The key to cybersecurity education? Simulation programs
- Nearly all the respondents in a new survey (98%) said their organizations could benefit from added email security to prevent cyberattacks. Barracuda Networks, Inc. polled 630 professionals with email security responsibilities for their companies.
- Survey results show that most respondents want phishing simulation (63%), social engineering detection (62%), email encryption (60%) and data loss prevention (59%). All the respondents think user training is important, but just 77% are, in fact, training their workers. According to the survey, poor employee behavior (84%) is a bigger email security risk than inadequate tools (16%).
- Hatem Naguib, Barracuda’s senior vice president and general manager of security, said that phishing attacks are becoming stealthier and that their targets are shifting from big to smaller companies. Barracuda concludes from the survey that by training workers to recognize and avoid phishing attacks, companies of all sizes can help prevent data loss, email fraud and damage to their brand.
Organizations are beginning to use simulation to train employees in how to recognize and lessen the chances of a cyber attacker entering and damaging their organizations’ IT systems. IT security firm KnowBe4 uses simulated phishing attacks about once a month to keep employees aware of risks. In November 2017, the North American Electric Reliability Corp. (NERC) staged a mock cybersecurity breach attempt to test employees’ preparedness for an attack.
Companies have repeatedly said that employees’ negligent behavior is a big concern when it comes to cybersecurity breaches. A Willis Towers Watson report found that 66% of breaches are due to employees’ negligence or malfeasance. Outside threats came in second, at a distant 18%. When employees are allowed to use their personal devices, the threat of an attack increases — meaning employers need to be particularly keen on having a bring-your-own-device policy.
Preventing cybersecurity attacks is as much an HR responsibility as an IT one. Phishing and spoofing masterminds target HR departments for the personal employee data they maintain, including W-2 forms, financial information and other sensitive data.
HR professionals can team up with IT specialists to train and continuously test employees’ cyber knowledge. HR can lead prevention efforts by: 1) knowing their data and where it’s stored; 2) monitoring network activity and flagging abnormal behavior; 3) keeping track of vendors, service providers and other third-party affiliates who shouldn’t have access to company systems; and 4) using only authorized software.