Whilst organisations are spending more budget on securing their IT, there is still the human element, which cannot be ignored. The UK ICO's Q2 2018/19 figures show that of the 675 cyber incidents reported, 367 were phishing attacks - that's 54%.
Cyber attackers are focusing on employees as an easier way to infiltrate a company’s infrastructure. Who knows, it could be you one day.
The latest SANS report is the organisation’s first Security Awareness report. It was developed to show executives how they can improve their security awareness programme. Responses were collected from 1,718 awareness professionals across 65 countries from companies of different sizes.
The full report is available here but I have put together some of the highlights.
The first important fact is that SANS found that people, above technology, are the most effective at identifying internal threats. This may well be because, once a threat has broken through the external firewalls and security systems, there is often no effective solution in place to manage threats inside the perimeter (Zinopy offers SIEM). But it does mean that your employees need to be extremely security aware.
So how do you measure the effectiveness of your security awareness programme?
- Identify the current goal – it should be realistic and achievable. It doesn’t need to be a page long either. Keep it short.
- Identify the metrics you will use to measure the goal.
- Evolve as the programme grows.
Leadership team support is key
SANS found that, unsurprisingly, executive support for the programme is vital and suggested a few ways that the leadership team can support it.
- Be first to take any training and let your team know you participated.
- Invest in it. Successful programmes use a number of different training methods, such as videos and phishing simulation emails. Make sure you have enough resources to meet your goals, including staffing and training.
- Ensure the team has not only good organisational and technical skills, but also soft people skills, as these will help them communicate and engage with others.
There are different levels of maturity in security awareness programmes. The more mature programmes use a number of different methods, including:
- Phishing training
- Targeted leadership training
- Computer-Based Training (CBT)
- Support materials such as newsletters, posters and games
Here’s a related post from Trilogy with very specific tips to measure the success of your security awareness programme.