Just a decade ago, cybersecurity was a relative myth to the public – something taken care of by any old antivirus and certainly nothing to worry about. But as the internet age gathered momentum, rolling like a freight train on an endless slope, things changed. Cyber attackers were not perceived as hoodie-wearing teens with abundant spare time anymore, but seen for what they are: organized, often well-funded groups – and a genuine menace to society.
The evolving threat landscape has changed the way cybersecurity is viewed by businesses, too. No longer should it be handled by a select few while other employees move irresponsibly through the digital world; instead, it is something of which every employee must be aware. But traditional training models, whereby swathes of employees travel to one-day events periodically, are expensive – and not very practical either.
Costlier again is neglect. Look no further than the fabled WannaCry cyberattack, which caused estimated worldwide financial losses of up to $4 billion, to see the damage a well-executed assault can inflict. But while devastating (this was the biggest cyberattack in history), WannaCry at least served a purpose: it was a global wake-up call.
Typically, attacks like WannaCry are the result of poor cyber awareness, initiated when the uninitiated click links in malicious emails or unwittingly download harmful files. As far back as 1999, when the simple Melissa virus caused $80 million in damages by infecting Microsoft Word documents, people have been inadvertently compromising networks and systems. In 2017, the Bad Rabbit malware that swept Russia and Ukraine was disguised as an Adobe Flash installer. When the innocent-looking file was opened, it began locking the infected computer – but this execution first required human interaction.
This shows that no matter how secure a business is, external attackers can force their way in through a single weakness. Consequently, the biggest threat exists not outside the confines of an enterprise but within: its own people. Not because employees are nefarious (though that can of course be the case), but because 88% of data breaches are down to human error.
Better cyber awareness is key, but there are two glaring issues with providing training for every employee in an organization: time and money. These obstacles lead businesses to handpick those who will get the training they need (or the training it’s thought they need), leaving gaping security holes across the rest of the company. Easy pickings for an attacker with even modest social-engineering skills.
Solving this problem is not simple, but it can be done. Automated training that utilizes gamification can save companies huge amounts of money and time – especially if employees have 24/7 access to training that they genuinely enjoy. In 2012, for instance, US pharmacy Omnicare introduced gamification to its IT service desk and achieved a 100% participation rate, demonstrating the method’s effectiveness. It is especially useful for training non-specialist employees, who typically need more encouragement to engage with cybersecurity.
This type of innovative training also allows employees to learn at their own pace – something they can’t possibly do when crammed into some far-flung classroom and told to learn. The frequency (and intensity) of training required for general employees and those actively combating threats, for example CISOs and security analysts, will of course be different. But both will benefit more from access to relevant training than they will from a policy in some long-forgotten employee handbook.
For the cyber experts, frequency of learning is hugely important. In anything, training must occur often to be effective, but cyber threats evolve so rapidly that combating them is impossible without constant evolution. That’s why automated, gamified solutions are so effective: employees can improve their skills on their own terms without disrupting company operations, which enables greater training frequency and, in turn, greater development. When considering that over half of all cyber experts feel their employers don’t provide sufficient training, an all-you-can-eat solution looks increasingly like the way forward.
Better still, such solutions are low-cost, low-investment. You will pay a one-off license fee for each employee, giving them everything they need to become cyber aware, without sacrificing huge amounts of time and money on quickly outdated training days. – Forbes