The Issue at Stake and the Problem to Be Resolved
According to the 2022 Data Breach Investigations Report [1], 82% of breaches involved the human element. Employees therefore play a critical role in preventing cybersecurity breaches: they are often the first line of defense against cyber-attacks, and at the same time the most likely source of incidents triggered by human error.
For instance, phishing is up 61% year over year [2]. More organizations are getting hacked, and phishing remains one of the most common attack vectors. Phishing is a form of social engineering in which attackers deceive people into revealing sensitive information or into installing malware (viruses, worms, trojan horses, spyware, ransomware) on their devices [3].
[2] https://www.cnbc.com/2023/01/07/phishing-attacks-are-increasing-and-getting-more-sophisticated.html
[3] Jansson, K.; von Solms, R. (2011-11-09). “Phishing for phishing awareness.” Behaviour & Information Technology. 32 (6):584-593.
Phishing attacks have become increasingly sophisticated. Some phishing sites act as a transparent proxy that mirrors the targeted website in real time, so the attacker observes everything the victim enters while navigating the genuine site and crosses any additional security boundary, such as a second authentication step, together with the victim [4].
[4] Ramzan, Zulfikar (2010). “Phishing attacks and countermeasures.” In Stamp, Mark and Stavroulakis, Peter (Editors). Handbook of Information and Communication Security. Springer/Sci-Tech/Trade, 2010th Edition, 867 pages.
Phishing is a cybercrime in which one or more targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss [5]. As of 2020, phishing is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than of any other type of computer crime [6].
[5] PHISHING.ORG, https://www.phishing.org/what-is-phishing
[6] "Internet Crime Report 2020" (PDF). FBI Internet Crime Complaint Center, U.S. Federal Bureau of Investigation. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
To add further complexity, attackers are turning to less conventional channels to compromise people and businesses: phishing via SMS (smishing), over voice calls (vishing) and via social media are all on the rise. Attackers are also personalizing their messages, a technique called spear phishing, in which the attack typically begins with an email that appears to come from a trusted source such as a colleague, friend or business partner.
The spear phishing email usually contains a request for sensitive information, such as login credentials, or a link to a malicious website designed to steal information or install malware on the device of a specific victim. Because the message is tailored to its recipient, spear phishing is highly targeted, highly effective and difficult to prevent [7].
[7] FORTINET. https://www.fortinet.com/resources/cyberglossary/spear-phishing
This growing complexity emphasizes the need for organizations to adopt good Cybersecurity Awareness Training practices to keep their people safe.
The Importance of Cybersecurity Awareness Training
Cybersecurity Awareness Training raises employees' awareness of the threats and risks associated with cybersecurity and provides practical advice on how to respond to them. For instance, it helps employees recognize and respond to suspicious emails, identify malicious websites, and understand why strong passwords matter. It covers topics such as phishing, password management and secure data handling, and is designed to be engaging and interactive so that it holds employees' attention.
The benefits of Cybersecurity Awareness Training include but are not limited to:
Reductions in Risk
By giving employees a basic understanding of cybersecurity risks and best practices, organizations reduce the likelihood that a cybersecurity incident occurs.
Enhanced Security Culture
Cybersecurity Awareness Training helps build a culture of security within an organization. When employees understand why sensitive information must be protected, they are more likely to take cybersecurity seriously and to follow best practices.
Compliance
In many industries, Cybersecurity Awareness Training is required for compliance with laws, regulations or industry frameworks. For example, PIPEDA and PIPA require organizations that handle personal information to provide privacy training to employees, and organizations certified or attested against standards such as ISO 27001 or SOC 2 are required to deliver regular Cybersecurity Awareness Training to their staff.
Improved Incident Response Capabilities
Employees who are aware of the risks associated with cybersecurity incidents are better prepared to respond to them and to take appropriate action that limits the damage. When employees know the kinds of threats they may face, such as phishing scams or malicious websites, they are more likely to detect an attack when it occurs and to report it to the right people within the organization.
Cost-Effectiveness
Providing Cybersecurity Awareness Training to employees is a cost-effective way to reduce the risk of data breaches and other security incidents. As the cost of a compromise keeps rising, an established training practice can save an organization significant amounts of money.
Reductions in Cyber-Attacks
Employees who can recognize common lures, such as phishing emails, are less likely to act on them, so fewer attacks against the organization succeed.
Establishing Cybersecurity Awareness Training
Establishing strong Cybersecurity Awareness Training is critical for any organization striving to improve its cybersecurity posture. While any training effort helps reduce the impact of a cyber-attack, a structured, organization-wide approach is most likely to be effective.
The Canadian Internet Registration Authority (CIRA) is a private, not-for-profit, member-driven organization that manages, promotes and protects the .CA domain on behalf of all Canadians. CIRA also designs programs, products and services that help secure the Internet for Canadians. In this context, CIRA has published a five-step guide to implementing a Cybersecurity Awareness Training Program [8]:
[8] https://www.cira.ca/resources/cybersecurity/5-steps-to-implement-training
- Step 1 – Convince management you need training, yesterday
- Step 2 – Evaluate training options
- Step 3 – Prep and launch training
- Step 4 – Analyze results and take action
- Step 5 – Keep cybersecurity top of mind
Phishing Simulations
Phishing simulations are an important component of cybersecurity awareness programs and are often considered more helpful than other types of training for teaching employees how to recognize and respond to phishing attacks. They let employees practice in a safe environment and receive feedback on their performance, which makes them more aware of the risks of phishing and of how to protect themselves and their organization. Numerous studies have shown the effectiveness of phishing simulations. By incorporating them into their awareness programs, organizations help employees spot and respond to phishing attacks, improve their overall cybersecurity posture, and reduce the risk of data breaches. A simulation is most useful when it is paired with an easy way for employees to report suspicious email and when results are measured by the report rate as well as the click rate: an employee who clicks and then reports is exactly the outcome an incident response team wants, and the feedback that follows should be training, not blame.
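The following is an added example, not code from the page, from CIRA or from any simulation vendor. It scores a phishing-simulation campaign the way Step 4 ("Analyze results and take action") and the paragraph above call for: from a per-event log it computes click, credential-submission and report rates per department and overall, the median time to first report, and how many people clicked and then reported. The event records and the field layout (timestamp, user, department, action) are constructed for the example and are not any product's schema.

```python
"""Score a phishing-simulation campaign from its event log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ACTIONS = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample log (assumed layout: ISO timestamp, user, department, action).
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:00", "alice", "finance", "sent"),
    ("2024-03-04T09:00:00", "bob", "finance", "sent"),
    ("2024-03-04T09:00:00", "carol", "eng", "sent"),
    ("2024-03-04T09:00:00", "dave", "eng", "sent"),
    ("2024-03-04T09:03:10", "alice", "finance", "opened"),
    ("2024-03-04T09:03:40", "alice", "finance", "clicked"),
    ("2024-03-04T09:04:05", "alice", "finance", "submitted"),   # entered credentials
    ("2024-03-04T09:05:00", "bob", "finance", "opened"),
    ("2024-03-04T09:06:30", "bob", "finance", "reported"),      # reported without clicking
    ("2024-03-04T09:10:00", "carol", "eng", "opened"),
    ("2024-03-04T09:10:20", "carol", "eng", "clicked"),
    ("2024-03-04T09:10:25", "carol", "eng", "clicked"),         # second click, counted once
    ("2024-03-04T09:12:00", "carol", "eng", "reported"),        # clicked, then reported
    # dave never opens the message at all
]


def first_action_times(rows):
    """Map user -> {action: earliest datetime}, plus user -> department.

    Repeated actions (a user clicking the link twice) collapse to their first
    occurrence, so every metric below counts people, not events.
    """
    per_user = defaultdict(dict)
    dept_of = {}
    for ts, user, dept, action in rows:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        when = datetime.fromisoformat(ts)
        dept_of[user] = dept
        seen = per_user[user]
        if action not in seen or when < seen[action]:
            seen[action] = when
    return per_user, dept_of


def rate(numerator, denominator):
    """Fraction rounded to three places; 0.0 when the group is empty."""
    return round(numerator / denominator, 3) if denominator else 0.0


def score_campaign(rows):
    """Return {group: metrics} for the whole campaign ("all") and each department."""
    per_user, dept_of = first_action_times(rows)
    groups = defaultdict(set)
    groups["all"] = set()
    for user, actions in per_user.items():
        if "sent" not in actions:
            continue  # stray events for people who were never sent the lure
        groups["all"].add(user)
        groups[dept_of[user]].add(user)

    report = {}
    for name, users in groups.items():
        clicked = {u for u in users if "clicked" in per_user[u]}
        submitted = {u for u in users if "submitted" in per_user[u]}
        reported = {u for u in users if "reported" in per_user[u]}
        # Clicked first, reported afterwards: the behaviour incident response wants.
        clicked_then_reported = {
            u for u in clicked & reported
            if per_user[u]["clicked"] < per_user[u]["reported"]
        }
        minutes_to_report = [
            (per_user[u]["reported"] - per_user[u]["sent"]).total_seconds() / 60
            for u in reported
        ]
        report[name] = {
            "sent": len(users),
            "click_rate": rate(len(clicked), len(users)),
            "submit_rate": rate(len(submitted), len(users)),
            "report_rate": rate(len(reported), len(users)),
            "clicked_then_reported": len(clicked_then_reported),
            "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        }
    return report


if __name__ == "__main__":
    for group, metrics in score_campaign(SAMPLE_EVENTS).items():
        print(group, metrics)
```

The submit rate, not the click rate, is the number that corresponds to actual credential loss, and the report rate is what tells you whether the reporting channel from the training is being used; a department with a high click rate but a short median time to report is in better shape than one that never reports at all.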
Free Resources
The cost of mitigating phishing is rising. Those costs are not always palatable for small companies, but the cost of being breached through a phishing attack is even less sustainable: the 2020 CDW Canada Security Study found that the average cost of a breach had risen to $6M [9]. Fortunately, more resources are becoming available that company leaders can use at low or no cost. Business leaders should familiarize themselves with some of the free resources below:
- Simply Secure is an online course developed by the Rogers Cybersecure Catalyst (Toronto Metropolitan University). It provides resources and training to help small and medium-sized businesses build a culture of cybersecurity within their organization. (https://simply-secure.ca/)
- ISC2 has created a Cybersecurity Awareness Training course that is free to audit on the Coursera MOOC platform. (https://www.coursera.org/learn/security-awareness-training)
- Amazon provides free multilingual security awareness training. (https://learnsecurity.amazon.com/en/training/story.html)
- Jigsaw Phishing Quiz. (https://phishingquiz.withgoogle.com)
- Phishing Quiz. Think you can outsmart Internet scammers? (https://www.opendns.com/phishing-quiz/)
- The US Federal Trade Commission has developed a series of quizzes to help companies learn about cybersecurity. (https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/quiz)
- Top nine phishing simulators [updated 2021] from Infosec Institute (https://resources.infosecinstitute.com/topic/top-9-free-phishing-simulators/)
- Get CyberSafe Canada: a national public awareness campaign created to inform Canadians about cybersecurity and the simple steps they can take to protect themselves online (https://www.getcybersafe.gc.ca/en/blogs/lessons-fighting-phishing)
[9] CDW Canada Security Study 2020. Cyber Resilience: An Evolving Perspective (https://www.cdw.ca/content/cdwca/en/solutions/cybersecurity/security-study-2020.html)