According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach worldwide in 2021 was $4.24 million, and the average cost of a breach in the U.S. for the same year was $9.05 million. These numbers are staggering, but what is more disheartening is that both the number and the cost of data breaches have continued to rise year over year, with no relief in sight.
The potential cost of a major data breach has become a recurring topic of discussion in boardrooms across the globe. For many years the predominant mitigation strategy was to increase the CISO's budget and invest it in technology. Other mitigation strategies, especially those focused on the human factor, were widely ignored.
In more recent years, numerous studies have highlighted the importance of fostering a cybersecurity awareness culture within an organization, with employee education at its foundation. If most medium to large corporations have since established such training programs, why do the number and severity of data breaches continue to grow?
Does that mean the focus on education is misplaced? Absolutely not. It does, however, appear to be poorly implemented. At the core of the issue is whether employees truly understand the problem and grasp their own role in protecting their organization from a breach.
What I have found is that most organizations fold cybersecurity training into annual compliance training: mandatory training an employee must complete in order to keep their job. To "comply," they watch one or more videos and answer a series of questions. They usually take the training on demand at their workstation, frequently while juggling other work. If they fail, they retake the test without penalty. Once they pass, they download a certificate and hand it to their manager. The employee has checked the box for another year, and management has checked its own box confirming that the training was delivered. Completion records measure delivery, not whether anyone learned anything.
But how much of this training is actually retained? Not enough. I invite the reader to think back to the many courses taken over a career, whether at university or in a professional setting. Some you immediately recognized as personally valuable; others you took only to satisfy a requirement. Did you give them equal attention? From which of the two kinds of course do you remember the most?
The same argument applies to cybersecurity training. Employees must see how they personally benefit from it. Just as organizations suffer devastating breaches from which they may never recover, so do individuals: any employee can fall victim to identity theft and other financial fraud. Employees already recognize employer benefits in the form of pay and the growth of a company-matched 401(k); why shouldn't organizations also help employees protect what they have?
Employees should be made aware of the various types of cybercriminals and their objectives. They should understand that such criminals concentrate on the individuals who are most exposed on social media. Exposure is not only a matter of how much personal information is posted online; it also depends on the privacy controls on each device and app, which employees must learn to configure, especially across the many social media apps they have installed.
Employees need to understand that social engineers use a variety of techniques to deliver an attack, whether spear phishing, smishing, vishing or face-to-face interaction. They also need to understand the growing use of fake social media personas that share a school, employer or interests with the target. Such personas are a very effective way to approach the target, earn their trust, and induce an action that leads to compromise.
Once employees understand the importance of cybersecurity hygiene for protecting themselves and their families, they will more readily understand how it applies to their role as the first line of defense for the organization they work for. Only with this approach does training become a win/win for employer and employee, while making the cybercriminal's job that much more challenging.