How to build a successful security awareness training programme
Neglected security awareness allows the weaknesses and threats to your organisation to remain undetected . Businesses must re-evaluate their approach to security by creating targeted , seamless training programmes to help prevent security breaches . In this interview , Andrew Rose , Resident CISO , EMEA at Proofpoint , highlights the current challenges experienced by CISOs and the sophisticated attacks they are facing , and how an effective training programme can prevent security breaches .
Research seems to suggest human error is the biggest cause of security breaches – can you tell us more about that ?
The Verizon Data Breach Report suggested that 83 % of security breaches had a human cause . The World Economic Forum produced a report earlier in the year which said that 95 % of security breaches had a human cause .
It used to be that the data centre or the head office was at the core of your network and if you wanted to get access to the sensitive data , you ’ d come into the office and badger a way in . Now , everyone works from everywhere , using resources that aren ’ t just their own , like Microsoft , Google and Dropbox , and their data is all over the place . Now , the central core of an organisation is the user who has access to whatever they need , wherever and whenever they want , making the user even more tempting to the criminals . By stealing a user ’ s credentials , suddenly they have access to everything . That ’ s the reason the attackers focus on the human aspect of security , because staff are the central access point and they are capable of making errors .
What level of sophistication is being observed when it comes to social engineering attacks today ?
Attackers are not just sending the classic ‘ inheritance ’ email to us anymore , they are using behavioural science techniques to trigger emotional responses from users . We ’ ve seen some examples of attackers using an email stating that ‘ your partner is seeking divorce and they ’ ve been too embarrassed to speak to you about it . Please click on this link to see the reasons for the divorce ’. You can imagine this would be an incredibly emotional trigger and it would be hard to resist clicking through to see the information . We have also seen attacks on military and governmental organisations using the topical subject of Ukrainian refugees . Attackers will revise and change their content depending on what ’ s current .
How high on the agenda is employee education and awareness for today ’ s CISOs and why ?
Our recent Voice of the CISO Survey went out to 1,400 CISOs globally and asked what they perceive in terms of risks and what their priorities are in terms of controls . The top significant risk they wanted to prioritise was insider threats , including negligent users , malicious users and compromised users . In terms of control measures , information protection , security awareness , education and behaviour change are on their list of priorities for the next two years . These results show that CISOs recognise the gravity of the challenge at hand .
Andrew Rose , Resident CISO , EMEA , Proofpoint
However , only 60 % of CISOs think that employees understand their role in protecting the whole organisation . This is likely because awareness is still generally delivered by relatively junior staff within these enterprises and not given sufficient priority or resource . Although human error accounts for the majority of risks , only about 2 % of the budget is given to awareness training . This highlights that although security awareness remains high on CISOs ’ agenda , they still haven ’ t fully committed the right resources to deliver on that topic yet .
What are some of the existing challenges CISOs and their teams experience when it comes to planning and executing an effective security awareness training programme ?
Firstly , a lot of CISOs have grown up through a technical career path , so they ’ re much more comfortable dealing www . intelligentciso . com