A critical part of improving a business's cyber resilience is ensuring that staff, including the executives and the board of directors, are all champions of promoting and driving awareness when it comes to cybersecurity.
Many companies do have this understanding, and one way to measure the importance organizations are placing on cybersecurity is by expenditure. In May 2021, Gartner said it expected about $150.4 billion to be spent on security in 2021, a 12.4% increase from 2020, with security awareness education and phishing defense being a focus for many organizations.
It is quite understandable that spending is at this level when one considers that the average downtime a company experiences following a ransomware attack is 21 days, and the average cost to recover from such an attack is estimated at $2 million. The money spent on prevention will be repaid if an attack is prevented.
A company with better cybersecurity awareness and education has an improved chance of defending itself or, in a worst-case scenario, properly reacting to a cyberattack. This level of preparation includes embedding security across the business and aligning security with business objectives and strategies. This will help the company respond quickly to threats and continue to operate and recover during or after an attack.
Implementing a level of cyber resilience from top to bottom in an organization will ensure a shift in the security culture by enabling all personnel to help keep their organization secure.
This is particularly true when it comes to dealing with some of the more common dangers, such as phishing campaigns. The vast majority of successful cyberattacks start with a phishing email. Employees must learn to treat every email as potentially dangerous, making sure links and attachments are legitimate before clicking on them.
But phishing is just one threat.
Another emerging problem organizations must prepare for through education and training is ransomware, specifically when the malware is delivered through a Ransomware as a Service (RaaS) operation.
RaaS is the sale or lease of ransomware malware by its developers. Making the malware available “off the shelf” allows less technically capable criminal organizations to launch sophisticated attacks. RaaS is worrisome as it broadens the potential pool of threat actors to anyone with the funding and desire to launch such an attack.
However, while training is a necessity, an organization must be careful how a regimen is implemented.
One issue that arises when training is increased and emphasized is employee training fatigue. The ever-increasing volume of mandatory training and awareness material delivered to staff, covering corporate, legal, and regulatory topics, can lead to this very important education being seen as nothing more than a tick-in-the-box exercise and can drain employees' interest in fully participating and engaging with the subject.
To tackle this challenge, organizations must deliver training that is engaging, authentic, and tailored to that organization.
One way to help retain worker interest is to conduct a crisis simulation. Such activities give participants invaluable experience of reacting during a realistic simulation and enable them to collaborate and hone their skills in a safe and controlled environment.
Trustwave often facilitates Cyber Security Crisis Simulation Exercises. For each simulation workshop, the following considerations are made: