The goal of security education is to modify an employee’s behavior so they don’t fall for social engineering.
Social engineering is the art of manipulating, influencing or deceiving somebody to take an action that isn’t in either their or their organization’s best interests.
Why Your Employees Play a Role in Your Credit Union’s Overall Security and Risk Posture
Cyber security threats continue to evolve and become more costly to businesses that suffer a data breach. One reason for that is hackers have realized it’s easier to find someone who may willingly or unwillingly open an attachment containing malicious content than to exploit technical vulnerabilities within computer software, according to Symantec. When it comes to combatting these growing risks, most organizations continue to place more trust in technology-based solutions than on training their employees to be more aware of threats. Social engineering is the art of manipulating, influencing or deceiving somebody to take an action that isn’t in either their or their organization’s best interests.
“The market for security awareness computer-based training is driven by the recognition that, so long as technology-based security systems do not provide perfect protection, people play an undeniable role in an organization’s overall security and risk posture. This role is defined by both inherent strengths and weaknesses: people’s ability to learn and their capacity for error.” –Gartner
There’s a right way and a wrong way to train employees in cyber security awareness. The wrong way approaches training as a once-a-year or semi-annual exercise in which employees are subjected to a long, or sometimes too-brief, PowerPoint presentation. This method treats employees as a passive audience and inadequately engages them. Done wrong, security training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organization’s safety.
The wrong way also reflects a one-size-fits-all organizational mindset, which fails to consider that people have different learning styles. They also have varying security awareness needs depending on their role and level of access to sensitive information within their organization.
How to Change Employee Behavior to be less Susceptible to Social Engineering
The most common examples of social engineering are phishing and spear-phishing attacks, which use phone, email, postal services or direct contact to try to trick people into doing something harmful.
“Understanding the diversity of people in the organization is as important to security and risk management leaders as an understanding of how security fits into an organization’s larger goals.” –Gartner
The aim of most social engineering schemes is to get somebody to click on a hyperlink or open an attachment sent in an email that will then give hackers access to the user’s computer. Human beings can become an organization’s last layer of defense only when security awareness training demonstrates to them how susceptible they are to social engineering.
Training exercises that tell a compelling story and put the trainee in the position of somebody who has been targeted, such as a CIO, engage all the senses by making the trainee choose the best course of action in response to a suspicious email. When an employee has the opportunity to select the wrong response to an attack, “that employee definitely has an ‘Aha!’ moment because a big screw-up caused major problems” for his organization, says Kevin Mitnick, chief hacking officer for IT security company KnowBe4, provider of new-school security awareness training.
Learning that dangerous emails often appear to come from reputable organizations or from someone you know and trust within your own organization drives home the lesson: think before you click. Making training interactive ensures it takes deeper root in an employee’s mind.
How to Change Organizational Culture
Changes in behavior cannot be sustained by an organization’s culture without continuous reinforcement. More than ever, employees are the weak link in an organization’s network security. They are frequently exposed to sophisticated phishing and ransomware attacks. Employees need to be trained to remain on their toes with security top of mind.
First, the reward for reinforced behavioral patterns disappears once you take away the immediate feedback an employee gets when they successfully recognize a simulated phishing attack. Second, on the organizational level, the natural turnover translates to a smaller percentage of employees who have been trained rigorously in security awareness. Then there is behavioral drift over time because nothing is being done to help employees sustain new habits. Given that the ultimate aim is to retrain employees’ reflexes regarding online behavior, it’s imperative that managers respond to training results in a constructive, nurturing way instead of a punishing one.
Security Awareness Training
Celero Protex Enterprise Security Awareness Training prepares your employees to defend against cyber-attacks including phishing, spear-phishing, executive whaling or CEO fraud. This program is taught by technical experts and includes baseline testing using mock attacks, engaging interactive web-based training for employees, and continuous employee assessment measured through simulated phishing, vishing and smishing attacks to build a more resilient and secure organization.
If you are interested, find out how we can help you manage the ongoing problem of social engineering and create a human firewall by talking to your Celero Account Executive or contact us.