks are growing rapidly, with a seven-fold increase recorded in Q2 of 2022.
  • Losses to phishing attacks increased by 76% in 2022, with almost one third of companies losing money to successful phishing attacks.[2]
  • In 2022, 4 out of 5 organizations surveyed (based on a global survey of 7,500 working adults and 1,050 IT security professionals) experienced at least one successful phishing attack, with more than half of those experiencing at least three successful phishing attacks.
  • 63% of adults surveyed thought links in emails always direct them to the matching website or brand.
  • In Q3 of 2022, the Anti-Phishing Working Group (APWG) observed 1,270,883 total phishing attacks, a new record and the worst quarter ever observed.[3]
[1] Lookout Global State of Mobile Phishing 2022
[2] Proofpoint 2023 State of the Phish Report
[3] APWG Phishing Activity Trends Report, Q3 2022

Major Indirect Risks To Organizations

With a typical medium-sized enterprise expected to incur losses of $4M[1] per year (from mobile phishing attacks alone), the stakes in having robust cybersecurity are extremely high. Additional indirect costs make the stakes even higher:

  • Interruption of critical business activities and systems
  • Loss of reputation in the industry
  • Upset and angry customers who may never return
  • Legal action by those whose data has been breached
  • Loss of intellectual property
  • Loss of current revenue
  • Loss of future revenue
  • Fines and penalties associated with loss of sensitive information
[1] Lookout Global State of Mobile Phishing Report 2022

Drawbacks Of Traditional Training Methods

The effectiveness of traditional frontal training for employees has been questioned because of major drawbacks:

  • Schedule-based training that does not gauge the actual skill level and network behavior of the user
  • Removing employees from their normal work schedule for lengthy periods of time
  • Need for a dedicated training department to organize and train employees in many different groups, which must be small enough to be effective
  • Dramatic drops in information retention in the days and weeks following frontal training sessions
  • Inability to ascertain the effectiveness of traditional training, because there is no method of measuring the user’s behavior after training
  • Ongoing financial and organizational resources required to implement continuous frontal training, year after year, which create financial and logistical burdens
  • Lack of a sense of personal responsibility among individual employees for changing cybersecurity behavior (you cannot manage what you cannot measure)

Because of these drawbacks, training is either not conducted at all (54% of organizations) or it is conducted infrequently with diminished effectiveness as time goes by.


Requirements For Effective Cyber-Awareness Training

From an educational standpoint, effective teaching and learning occur when all major learning processes are stimulated:

  • Logic center – receiving theoretical information about the subject matter
  • Visual center – seeing information about the subject matter
  • Auditory center – hearing information about the subject matter
  • Kinesthetic center – implementing the theory in real or simulated practice

Furthermore, information needs to be refreshed continuously through these four learning centers in order for it to be retained and then expressed as human behavior. Traditional frontal training usually does not cover all four learning centers and the information conveyed is not retained over time. The employee is not measured and does not have an individual sense of personal responsibility. Therefore, a computerized cyber-awareness training system is an excellent way to fully realize the huge potential savings (over 70%) in cyber-attack costs through improved human behavior, provided it successfully addresses the following points:

  • Training occurs as it is truly needed, for the topics in which the user is deficient, based on the user’s actual behavior as recorded in SIEM logs.
  • Training occurs at the employee’s workstation, for brief periods of time on a daily basis and whenever Human SIEM dynamically identifies a deficiency. This replaces the need to organize seminars and remove employees from their daily duties. The information is refreshed continuously and leads to changed behavior that follows corporate IT policy.
  • Multi-media training focusing both on the theory and practical simulation that addresses the four key learning centers.
  • Mock attacks that provide excellent feedback on the risk-level of the organization and the actual cybersecurity behavior of employees on an individual basis, stimulating individual responsibility
  • Continuous testing and refreshing of information that tracks personal behavior such as whether a question was answered correctly or whether a theoretical training message was read.
  • Effective management system that tracks the cyber-awareness level of each employee so that gaps can be addressed and training can remain relevant, interesting and engaging.

The Q-LOG platform with Human SIEM is the most effective and leading cyber-awareness training system.

Q-LOG stimulates all learning centers of the human mind – logic, auditory, visual and kinesthetic – using multi-media tutorials at the user’s workstation.

The Q-LOG Human SIEM solution includes:

  • Customized training based on actual user network behavior
  • Mock attacks as a training tool and as a way to gauge the at-risk level of the organization
  • Personal profiles for each user based on their network behavior and their performance from mock-attacks and tutorials
  • Personal profiles are used to automatically push new cyber-awareness content to the user across all attack vectors: web browsing, phishing links, mobile phones, USB devices and Wi-Fi