Making Time for Ongoing Security Awareness Training



The human element, i.e., human fallibility, was behind most publicly-reported data breaches in 2022. It played a part in 82% of data breaches analyzed by Verizon Enterprise in its 2022 Data Breach Investigations Report (DBIR). Those incidents involved instances of phishing, the use of stolen credentials, misuse, and general errors.

Verizon's findings demonstrate how the human element is largely the easiest and most exploited vector that threat actors use to compromise victims, both opportunistically and in targeted attacks. The Multi-State Information Sharing and Analysis Center (MS-ISAC) routinely sees phishing and malspam take a leading position when it comes to infection rates. (Historically, these two infection vectors have led MS-ISAC's Top 10 Malware lists, and they still do so depending on that month's threat landscape.)

Additionally, MS-ISAC sees social engineering and other attempts to exploit the human element used by every type of threat actor irrespective of their level of sophistication. As an example, both novice attackers and state-sponsored groups routinely use spear-phishing to gain initial access. It is typically only after they gain access that a divergence in the sophistication of the tactics leveraged against the target becomes evident.

What's Behind the Human Element?

Part of the reason why human fallibility remains prevalent is a widespread lack of security awareness training. In 2021, the National Cybersecurity Alliance (NCSA) learned that 64% of U.S. and U.K. employees didn't have access to cybersecurity training or advice. Nearly half (48%) of respondents went on to admit they didn't know about security best practices like multi-factor authentication.

It goes without saying that this is a problem. Without proper levels of training, employees can’t practice secure behavior, report potential threats to IT, or positively contribute to their organization’s security culture. But it also raises an important question: why is security awareness training lacking in the first place?

A Question of Expertise and Resources

One of the essential challenges of providing security awareness training is having the expertise and resources necessary to do so. Such is especially the case for U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. These entities are close to the populations to whom they deliver critical goods and services. However, they are commonly underserved and under-protected, which puts their constituents at greater risk of security incidents that could significantly disrupt their lives.

Even then, having sufficient expertise and resources doesn't necessarily guarantee an effective security awareness training program. This is because time, not budget, continues to be the top challenge confronting awareness programs. Indeed, the SANS Institute learned that three-quarters of security awareness professionals spend less than half their time actually fostering awareness of security threats and protocols in the workplace, a reality that prevents many organizations from developing robust security cultures over the long term.

How to Make Time for Security Awareness Training

The key to emphasizing security awareness training is making the most of what's already available. The SANS Institute articulated this point in its report:

Don’t create a monthly newsletter yourself. Don’t build the solution yourself. The more you are able to delegate, the more time you have to create partnerships within your organization, engage with others and ultimately drive change with your program.

As part of the process, SLTTs can turn to the Center for Internet Security (CIS) and our history of advocating for security education. Take the CIS Critical Security Controls (CIS Controls) as an example. Among CIS Controls v8 is CIS Control 14: Security Awareness and Skills Training. It consists of nine Safeguards. The first instructs organizations to establish and maintain a security awareness and training program, while the remaining Safeguards suggest that organizations focus their education efforts on social engineering, unintentional data exposure, and other potential IT security threats.

Additionally, SLTTs need to partner with others in the industry that help organizations of all types and sizes realize their security awareness training needs. This includes the SANS Institute. CIS and SANS work together to ensure that information security practitioners in critical organizations have what they need to uphold U.S. national security. They also work to foster necessary levels of security awareness within SLTTs through online technical training courses, comprehensive security awareness training solutions, and other offerings so that these entities can defend themselves against common cyber attacks.

No Time Like Today

To help SLTTs with their security awareness efforts, CIS and SANS have announced a special discount. These government organizations can save over 50% on the training they need now through July 31, 2022.