Security is a top priority for any business, and, as a result, we often see heavy investment in cybersecurity solutions to keep organisations protected – whether that’s zero-trust network architecture, AI-powered security solutions, or security tools included with platforms like Microsoft 365.
However, as effective as these solutions are, there is one potential weakness in your security posture that they can’t always account for: the human element. Building up a wall of defences can only go so far if your users are letting bad actors through the gates.
The role of the human element
According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element, which can take a variety of different forms.
We’ve written previously on social engineering attacks, which use manipulative tactics to target unsuspecting users – such as a request to log in to an online tool or portal from a seemingly legitimate spoof email. If a user takes the email at face value and logs into the site, attackers can gain access to their credentials, download malware onto their device, establish backdoors into your network for future attacks, or all of these at once.
Social engineering isn’t the only form of attack that utilises the human element. When it comes to stealing user credentials, attackers can adopt a wide range of different strategies – looking at a user’s social media to guess what their password might be, using automated brute force attacks to try to find the correct username/password combination, or even something as low-tech as looking over a user’s shoulder when they’re working in a public space. Cybercriminals employ these strategies because they’re effective, but their effectiveness is contingent on a user’s security awareness. Users who aren’t aware of these risks and aren’t enabled with the knowledge and skills to counter them are more likely to fall victim to these types of exploits.
With visibility over user credentials, cybercriminals can give themselves unrestricted access to your network, and will appear as a legitimate user while they do so. But sometimes they don’t even need to take this step. Unwitting human errors can leave infrastructure such as public-facing networks misconfigured, presenting attractive attack avenues for malicious actors. For a recent example, the US Transport Security Administration (TSA) had its no-fly list leaked after it was discovered on an unsecured server.
These issues are compounded by the difficulty of bringing in cybersecurity staff to help cover vulnerabilities – as TechRadar reports, there are nearly 3 million unfilled cybersecurity positions around the world today, and the cybersecurity workforce would need to grow by 65% to be able to effectively protect the critical assets of organisations.
As such, it’s clear that the first step to securing your organisation should be to ensure that all your users are security-minded, and aware of potential threats, so they don’t unknowingly open up your defences, and can assist in keeping your business secure.
Making your people a cybersecurity tool
Just as their actions can present a cybersecurity risk, your people can also harness appropriate skills, knowledge and processes to support better cyber resilience. This is where user awareness training comes into its own, giving your people the tools they need to act as another line of defence, detecting and reporting attacks as part of a risk-aware culture.
While you might already be delivering some cybersecurity training as part of your security strategy, it might not be enough – most firms only dedicate a few hours a year to cybersecurity training, with a worrying number only spending a few minutes, leaving users behind on the latest threats your organisation might be facing.
Once training is in place, it’s critical to ensure that security is still top-of-mind for your users. The best way to achieve this is through regular interventions, such as synthetic phish testing, to assess current enablement. With phish testing, your organisation steps into the shoes of a potential cybercriminal, and delivers a spoofed communication in an effort to catch out unsuspecting users. By delivering these campaigns, you can better measure the level of awareness across your team, and identify areas for improvement.
More advanced solutions roll this in as part of user awareness – phish test emails are sent out, and users who click on the links within are automatically enrolled in further training to prevent the same mistake happening twice.
These tests don’t only flag users who are susceptible to social engineering, though. Phish tests also help IT teams check whether users are reporting phishing attempts, and what phishing strategies are more likely to catch users off-guard. All of this furthers user awareness training – if employees aren’t following company protocol to report phishing links, or are particularly vulnerable to phishing attacks which impersonate senior employees, then this can be rolled into future training sessions.
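To make the measurement side of phish testing concrete, here is an added example (not code from the original article or from any awareness-training product) that scores a synthetic campaign the way the passages above describe: per-lure click and report rates, the users who clicked and should be auto-enrolled in follow-up training, the users who never reported a lure, and the lure template that caught the most people. The event list, the user names and the template names are constructed sample data, and the three-column event format is an assumption rather than any real platform's export.

```python
from collections import defaultdict

# Constructed sample results from one synthetic phish-test campaign.
# Each event is (user, lure_template, action); action is "opened",
# "clicked" or "reported". The format is assumed, not a product export.
CAMPAIGN_EVENTS = [
    ("alice", "ceo-urgent-request", "reported"),
    ("bob", "ceo-urgent-request", "clicked"),
    ("carol", "ceo-urgent-request", "clicked"),
    ("dave", "ceo-urgent-request", "opened"),
    ("alice", "m365-password-expiry", "reported"),
    ("bob", "m365-password-expiry", "reported"),
    ("carol", "m365-password-expiry", "clicked"),
    ("dave", "m365-password-expiry", "opened"),
    ("erin", "m365-password-expiry", "clicked"),
    ("erin", "m365-password-expiry", "reported"),  # clicked, then reported it
]


def summarise(events):
    """Collapse raw events into one outcome record per (user, template).

    A recipient counts as 'clicked' or 'reported' if any of their events
    carried that action; 'opened' on its own is neutral.
    """
    outcomes = {}
    for user, template, action in events:
        flags = outcomes.setdefault(
            (user, template), {"clicked": False, "reported": False}
        )
        if action in flags:
            flags[action] = True
    return outcomes


def per_template_rates(events):
    """Click rate and report rate for each lure template."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for (_user, template), flags in summarise(events).items():
        t = totals[template]
        t["sent"] += 1
        t["clicked"] += int(flags["clicked"])
        t["reported"] += int(flags["reported"])
    return {
        template: {
            "sent": t["sent"],
            "click_rate": round(t["clicked"] / t["sent"], 2),
            "report_rate": round(t["reported"] / t["sent"], 2),
        }
        for template, t in totals.items()
    }


def users_to_enrol(events):
    """Users who clicked at least one lure: candidates for follow-up training."""
    return sorted({u for (u, _t), f in summarise(events).items() if f["clicked"]})


def users_never_reporting(events):
    """Users who received lures but never used the reporting process."""
    reported, everyone = set(), set()
    for (user, _template), flags in summarise(events).items():
        everyone.add(user)
        if flags["reported"]:
            reported.add(user)
    return sorted(everyone - reported)


def riskiest_template(events):
    """The lure style with the highest click rate; a theme for the next session."""
    rates = per_template_rates(events)
    return max(rates, key=lambda t: rates[t]["click_rate"])


if __name__ == "__main__":
    for template, stats in per_template_rates(CAMPAIGN_EVENTS).items():
        print(template, stats)
    print("enrol:", users_to_enrol(CAMPAIGN_EVENTS))
    print("never reported:", users_never_reporting(CAMPAIGN_EVENTS))
    print("riskiest lure:", riskiest_template(CAMPAIGN_EVENTS))
```

Two design points matter for a fair programme. First, a user who clicks and then reports (erin above) is counted in both columns: the click still warrants training, but the report shows the escalation process worked and should not be discouraged. Second, the report rate is tracked per template, not just overall, because a lure that impersonates a senior employee can produce both more clicks and fewer reports, and that combination is the one to prioritise in the next training session.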
If you’re looking to increase your cyber resilience with the effective rollout of dedicated user awareness training, we can help you assess the options and advise on the best solution. To learn more about awareness training, or other ways that we can support your cybersecurity strategy, please get in touch with the team.