Security awareness precipitates security change. That is what thousands of cybersecurity decision-makers worldwide understand, and it shows in budding security awareness training (SAT) programs. In the SANS 2024 Security Awareness Report, security awareness practitioners from over 70 countries around the world shared their insights, candor, and challenges when it came to raising the level of cybersecurity awareness in their own organizations.
Social Engineering Is the Top Human Risk
When asked, 89% of all practitioners responded that social engineering presented the most salient human risk in the threat landscape today. Social engineering, in this context, refers to:
- Phishing (email-based)
- Smishing (text-based)
- Vishing (voice-based)
The report noted a rise in both the volume and the sophistication of the latter two (smishing and vishing). There are several possible reasons for this:
- Detection tools are doing their jobs and catching more phishing instances.
- AI is generating harder-to-catch campaigns using deepfakes, convincing “voices,” and perfect grammar and punctuation in any language.
Threat actors could also be experiencing more success in these areas because mobile devices are harder for organizations to track and secure. As the line is blurred between personal and work devices, attackers who infiltrate one could easily pivot to another, and defenses are often considerably lower (if not non-existent) on machines intended for personal use.
Following social engineering (89%), the next most prevalent sources of human risk were ranked as passwords/strong authentication (45%), detecting/reporting incidents (43%), artificial intelligence (31%), and social networks/social media (19%), with a handful of others in tow.
Most Prevalent Program Challenges?
Respondents cited:
- Lack of time (41%)
- Lack of staff (37%)
as the two challenges that presented the most trouble with implementing effective security awareness training programs. (“Lack of budget” came in third at 29%.) As the report points out, “Awareness practitioners have too much to do and too few resources to do it.” So, what is the solution?
It’s best to start small. Realize that a modest SAT group won’t have company-wide sway at first, so it’s best to get buy-in from the top levels. Leverage People Experience/Human Resources and engage with other departments to get them on board. When they see how cyber incidents can negatively impact their goals, deadlines, quarterly results, and even professional reputations, they’ll be a lot more willing to listen.
And don’t forget to align with cybersecurity at the very beginning to identify the top risks plaguing your organization. If you want to address only one issue at a time, let it be the most important one first.
When it comes to time, remember that a little goes a long way. Engaging and interactive training modules don’t take forever, and requiring a few every week (even one) can have more lasting effects than cramming a 40-hour course into a week. The easier it is to integrate a SAT program into the daily routine of your employees, the more likely their bosses will be to allow them to take the program.
While time and staffing issues may be perennial, there are always creative ways to work around them.
Who Helps and Who Hinders?
As with any new initiative, there are those in favor and those against — “supporters” and “blockers,” as the report puts it.
To be expected, IT and information security departments were the strongest supporters of security awareness programs. And in the past, Finance and Operations have been the two strongest blockers. However, this year’s report introduced a new blocker, and that new addition took the cake: mid-level managers.
The final rankings for the top five entities most likely to impede the progress of security awareness programs shook out to be:
- Mid-level managers (246)
- Finance (205)
- Other (193)
- Operations (170)
- Communications / branding (134)
Mid-level managers have a high personal responsibility to make sure their teams deliver results, and on a deadline. Anything “nice” but not “necessary” can easily be shafted in favor of the immediate or (perceived) higher goal. Making these kinds of executive decisions is what they are paid to do, and they do it well. The job of security awareness supporters is then to show them how SAT programs do align with their department goals — or how one security breach on their watch could vastly overshadow their other successes.
Improve Your SAT Program with Fortra’s Terranova Security
Companies are waking up to the reality that all hands are needed on deck given today’s threat landscape. Your employees are there anyway; they can either help, or potentially harm.
When it comes to building a security-first organizational culture within your enterprise, you need a vendor that understands your organization. Fortra’s Terranova Security implements security awareness training custom-fit to your individual needs and designed to drive lasting behavioral change. Leverage dozens of distinct modules to train your workforce to be your eyes and ears when it comes to cyber defense, educating them with interactive courses, quizzes, gamification and more about anything from incident reporting and cloud services to working remotely, social networks, and more.
As cyber threats permeate every crevice of the modern enterprise, no employee is left unscathed. Your personnel will come face-to-face with significant security challenges, and by getting ahead of them with proactive SAT courses, you’ll prepare them to counter them when they come.
Source: https://www.fortra.com/blog/89-of-security-awareness-programs-are-focused-on-social-engineering-in-2024