This blog is part of the Board Oversight Series, an interactive collection of resources on Cyber Risk.
Cybercrime is the fastest-growing crime and it affects all types of businesses—public and private, large and small. Cyberattacks on companies are also increasing in size and sophistication, which is costing companies escalating sums in damage and prevention.
It’s important to remember that companies can’t protect all assets equally; an effective cybersecurity strategy is a game of prioritization. As companies determine where to invest their precious cybersecurity dollars, one statistic proves quite powerful (via PhishMe):
91% of successful data breaches originate from phishing emails.
Corporations have attempted to fight back over the last ten years by creating a new position of Chief Information Security Officers (CISO). CISOs typically direct the strategy, budget and operations for an organization’s cybersecurity efforts. As cyber education at today’s companies advances, organizations are beginning to recognize the heightened return on investment from implementing a cyber awareness training program for all employees and corporate partners. The goals of cyber awareness programs are to train all employees and individuals connected with the company to be aware of cybersecurity risks, to recognize attempts at cyberattacks, and to modify their behavior to aid in preventing cyberattacks.
Corporations Begin to Recognize the Urgency of Implementing Cyber Training Programs
According to the Ponemon Institute’s 2018 study, the average total cost of a data breach in 2018 was $3.68 million. This information is creating an urgency to fund and implement cyber awareness training programs on a company-wide basis.
Companies are learning more about the enormous costs and impact of unsuspecting cyberattacks, which includes direct costs (e.g., fines, legal fees, lost productivity, lost intellectual property, mitigation, remediation, incident response) and indirect costs (e.g., diminished brand equity, reduced goodwill, reduced market position, loss of competitive advantage)—that latter often having the most harmful long-term effects.
To date, corporations have spent less on training employees on cybersecurity awareness than any other category for cybersecurity, but that is projected to quickly change. Experts are predicting that 2018 will be the year that corporations and consumers band together to take a stance against cybercrime.
Cybersecurity Ventures projects that corporations will increase spending on cybersecurity efforts from $86.4 billion in 2017 to $93 billion in 2018. They also predict that companies will spend up to $10 billion on cybersecurity awareness by 2027, globally, which is up from just $ 1billion in 2014.
What Are Elements of a Good Cyber Training Program?
At its core, a good cyber awareness training program recognizes that employees and partners on every level need training to understand how their role influences the organization’s risk posture.
For the best defense against cyberattacks, corporations should require training for:
- Board directors
- Major shareholders
- Partners and others in the supply chain
- Governance, risk, and compliance professionals
- Internal and external legal counsel
- Product manufacturing and engineering
- Users of systems and data
- All employees
The first step in developing a cybersecurity awareness program is to identify the cybersecurity awareness needs of the company. Every company is unique; and the training programs of each organization should reflect the strengths and weaknesses inherent in the varying asset structures, IT systems, company cultures, etc. Corporations should conduct a business impact assessment and risk assessment to jumpstart this process. Training programs can then be designed around the company’s greatest risk areas and incorporate guidance that’s tailored to the company. Typical elements of a cyber training program include:
- Safe and proper use of electronic tools
- How to recognize and respond to phishing scams including spear phishing
- How to recognize tech support or other scams
- Signs and other red flags of fake web pages
- Best practices for email security and password protection
- How to recognize and respond to suspicions of malware
- Risks of social engineering
- Cybersecurity and mobile devices
- General behavioral changes
“A company’s first and sometimes last line of defense is its employees,” said Stan Kuciej, Director of Diligent’s Security Operations. “Keeping everyone up to date on how to recognize and how to react to attacks is must have today.”
Embracing the Evolution of Cyber Awareness Training
The rapid evolution of today’s cyber risk landscape will require the CISO and IT teams to assess and update the program frequently—often several times a year. Although difficult to benchmark, companies should attempt to outline metrics to measure the resulting impact of the training program on the company’s cybersecurity posture.
“A cyber security training program cannot be a one and done training,” said Diligent’s Kuciej. “It is important for cyber security awareness to be continuously reinforced to be effective.”
In this joint research project, the New York Stock Exchange and Diligent surveyed nearly 400 directors to understand how they communicate with other members of the board. Which practices are the most common? Which ones pose the greatest risk?